[38611] in Kerberos
Re: Using ms2mit...risks?
daemon@ATHENA.MIT.EDU (Greg Hudson)
Tue Sep 17 12:28:01 2019
To: John Devitofranceschi <foonon@gmail.com>, <kerberos@mit.edu>
From: Greg Hudson <ghudson@mit.edu>
Message-ID: <5f301310-4d69-ed1d-9c3f-f705783370db@mit.edu>
Date: Tue, 17 Sep 2019 12:27:24 -0400
MIME-Version: 1.0
In-Reply-To: <23833497-2183-42C9-BA10-98A2E337918E@gmail.com>
Content-Language: en-US
Content-Type: text/plain; charset="utf-8"
Errors-To: kerberos-bounces@mit.edu
Content-Transfer-Encoding: 8bit
On 9/17/19 8:31 AM, John Devitofranceschi wrote:
> What are the risks of using ms2mit to create an API: ccache? What are the risks of setting “allowtgtsessionkey” to ‘1’ in the registry (as KfW does)?
My best understanding is that, for a user account with administrator
privileges, a process with access to a TGT can escalate privilege
without a UAC prompt. This risk would apply regardless of whether the
TGT is obtained from the native LSA ccache or if it was stored in an API
or FILE ccache.
________________________________________________
Kerberos mailing list Kerberos@mit.edu
https://mailman.mit.edu/mailman/listinfo/kerberos
