Re: Insufficient Authentication vulnerability in Asus notebook
On 2009-05-14 nameless wrote:
> Steve Quan wrote:
>> Is there something like su/sudo in the Windows world? How do Windows
>> administrators handle this (i.e. accountability)?
> There is "runas".
Indeed. There's also a variety of third-party tools like SuperiorSU.
> There is no accountability with the local admin account. You can
> disable the account and use domain credentials, but when the domain
> isn't available, you're screwed, so it is a poor decision.
I wouldn't agree entirely. It depends on who is given the password for
the local administrator account. You only have no accountability if more
than one person knows that password.
> In regards to changing the Admin account name, why make it easy for
> the kiddiots? It is trivial for any of us to bypass this, right?
Please elaborate. What attack scenarios do you see that aren't mitigated
by a strong password? Besides, even if you change the login name, the
SID of the account (which is well-known) still remains the same.
> Changing the Administrator name is just another layer in the onion of
> your defensive strategy.
I entirely fail to see what additional security that will gain you, so
> And I'm not trying to be a smart ass, but does anyone really use
> LM-hashes anymore?
I don't believe they're actually used by anyone anymore. However, the
use of LM-hashes is still enabled by default on any XP.
"The Mac OS X kernel should never panic because, when it does, it
seriously inconveniences the user."