{"id":43373,"date":"2014-12-17T07:00:00","date_gmt":"2014-12-17T07:00:00","guid":{"rendered":"https:\/\/blogs.msdn.microsoft.com\/oldnewthing\/2014\/12\/17\/it-rather-involved-being-on-the-other-side-of-this-airtight-hatchway-account-vulnerable-to-active-directory-administrator\/"},"modified":"2014-12-17T07:00:00","modified_gmt":"2014-12-17T07:00:00","slug":"it-rather-involved-being-on-the-other-side-of-this-airtight-hatchway-account-vulnerable-to-active-directory-administrator","status":"publish","type":"post","link":"https:\/\/devblogs.microsoft.com\/oldnewthing\/20141217-00\/?p=43373","title":{"rendered":"It rather involved being on the other side of this airtight hatchway: Account vulnerable to Active Directory administrator"},"content":{"rendered":"<p>A security vulnerability report came in that went something like this:<\/p>\n<blockquote class=\"q\"><p> <b>Disclosure of arbitrary data from any user<\/b> <\/p>\n<p> An attacker can obtain arbitrary data from any user by means of the following steps: <\/p>\n<ol>\n<li>Obtain administrative access on the domain controller. <\/li>\n<li>Stop the XYZZY service. <\/li>\n<li>Edit the XYZZY.DAT file in a hex editor and change the bytes starting at offset 0x4242 as follows: <\/li>\n<li>&#8230; <\/li>\n<\/ol>\n<\/blockquote>\n<p> There&#8217;s no point continuing, because the first step assumes that you are on the other side of the airtight hatchway. If you have compromised the domain controller, then you control the domain: the domain controller stores every domain account&#8217;s credentials and authenticates every domain logon, so anything a domain user can do, a domain administrator can already arrange to do as that user. From there, all the remaining steps are just <a href=\"http:\/\/blogs.msdn.com\/b\/oldnewthing\/archive\/2009\/04\/09\/9539191.aspx\"> piling on style points and cranking up the degree of difficulty<\/a>.\n A much less roundabout attack is as follows:<\/p>\n<blockquote class=\"q\">\n<ol>\n<li>Obtain administrative access on the domain controller. <\/li>\n<li>Deploy a logon script to all users that <i>does whatever you want<\/i>. 
<\/li>\n<li>Wait for the user to log in next, and your script will DO ANYTHING YOU WANT. <\/li>\n<\/ol>\n<\/blockquote>\n<p> No, wait, I can make it even easier.<\/p>\n<blockquote class=\"q\">\n<ol>\n<li>Obtain administrative access on the domain controller. <\/li>\n<li>Reset the victim&#8217;s password (a domain administrator does not need to know the old one). <\/li>\n<li>Log on as that user and DO ANYTHING YOU WANT. <\/li>\n<\/ol>\n<\/blockquote>\n<p> You are the domain administrator. You already pwn the domain. That you can pwn a domain that you pwn is really not much of a surprise.<\/p>\n<p> This is why it is important to choose your domain administrators carefully, and to guard the domain controllers themselves as carefully as the accounts that administer them: anyone who can run code as an administrator on a domain controller <i>is<\/i> a domain administrator. <\/p>\n","protected":false},"excerpt":{"rendered":"<p>A security vulnerability report came in that went something like this: Disclosure of arbitrary data from any user An attacker can obtain arbitrary data from any user by means of the following steps: Obtain administrative access on the domain controller. Stop the XYZZY service. Edit the XYZZY.DAT file in a hex editor and change the [&hellip;]<\/p>\n","protected":false},"author":1069,"featured_media":111744,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[1],"tags":[26],"class_list":["post-43373","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-oldnewthing","tag-other"],"acf":[],"blog_post_summary":"<p>A security vulnerability report came in that went something like this: Disclosure of arbitrary data from any user An attacker can obtain arbitrary data from any user by means of the following steps: Obtain administrative access on the domain controller. Stop the XYZZY service. 
Edit the XYZZY.DAT file in a hex editor and changes the [&hellip;]<\/p>\n","_links":{"self":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/43373","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/users\/1069"}],"replies":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/comments?post=43373"}],"version-history":[{"count":0,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/posts\/43373\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media\/111744"}],"wp:attachment":[{"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/media?parent=43373"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/categories?post=43373"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/devblogs.microsoft.com\/oldnewthing\/wp-json\/wp\/v2\/tags?post=43373"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}