('binary' encoding is not supported, stored as-is) Hello everybody, Here is a couple of my observations on Windows 2000/XP LocalSystem account. Originally (NT4) the paradigm of this account was declared by MS as the following: 1. This account doesn't require athentication on the local computer. 2. It has unlimited rights on the local computer. 3. No network resources can be accessed using this account. Now, that's what we see in Windows 2000: 1. LocalSystem is still the main account under which the most of system services run. 2. LocalSystem has unlimited privileges on Active Directory objects. It is true for all of the partitions located in the AD database. So, any process running under LocalSystem on any of domain controllers can easily crash the whole forest just by erasing Schema or Configuration objects. And that becomes not funny, you need to control every single backup operator as well as patch thoroughly every single buffer overflow vulnerabilities in system services and apps. 3. Here is another surprise coming. Now the LocalSystem account is able to access other computer's shared resources. Basically, its rights are equal to ones of "Users" or "Domain Users". So you don`t need to be authenticated by domain at all to access domain resources shared for "Users" only. Has anything changed in Microsoft's vision of the System account? What are documented security features of this account? Thanks
This archive was generated by hypermail 2b30 : Fri Apr 04 2003 - 14:19:15 PST