This one is one of my recurrent rants, so I thought I'd post it while I'm thinking about it....
Why do large corporations spend loads of money securing their perimeter, a fair amount on their core line-of-business servers, and very little securing corporate desktops?
If someone can compromise a desktop PC, they can very easily get all the rest of the access they need, and from there just as easily compromise your core servers...
Here's one scenario of many.
1st step - Get local administrator rights on a corporate PC running Windows. Easily done by booting off a CD, grabbing the SAM file and cracking the password. In most networks I've seen, the local admin password is the same on all the PCs.
2nd step - Find out the IP address or machine name of an admin-level person's desktop. Shouldn't be too hard if you are in the same building; if you're not, something like an HTML e-mail with a web bug in it would do the trick.....
3rd step - Connect to their PC using the local administrator account and install a keylogger.
4th step - Grab all the passwords as they type them! If you're feeling fancy, install a remote control program on their workstation, then log on to their machine as them and connect to the servers they administer. At that point it would be very hard for mechanisms like an IDS to know that you're not the administrator of the system.....
How do you mitigate this?
One way would be to deploy two-factor authentication for all your admins. If you use RSA tokens or some other form of one-time password, a captured password alone is no longer enough, which cuts back the attacker's window of opportunity.
Another option would be to put desktop firewalls on all admin (or potentially all) PCs and configure a reasonable ruleset on them which only allows inbound connections from the specific subnets required to maintain the system.
Another option (only applicable to this particular attack) would be to set a different local administrator password on each PC (might be a bit hard to administer, though).
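To make the desktop firewall option concrete, here is an added example (not from the original post) of the kind of ruleset described above, written for the Windows Firewall cmdlets on an admin workstation. It sets the default inbound posture to block, allows the remote-administration ports (SMB, RDP, WinRM) only from an assumed management subnet, and disables the built-in rule groups that would otherwise reopen those ports to every host on the LAN. The subnet 10.20.30.0/24, the port list and the rule names are assumptions for illustration; adjust them to whatever your own management hosts actually use.

```powershell
# Added example, not the original post's own configuration.
# Restrict inbound management ports on a Windows workstation so that only the
# management subnet can reach them; any other desktop in the building that tries
# to connect with the local administrator account hits the default block.
# Assumptions: 10.20.30.0/24 is the management/jump-host subnet (constructed
# value), and the ports below are the ones your admins actually use.

$MgmtSubnet = '10.20.30.0/24'
$AdminPorts = @(
    @{ Name = 'SMB (admin shares, remote service control)'; Port = 445  },
    @{ Name = 'RDP';                                         Port = 3389 },
    @{ Name = 'WinRM over HTTP';                             Port = 5985 },
    @{ Name = 'WinRM over HTTPS';                            Port = 5986 }
)

# 1. Deny inbound by default on every profile and log the drops, so a
#    connection attempt from an unexpected source leaves a record.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. Allow each admin port only from the management subnet. Rules are
#    recreated on every run so the script is safe to re-apply.
foreach ($svc in $AdminPorts) {
    $ruleName = "Admin - $($svc.Name) - management subnet only"
    if (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue) {
        Remove-NetFirewallRule -DisplayName $ruleName
    }
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound `
        -Protocol TCP `
        -LocalPort $svc.Port `
        -RemoteAddress $MgmtSubnet `
        -Action Allow `
        -Profile Domain `
        -Enabled True | Out-Null
}

# 3. Disable the built-in rule groups that would reopen SMB and RDP to any
#    source address and so defeat the subnet restriction above.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayGroup -in @('File and Printer Sharing', 'Remote Desktop') } |
    Disable-NetFirewallRule

# 4. Print the remaining inbound allow rules with their ports for review.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Select-Object DisplayName,
        @{ Name = 'Port';   Expression = { ($_ | Get-NetFirewallPortFilter).LocalPort } },
        @{ Name = 'Source'; Expression = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } } |
    Format-Table -AutoSize
```

Two caveats worth keeping in mind when you deploy something like this. First, the rules only apply to the Domain profile, so a laptop that drops onto a home or hotel network gets the plain default-block posture with no admin access at all; that is usually what you want, but say so in the change record. Second, this addresses the third step of the scenario (the network connection to the admin's PC) and nothing else: the boot-from-CD step is a physical-access problem, and the shared local admin password is what the last option above, a different password per PC, is there to fix.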