> ----------
From: xxxxx@inkvine.fluff.org[SMTP:xxxxx@inkvine.fluff.org]
Reply To: xxxxx@lists.osr.com
Sent: Monday, April 22, 2002 4:16 PM
To: xxxxx@lists.osr.com
Subject: [ntdev] RE:I want to retrieve Username ,Password ,Domain text from GINA system.

On Mon, 22 Apr 2002, Gregory G. Dyess wrote:
> Bullshit. Domain admins must be able to log into any machine in the domain
> with privs to fix local problems.

That doesn’t mean they need to use a sensitive account; all they need is
local Admin access.

Sometimes there are problems with the network which should be solved. Local
admin may not be sufficient.

Whatever the OS, whatever its security evaluation, you must never enter
your credentials into a compromised machine. It’s that simple. It’s true
in VMS. It’s true in NT. It’s true in *nix. Once a machine is
compromised, it’s not safe to use.

Sure. How do you distinguish a compromised machine?

No-one’s saying it’s not a threat. It is a threat – using compromised
machines is always a threat. But the point is, one has to be trusted to
compromise the machine.

Unfortunately, it isn’t right, at least for NT. All that is necessary is the
ability to boot from a diskette or CD and you can replace the local admin password
or copy the SAM and crack it (if there is no diskette or CD, you can attach the HD
to a laptop…). I’m not saying it is easy, but if you have physical access
to the machine, you can compromise it.

Conclusion: any machine where non-trusted persons have access is potentially
compromised and you must never enter your password there.

Best regards,
Michal Vodicka
STMicroelectronics Design and Application s.r.o.
[michal.vodicka@st.com, http://www.st.com]