Exchange Security and Renaming Users (SIDS)
Subject: Exchange Security and Renaming Users (SIDS)
From: Wendel, Jesse (jwende PUGET.COM)
Date: Tue Jan 11 2000 - 17:04:29 CST
Exchange Security and Renaming Users (SIDS) - A Cautionary Tale
> Due to concerns over the size of the SAM in larger organizations, some
> people in my organization suggested that instead of deleting a user
> account, one should rename and disable it. Then, when you need to add a
> user, redefine the groups the user is in, name it appropriately and put
> the new user in play with the old SID. Some time ago my company
> instituted such a policy.
>
> Leaving aside entirely the question of have you eliminated any NTFS
> permissions associated with that SID (if you manage access through groups
> and don't allow exceptions - Ha! - you may actually manage this), there is
> also a potential impact on Exchange security which I discovered today.
>
> Let's say the CEO has a trusted assistant who has been given "user" or
> "send as" permissions on the CEO's mailbox. The trusted assistant leaves
> and his account is renamed to ZZZ101 and disabled. Six months go by. New
> employee Janice Black Hat is hired. Account ZZZ101 is now renamed to
> jbhat and Janice is given the permissions appropriate to her work. One
> day, she decides to see if she can hack the old man's mail. She goes to
> attach the mailbox and, surprise, she gets in. She has the same SID as
> the trusted assistant did and that account still has "user" permissions
> set in Exchange. Now a black hat is logged into Exchange as the user of
> the CEO's mailbox - time to update your resume.
>
> The moral of the story is, when a SID has outlived its life, delete it.
>
> P.S. This is not a made up story. Today I found a renamed and disabled
> account with "user" permissions in the Exchange mailbox of a very senior
> executive - just waiting there to be given to some new user. Since I
> found it before the old account was reactivated there was no actual
> breach. Needless to say, we no longer rename SIDs.
>
Jesse Wendel
Lead Exchange Analyst
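The mechanism behind the story, as an added illustration that is not code from the post or from Exchange: a toy SAM whose accounts are keyed by SID, a mailbox ACL that stores SIDs rather than names, and an audit that flags ACEs held by orphaned or disabled SIDs. The S-1-5-21-EXAMPLE-* SIDs and the account names are constructed for the example; the "rename" and "delete" policies replay the two ways the departed assistant's account could be handled.

```python
from dataclasses import dataclass

@dataclass
class Account:
    sid: str        # what ACLs are actually bound to
    name: str       # display attribute only; renaming changes just this
    enabled: bool = True

class Directory:
    """Toy SAM keyed by SID (constructed S-1-5-21-EXAMPLE-* values)."""
    def __init__(self):
        self.by_sid, self._next = {}, 1000
    def create(self, name):
        acct = Account(f"S-1-5-21-EXAMPLE-{self._next}", name)
        self._next += 1
        self.by_sid[acct.sid] = acct
        return acct
    def delete(self, acct):
        del self.by_sid[acct.sid]                    # SID gone for good
    def rename_and_disable(self, acct, placeholder):
        acct.name, acct.enabled = placeholder, False  # SID survives
    def reuse(self, acct, new_name):
        acct.name, acct.enabled = new_name, True

def stale_aces(acl, directory):
    """Audit a mailbox ACL {sid: right}: flag orphaned SIDs and disabled holders."""
    findings = []
    for sid, right in acl.items():
        acct = directory.by_sid.get(sid)
        if acct is None:
            findings.append((sid, right, "orphaned"))
        elif not acct.enabled:
            findings.append((sid, right, f"disabled as {acct.name}"))
    return findings

def scenario(policy):
    """Replay the post under 'rename' or 'delete'; return (new hire can open CEO box?, audit)."""
    d = Directory()
    ceo, assistant = d.create("ceo"), d.create("assistant")
    ceo_acl = {ceo.sid: "owner", assistant.sid: "user"}  # Exchange stores SIDs, not names
    if policy == "rename":
        d.rename_and_disable(assistant, "ZZZ101")
        audit = stale_aces(ceo_acl, d)      # what a periodic audit would flag
        d.reuse(assistant, "jbhat")         # same SID handed to the new hire
    else:
        d.delete(assistant)
        audit = stale_aces(ceo_acl, d)      # ACE is now orphaned, not transferable
        d.create("jbhat")                   # fresh SID
    jbhat = next(a for a in d.by_sid.values() if a.name == "jbhat")
    return jbhat.sid in ceo_acl, audit
```

Running `stale_aces` over real mailbox ACLs after every offboarding is the check that would have caught the disabled ZZZ101 entry before it was handed to anyone.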
This archive was generated by hypermail 2b27 : Tue Jan 11 2000 - 17:24:44 CST