
Status
Not open for further replies.
1 - 6 of 6 Posts

1,629 Posts
Discussion Starter #1
Hi all,

At our work we run a WPAD script as a proxy for all users.

There's an Active Directory group that gives restricted internet access to domain accounts by tying a filter in our web filtering product to that AD group.

I have an issue where one of our IT guys logged onto a Windows XP machine using his domain account. He then switched to the local Administrator account.

He put the URL to the WPAD.dat file in his proxy settings in Internet Explorer. He was then able to access the external internet, but without having to provide a domain account/password after authenticating with the Admin account. So, he logs into a machine using a domain account, while logged in he changes his login to the local Administrator account, then he gets on the internet.

Now, what's strange about this (to me at least) is that we follow standard default-deny practice (if you're not a member of an AD group tied to a filter, you get blocked). The reason he was able to get on the internet was because that restricted internet access group in AD was applied to the local Admin account after he logged into it, thus the web filter allowed him through to the net. This should not be happening, right? A global AD group shouldn't be randomly applied to a local, machine-based account, even if it is Administrator (no local Admin accounts on any machine are members of that group, only domain accounts).

Is this an example of privilege escalation, or am I missing something here?
 

1,629 Posts
Discussion Starter #3
Thanks, Jack. That link doesn't really help me with this issue, though. I can't figure out why/how he got a global AD group applied to a local account without any domain admin actually placing that account in it. Mystery to me so far!
 

40,765 Posts
Once you log off of the Domain and log in as the Local Built-in Administrator, you are no longer under Domain Policy. You can set up a Group Policy in gpedit to restrict local admins from accessing the internet on that machine. Or restrict their IP address from accessing the internet.
 

1,629 Posts
Discussion Starter #5
Hi spunk.funk....

That makes sense to me in theory. So you're saying the Group Policy probably isn't set up to restrict local admin accounts from accessing the internet - so even though we have an auto-config script in place, maybe for the admin accounts that doesn't apply?
 

40,765 Posts
If the script is running on the Domain Controller, and not the local machine, then it won't take effect when the user logs out of the domain. You can either set up a Group Policy on the local machine, or run the script from the local machine. But it sounds like your IT guy knows how to get around whatever you do. Or change the Local Built-in Administrator's password, so they can't access it.
 
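The two replies above turn on what a WPAD.dat auto-config script actually does. A PAC file is plain JavaScript whose single entry point, FindProxyForURL(url, host), receives only the destination; it has no parameter for the logged-on account, so it cannot tell a domain user from the local Administrator. Whether a user is allowed out is decided by the filtering proxy, not by the script. The following is an added example, not the thread's own WPAD.dat: a constructed PAC in the usual shape, with the weak form that silently falls back to DIRECT beside the form that sends all external traffic through the filter. The proxy name webfilter.corp.example:8080 and the internal suffix .corp.example are assumptions; the helper stand-ins exist only so the file runs under Node, since browsers supply them.

```javascript
// Constructed PAC (proxy auto-config) file for illustration; the proxy name and
// internal domain suffix below are assumed, not taken from the thread.
const FILTER_PROXY = "PROXY webfilter.corp.example:8080";
const INTERNAL_SUFFIX = ".corp.example";

// Browsers provide isPlainHostName() and dnsDomainIs() to PAC scripts.  These
// stand-ins reproduce their behaviour so the file can be exercised under Node;
// a real WPAD.dat served to browsers would leave them out.
function isPlainHostName(host) {
  return host.indexOf(".") === -1;
}
function dnsDomainIs(host, domain) {
  return host.length >= domain.length && host.slice(-domain.length) === domain;
}

// Weak form: the semicolon list tells the browser "try the proxy, and if it is
// unreachable go DIRECT".  Any client that cannot reach the filter (or is made
// unable to) leaves the network unfiltered without an error.
function weakFindProxyForURL(url, host) {
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  return FILTER_PROXY + "; DIRECT";
}

// Corrected form: internal destinations go direct, everything else goes only to
// the filter.  There is no DIRECT fallback, so an unreachable filter means no
// internet rather than unfiltered internet.  Note the signature: the script sees
// a destination, never an identity, so it cannot apply per-account rules.
function FindProxyForURL(url, host) {
  if (host === "localhost" || host === "127.0.0.1") {
    return "DIRECT";
  }
  if (isPlainHostName(host) || dnsDomainIs(host, INTERNAL_SUFFIX)) {
    return "DIRECT";
  }
  return FILTER_PROXY;
}

// Convenience wrapper for testing: derive the host the browser would pass in.
function routeFor(url) {
  return FindProxyForURL(url, new URL(url).hostname);
}

// Routing table for a few constructed destinations, to compare both forms.
function compareForms(urls) {
  return urls.map((u) => {
    const host = new URL(u).hostname;
    return { url: u, weak: weakFindProxyForURL(u, host), corrected: FindProxyForURL(u, host) };
  });
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(compareForms([
    "http://intranet/",
    "http://wiki.corp.example/",
    "http://www.example.org/",
  ]));
}
```

Running the table shows the point the thread circles around: the decision depends only on the destination, so the same WPAD.dat yields the same answer for a domain account and for the local Administrator. Enforcement of who may browse has to live at the proxy (per-session authentication) and in local policy on the machine, which is what the suggestion to use gpedit or a local Group Policy amounts to.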