Bugtraq mailing list archives
Re: Insufficient Authentication vulnerability in Asus notebook
From: Ansgar Wiechers <bugtraq () planetcobalt net>
Date: Fri, 15 May 2009 10:56:59 +0200
On 2009-05-14 nameless wrote:
> Steve Quan wrote:
>> Is there something like su/sudo in the Windows world? How do windows
>> administrators handle this (ie accountability)?
>
> There is "runas".

Indeed. There's also a variety of third-party tools like SuperiorSU [1].

> There is no accountability with the local admin account. You can
> disable the account and use domain credentials, but when the domain
> isn't available, you're screwed, so it is a poor decision.

I wouldn't agree entirely. It depends on who is given the password for the local administrator account. You only have no accountability if more than one person knows that password.

[...]

> In regards to changing the Admin account name, why make it easy for
> the kiddiots? It is trivial for any of us to bypass this, right?

Please elaborate. What attack scenarios do you see that aren't mitigated by a strong password? Besides, even if you change the login name, the SID of the account (which is well-known) still remains the same.

[...]

> Changing the Administrator name is just another layer in the onion of
> your defensive strategy.

I entirely fail to see what additional security that will gain you, so please explain.

[...]

> And I'm not trying to be a smart ass, but does anyone really use
> LM-hashes anymore?

I don't believe they're actually used by anyone anymore. However, the use of LM-hashes is still enabled by default on any XP.

[1] http://www.stefan-kuhr.de/cms/index.php?option=com_content&view=article&id=62&Itemid=73

Regards
Ansgar Wiechers
-- 
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."
--http://developer.apple.com/technotes/tn2004/tn2118.html
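The remark in the message above that the account's well-known SID stays the same after a rename, shown as an added example that is not part of the original post: a decoder for the binary SID layout that picks out the built-in Administrator (relative ID 500) from an account list by SID instead of by name, which is how an audit or detection rule should key on it. The account names, the machine sub-authority values and the helper names are all constructed for illustration.

```python
import struct

def make_sid(*subauths, authority=5, revision=1):
    """Encode a SID in the Windows binary layout (used to build sample data)."""
    return (struct.pack("BB", revision, len(subauths))
            + authority.to_bytes(6, "big")              # 48-bit authority, big-endian
            + struct.pack("<%dI" % len(subauths), *subauths))  # little-endian sub-authorities

def parse_sid(raw):
    """Decode a binary SID into its S-R-A-S1-S2-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack("<%dI" % count, raw[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)

def is_builtin_admin(sid_string):
    """True for S-1-5-21-<three machine or domain values>-500."""
    parts = sid_string.split("-")
    return (len(parts) == 8
            and parts[:4] == ["S", "1", "5", "21"]
            and parts[-1] == "500")

# Constructed sample: the machine identifier values below are made up.
MACHINE = (21, 1004336348, 1177238915, 682003330)
ACCOUNTS = [
    ("helpdesk",      make_sid(*MACHINE, 1001)),
    ("xq7_local",     make_sid(*MACHINE, 500)),   # built-in Administrator, renamed
    ("Guest",         make_sid(*MACHINE, 501)),
    ("Administrator", make_sid(*MACHINE, 1002)),  # ordinary account reusing the old name
]

def find_builtin_admin(accounts):
    """Return the names of accounts whose SID marks them as the built-in admin."""
    return [name for name, raw in accounts if is_builtin_admin(parse_sid(raw))]

if __name__ == "__main__":
    for name, raw in ACCOUNTS:
        print("%-14s %s" % (name, parse_sid(raw)))
    print("built-in Administrator:", find_builtin_admin(ACCOUNTS))
```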