From: Robert Rota (robert.a.rotasaic.com)
Date: Mon Dec 03 2001 - 09:02:02 CST


    Thank you Matthew for the insight.
    I see you are from MS so can you tell me how I delete
    the guest account from active directory?

    rob



    >Subject: RE: AD access
    >Date: Mon, 3 Dec 2001 11:25:12 -0800
    >From: "Matt Priestley" <mpriestmicrosoft.com>
    >To: "Focus on Microsoft Mailing List" <FOCUS-MSSECURITYFOCUS.COM>
    >
    >It's sometimes useful to delete the Guest account because it helps
    >prevent an information leak regarding the system's password lockout
    >parameters.
    >
    >There is a difference between a disabled account and an account that has
    >been locked out. When an account is locked out, NT will not even check
    >whether the supplied password was correct - it will just fail. When an
    >account is disabled, NT does check the password, but even in the case of
    >success it won't let the user in. More importantly perhaps, the two
    >states have different error messages.
    >
    >Although Guest is disabled by default it still validates logon attempts
    >against the registered Guest password and notes internally if the logon
    >attempt failed. If an attacker wishes to know the lockout thresholds for
    >a system, s/he could experiment with the Guest account until the system
    >reported that the user had exceeded the lockout threshold. The attacker
    >would then have some information about the tolerances of the system and
    >set his/her password cracking scripts accordingly.
    >
    >A pretty minor threat though overall.
    >
    >-matthew Priestley
    >mpriestmicrosoft.com
    >
    >Phone: 425-703-9478
    >Pager: 866-776-9851
    >
    >
    >-----Original Message-----
    >From: Laura A. Robinson [mailto:larobinsbellatlantic.net]
    >Sent: Friday, November 30, 2001 3:16 PM
    >To: Robert Rota; Focus on Microsoft Mailing List
    >Subject: Re: AD access
    >
    >Why are you trying to delete the guest account, specifically?
    >
    >Aside from that, if you boot into directory services restore mode on a
    >DC, AD is not initialized and you can manipulate it with utilities like
    >NTDSUTIL.
    >
    >Laura
    >----- Original Message -----
    >From: "Robert Rota" <robert.a.rotasaic.com>
    >To: <focus-mssecurityfocus.com>
    >Sent: Friday, November 30, 2001 10:29 AM
    >Subject: AD access
    >
    >
    >>
    >>
    >> Quick question that I would like anyone to answer..
    >> Do you know of a utility that will access Active
    >> Directory in the LocalSystem Context? I would like to
    >> be able to delete the Guest account after I have
    >> promoted the server. As you know, accounts are then
    >> stored in ntds.dit. For some reason I cannot
    >> manipulate the name spaces the way I could the
    >> registry. Do you know of a tool that can modify these
    >> fields and that will run with system privilege? I have
    >> opened the adsi edit utility with LocalSystem privilege
    >> and still not been able to delete the Guest account.
    >> Any insight that you may have into this process would
    >> be appreciated. Also, do you know of a tool that can
    >> manipulate Active Directory if it is not loaded into
    >> memory? For instance, say I boot the DC with a
    >> floppy and mount the FS. Now I have bypassed ACLs
    >> and I want to edit ntds.dit? I assume the ADSI may be
    >> programmed to do this but I am skeptical about the
    >> ACL?
    >>
    >> Again, any insight would be greatly appreciated....
    >>
    >> Thanks,
    >>
    >> Rob
    >
    >
    >
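
The probing of a disabled Guest account that Matthew Priestley's quoted reply describes leaves a recognisable trail in failed-logon records. The following detector is an added example, not part of the original thread. It assumes each record carries the NTSTATUS failure reason (as the SubStatus field of Windows failed-logon events does) and that the statuses behave as the reply describes; the record layout, account names and addresses are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# NTSTATUS codes Windows records as the reason for a failed logon.
WRONG_PASSWORD = 0xC000006A    # STATUS_WRONG_PASSWORD
ACCOUNT_DISABLED = 0xC0000072  # STATUS_ACCOUNT_DISABLED (per the reply: password matched)
LOCKED_OUT = 0xC0000234        # STATUS_ACCOUNT_LOCKED_OUT (per the reply: not checked)

# Constructed sample: (time, target account, source address, status). Not real logs.
SAMPLE = (
    [("2001-12-03 09:00:%02d" % s, "Guest", "10.0.0.7", WRONG_PASSWORD) for s in range(5)]
    + [("2001-12-03 09:00:05", "Guest", "10.0.0.7", LOCKED_OUT),
       ("2001-12-03 09:01:00", "jsmith", "10.0.0.8", WRONG_PASSWORD),
       ("2001-12-03 09:02:00", "OldSvc", "10.0.0.9", WRONG_PASSWORD),
       ("2001-12-03 09:02:10", "OldSvc", "10.0.0.9", WRONG_PASSWORD),
       ("2001-12-03 09:02:20", "OldSvc", "10.0.0.9", ACCOUNT_DISABLED)]
)

def find_probes(events, disabled, window=timedelta(minutes=30), min_failures=3):
    """Flag disabled accounts whose failed logons reveal lockout policy or a password."""
    by_account = defaultdict(list)
    for ts, account, source, status in events:
        if account.lower() in disabled:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            by_account[account.lower()].append((when, source, status))
    findings = []
    for account, rows in sorted(by_account.items()):
        rows.sort(key=lambda r: r[0])
        run = []  # wrong-password failures still inside the time window
        for when, source, status in rows:
            run = [r for r in run if when - r[0] <= window]
            if status == WRONG_PASSWORD:
                run.append((when, source))
            elif status == LOCKED_OUT and run:
                # Failures counted before the lockout equal the threshold the prober saw.
                findings.append((account, "lockout_threshold_exposed", len(run)))
                run = []
            elif status == ACCOUNT_DISABLED:
                # A disabled-account error means the supplied password was accepted.
                findings.append((account, "password_matched", len(run)))
                run = []
        if len(run) >= min_failures:
            findings.append((account, "repeated_failures", len(run)))
    return findings

if __name__ == "__main__":
    for finding in find_probes(SAMPLE, disabled={"guest", "oldsvc"}):
        print(finding)
```

The `disabled` set would come from the directory (accounts flagged as disabled); any logon failure against those accounts is worth reviewing because no legitimate user should be trying them.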