Understanding NT Authority\System rights
francis at gonzaga.edu
Wed Sep 3 22:39:22 GMT 2003
There have been some concerns with some of our IT staff about the level of
access that can be obtained by a worm that has exploited the RPC
My understanding of this is that whatever is executed is run as "NT
Authority\System", a local account that has high-level rights on the local
system but limited rights within the domain. Another understanding I have
is that even if this is a DC, the "NT Authority\System" account is still a
local account, not a domain account.
I have some questions based upon this:
1) What rights does NT Authority\System have within the domain that might
allow it to further attack the domain (beyond enumeration)?
2) Is there anything that NT Authority\System can't do on the local
3) Can it run code as the user that is currently logged on?
(I'm assuming that if it replaced a file that the user then executed,
that would do it, but what about hijacking the user's credentials
while they are logged into the domain?)
From my understanding, if a system was compromised and unknown code was
executed as "NT Authority\System", we should no longer trust the system
and it should be rebuilt. It doesn't seem to me that that would compromise
the integrity of the domain security unless the machine exploited was a DC
or a privileged user logged into an injected computer and executed
I just haven't seen any discussion about this and I have some concerns.
Greg Francis Gonzaga University
Sr. System Administrator Spokane Washington
francis at gonzaga.edu 509-323-6896