From: Matt Priestley (mpriest@microsoft.com)
Date: Mon Dec 03 2001 - 15:30:36 CST


    Guest account always has a RID of 501 and a domain user can construct
    the other parts of the SID fairly easily using user2sid. Then, sid2user
    translates back to the fake name you have created.

    Is it possible to delete the Guest object through adsi.exe?

    -matthew Priestley
    mpriest@microsoft.com

    Phone: 425-703-9478
    Pager: 866-776-9851

    -----Original Message-----
    From: Michael Ward [mailto:Mward@roseglen.com]
    Sent: Monday, December 03, 2001 12:35 PM
    To: Matt Priestley; Focus on Microsoft Mailing List
    Subject: RE: AD access

    How about if you disabled the Guest account and changed its name through
    policy?

    -----Original Message-----
    From: Matt Priestley [mailto:mpriest@microsoft.com]
    Sent: Monday, December 03, 2001 2:25 PM
    To: Focus on Microsoft Mailing List
    Subject: RE: AD access

    It's sometimes useful to delete the Guest account because it helps
    prevent an information leak regarding the system's password lockout
    parameters.

    There is a difference between a disabled account and an account that has
    been locked out. When an account is locked out, NT will not even check
    whether the supplied password was correct - it will just fail. When an
    account is disabled, NT does check the password, but even in the case of
    success it won't let the user in. More importantly perhaps, the two
    states have different error messages.
     
    Although Guest is disabled by default it still validates logon attempts
    against the registered Guest password and notes internally if the logon
    attempt failed. If an attacker wishes to know the lockout thresholds for
    a system, s/he could experiment with the Guest account until the system
    reported that the user had exceeded the lockout threshold. The attacker
    would then have some information about the tolerances of the system and
    set his/her password cracking scripts accordingly.

    A pretty minor threat though overall.

    -matthew Priestley
    mpriest@microsoft.com

    Phone: 425-703-9478
    Pager: 866-776-9851

    -----Original Message-----
    From: Laura A. Robinson [mailto:larobins@bellatlantic.net]
    Sent: Friday, November 30, 2001 3:16 PM
    To: Robert Rota; Focus on Microsoft Mailing List
    Subject: Re: AD access

    Why are you trying to delete the guest account, specifically?

    Aside from that, if you boot into directory services restore mode on a
    DC, AD is not initialized and you can manipulate it with utilities like
    NTDSUTIL.

    Laura
    ----- Original Message -----
    From: "Robert Rota" <robert.a.rota@saic.com>
    To: <focus-ms@securityfocus.com>
    Sent: Friday, November 30, 2001 10:29 AM
    Subject: AD access

    >
    >
    > Quick question that I would like anyone to answer..
    > Do you know of a utility that will access Active
    > Directory in the LocalSystem Context? I would like to
    > be able to delete the Guest account after I have
    > promoted the server. As you know, accounts are then
    > stored in ntds.dit. For some reason I cannot
    > manipulate the name spaces the way I could the
    > registry. Do you know of a tool that can modify these
    > fields and that will run with system privilege? I have
    > opened the adsi edit utility with LocalSystem privilege
    > and still not been able to delete the Guest account.
    > Any insight that you may have into this process would
    > be appreciated. Also, do you know of a tool that can
    > manipulate Active Directory if it is not loaded into
    > memory? For instance, say I boot the DC with a
    > floppy and mount the FS. Now I have bypassed ACLs
    > and I want to edit ntds.dit? I assume the ADSI may be
    > programmed to do this but I am skeptical about the
    > ACL?
    >
    > Again, any insight would be greatly appreciated....
    >
    > Thanks,
    >
    > Rob
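An added example, not code from anyone in this thread, that audits the point Matt makes above: the Guest object is found by its fixed RID 501 regardless of what it has been renamed to, and a disabled Guest still records failed password attempts. It assumes the ActiveDirectory RSAT module on a current domain and an account that can read users and the domain password policy.

```powershell
# Added example (not from the thread). Assumes the ActiveDirectory module
# and read access to user objects and the default domain password policy.
Import-Module ActiveDirectory

function Get-GuestAccountStatus {
    # The built-in Guest object always carries RID 501 under the domain SID,
    # so locate it by SID rather than by its (renamable) account name.
    $domain   = Get-ADDomain
    $guestSid = "$($domain.DomainSID.Value)-501"

    # badPwdCount is not replicated between DCs; the PDC emulator sees every
    # failure forwarded to it, so query that DC for the most complete figure.
    $guest = Get-ADUser -Identity $guestSid -Server $domain.PDCEmulator `
                -Properties Enabled, LockedOut, badPwdCount, badPasswordTime
    $policy = Get-ADDefaultDomainPasswordPolicy

    $lastBad = if ($guest.badPasswordTime) {
        [DateTime]::FromFileTime($guest.badPasswordTime)
    } else { $null }

    [pscustomobject]@{
        SamAccountName   = $guest.SamAccountName
        Sid              = $guest.SID.Value
        RenamedFromGuest = ($guest.SamAccountName -ne 'Guest')
        Enabled          = $guest.Enabled
        LockedOut        = $guest.LockedOut
        BadPasswordCount = $guest.badPwdCount
        LastBadPassword  = $lastBad
        LockoutThreshold = $policy.LockoutThreshold
    }
}

$status = Get-GuestAccountStatus
$status | Format-List

# A disabled Guest still validates the supplied password and counts the
# failure, which is the probing described in the thread; failures against a
# disabled account are a signal worth alerting on.
if (-not $status.Enabled -and $status.BadPasswordCount -gt 0) {
    Write-Warning ("Disabled Guest ({0}) shows {1} bad-password attempts, last at {2}" -f
        $status.SamAccountName, $status.BadPasswordCount, $status.LastBadPassword)
}
```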