RE:I want to retrieve Username ,Password ,Domain text from GINA system.

On Mon, 22 Apr 2002, Gregory G. Dyess wrote:

> Bullshit. Domain admins must be able to log into any machine in the domain
> with privs to fix local problems.

That doesn’t mean they need to use a sensitive account; all they need is
local Admin access.

Whatever the OS, whatever its security evaluation, you must never enter
your credentials into a compromised machine. It’s that simple. It’s true
in VMS. It’s true in NT. It’s true in *nix. Once a machine is
compromised, it’s not safe to use.

> Oh well, it looks like this thread has reached the point at which we must
> all agree to respectfully disagree on the topic of security and how much of
> a threat it is to be able to capture another user’s username/password. I’ll
> say no more on the topic.

No-one’s saying it’s not a threat. It is a threat – using compromised
machines is always a threat. But the point is, one has to be trusted to
compromise the machine.

> Next topic???
>
> Have fun,
> Greg

-----Original Message-----
From: xxxxx@lists.osr.com
[mailto:xxxxx@lists.osr.com]On Behalf Of PeterB
Sent: Monday, April 22, 2002 8:49 AM
To: NT Developers Interest List
Subject: [ntdev] RE:I want to retrieve Username ,Password ,Domain text
from GINA system.

On Mon, 22 Apr 2002, Gregory G. Dyess wrote:

> Nice, if you say it fast enough. Impossible in real world.

Claptrap. It’s a simple enough restriction – if you let people
compromise machines, to retain the integrity of your credentials, you
mustn’t use the compromised machines. This is just good practice. This
is true of pretty much any OS, too.

> Admins must be
> able to log into any machine in the domain simply because Microsoft failed
> to provide reasonable remote CLI support in NT.

That would suffer the same problem. The remote CLI would still be
running a process on_the_compromised_machine, and hence would still be
able to grab passwords and such.

The same rule – don’t run processes on compromised machines – holds
true.


Peter xxxxx@inkvine.fluff.org
http://www.inkvine.fluff.org/~peter/

logic kicks ass:
(1) Horses have an even number of legs.
(2) They have two legs in back and fore legs in front.
(3) This makes a total of six legs, which certainly is an odd number of
legs for a horse.
(4) But the only number that is both odd and even is infinity.
(5) Therefore, horses must have an infinite number of legs.


You are currently subscribed to ntdev as: xxxxx@pdq.net
To unsubscribe send a blank email to %%email.unsub%%

