
19.03.10

D/EU: Users with Local Administrator Rights as a Danger for Company's Data Protection

Category: News
By: F.Fiesel, 2B Advice – the privacy benchmark

In many businesses, users can log on to their computers with local administrator privileges. The difference between normal users and domain administrators is that domain administrators are given rights at domain level, whereas local administrators are only given rights on their own system. However, with the help of some freely available tools, it is possible for local administrators to obtain access to resources that are actually reserved for domain administrators.

This can be done with what is known as a "pass-the-hash" attack. The following example illustrates how such an attack works:

User A has local administrator privileges on his computer, Client X.

At some point, Domain Administrator B logged on to Client X locally for routine maintenance and then logged off again afterward.

Now the credentials, including the domain administrator's password, are stored on Client X in hashed form. It would take considerable and unreasonable effort to crack this password. The single sign-on mechanism in Windows domains, however, allows an attacker to avoid cracking the password altogether: instead of using the domain administrator's password, an attacker can use freely available tools to send the corresponding password hash.

In this example, all that is needed to obtain the hash of the domain administrator's password is local administrator privileges.

This vulnerability makes it possible for users with local administrator privileges to access the company's sensitive information, thus compromising the security of this information altogether.

In order to prevent data loss or manipulation by this method, it is advisable that -- whenever possible -- all users be granted limited access privileges rather than local administrator privileges. It also makes sense to store the domain administrator's password hash only temporarily on the client and to then delete the hash automatically.
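As an added illustration of the two recommendations above (this is not code from the article or from 2B Advice), the following PowerShell audit is what a desktop administrator could run on a client such as Client X: it lists who holds local administrator rights and reads the CachedLogonsCount value that controls how many domain logons Windows caches locally. It assumes Windows 10 / Server 2016 or later (for Get-LocalGroupMember) and an elevated session; the function name is my own.

```powershell
# Added audit function (not part of the original article). Assumes the
# Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016+)
# and an elevated session.
function Get-LocalAdminExposure {
    # 1. Who holds local administrator rights on this machine?
    $members = Get-LocalGroupMember -Group 'Administrators'
    $admins = foreach ($m in $members) {
        [pscustomobject]@{
            Name   = $m.Name
            Type   = $m.ObjectClass       # User or Group
            Source = $m.PrincipalSource   # Local or ActiveDirectory
        }
    }
    # Domain user accounts (not groups) that are local admins are the case
    # the article warns about: they can reach hashes left on the client.
    $domainUsers = @($admins | Where-Object {
        $_.Source -eq 'ActiveDirectory' -and $_.Type -eq 'User'
    })

    # 2. How many domain logons does Windows keep cached locally?
    #    The value is a REG_SZ; a missing value means the default of 10.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $cached = (Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' `
               -ErrorAction SilentlyContinue).CachedLogonsCount
    if ([string]::IsNullOrEmpty($cached)) { $cached = '10' }

    [pscustomobject]@{
        Computer                 = $env:COMPUTERNAME
        LocalAdmins              = $admins
        DomainUsersWithLocalAdmin = $domainUsers
        CachedLogonsCount        = [int]$cached
    }
}

# Run the audit and print the findings in plain language.
$r = Get-LocalAdminExposure
"Local Administrators on $($r.Computer):"
$r.LocalAdmins | Format-Table -AutoSize
if ($r.DomainUsersWithLocalAdmin.Count -gt 0) {
    "WARNING: $($r.DomainUsersWithLocalAdmin.Count) domain user account(s) hold local admin rights; prefer standard user accounts."
}
if ($r.CachedLogonsCount -gt 0) {
    "NOTE: CachedLogonsCount is $($r.CachedLogonsCount); domain logon data persists on this client after logoff. Set it to 0 where offline logon is not needed."
}
```

On a machine where Get-LocalGroupMember fails on an orphaned SID (a known issue with that cmdlet), run it with -ErrorAction Stop inside a try/catch so the registry check still completes.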

The following article by Bashar Ewaida -- "Pass-the-hash Attacks: Tools and Mitigation" at www.sans.org -- offers further information, including ways to prevent pass-the-hash attacks.
