Thursday, May 15, 2008

Token Passing with Incognito Part 3

Sorry no screen shots, i didnt think anyone would care that much but I have been able to confirm in my testing (dameware 6) that if you are using dameware in your enterprise for remote management/admin you are leaving tokens laying around on the remote boxes.

Because dameware just gives you a screen on the remote host and you still have to log in, the token lingers until you reboot.

Good to know if you are auditing an organization that uses dameware. Like most things, the real protection is to ensure the auditor/attacker cant get on the box in the first place and for client side attacks that the privilege to leverage the token passing tool is not allowed on user accounts (even admin accounts unless its needed). This is configurable in group policy.

still to-do, Terminal Services and RDP

No comments: