 
From: Russ (Russ.CooperRC.ON.CA)
Date: Fri Apr 20 2001 - 09:41:17 CDT


    It should be pointed out that anyone with local Admin privileges on a box
    that has a Domain Account-based service running can easily run l0phtcrack,
    or some similar tool, against their own SAM and determine the password of
    the service account that way. They can, then, use that account information
    to do other things (like not having to use Srvany to launch a service of
    their choice).

    It reminds me of a story someone once told me of how a machine he had kept
    getting compromised by fellow co-workers; they all had the same Backup agent
    software using the identical userID on all machines within a domain...;-]
    That story is almost 3 years old now.

    The technique Tony describes is a little more interesting, but is just
    another manifestation of the problems blindly giving Local Admin access
    creates.

    Cheers,
    Russ
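
An added example, not part of the original message: a PowerShell audit of the exposure described above, listing the services on a host that log on with a domain account next to the members of that host's local Administrators group. `Get-ServiceAccountKind` is a hypothetical helper, and its classification rules are assumptions about common account naming.

```powershell
# Added example: run on the host being audited (Windows PowerShell 5.1 or later).
$computer = $env:COMPUTERNAME

# Hypothetical helper: classify a service logon account by its name format.
# The patterns are assumptions about typical naming, not an official taxonomy.
function Get-ServiceAccountKind {
    param([string]$StartName, [string]$ComputerName)
    if ([string]::IsNullOrEmpty($StartName)) { return 'None' }   # no logon account recorded
    if ($StartName -match '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\)') { return 'BuiltIn' }
    if ($StartName -match '^\.\\' -or $StartName -like "$ComputerName\*") { return 'Local' }
    if ($StartName -match '\\|@') { return 'Domain' }            # DOMAIN\user or user@domain
    return 'Unknown'
}

# Every installed service with the account it logs on as, plus our classification.
$services = Get-CimInstance -ClassName Win32_Service |
    Select-Object Name, DisplayName, StartName, State,
        @{ n = 'Kind'; e = { Get-ServiceAccountKind -StartName $_.StartName -ComputerName $computer } }

$domainServices = $services | Where-Object Kind -eq 'Domain'

# S-1-5-32-544 is the well-known SID of BUILTIN\Administrators, so this works
# regardless of how the group is named on a localized system.
$admins = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource

if ($domainServices) {
    "Services on $computer that log on with a domain account:"
    $domainServices | Format-Table Name, StartName, State -AutoSize
    "Members of local Administrators on ${computer}:"
    $admins | Format-Table -AutoSize
} else {
    "No services on $computer log on with a domain account."
}
```

Collecting the `StartName` column from many hosts and grouping by account shows where one domain service account is reused across machines, as in the backup agent story.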