I've heard local Windows admins can hijack sessions without passwords. How is this possible? What are the best ways to stop this kind of session hijacking?
An attacker with local Windows admin privileges can remotely hijack a user's session without knowing the user's password.
If the targeted user has locked his workstation, the attacker can access it anyway. This requires the attacker to be running as NT AUTHORITY\SYSTEM, which he can verify with the whoami command. Remote Desktop Protocol (RDP) must also be enabled in order to connect to the victim's machine.
Before the hijacking begins, the attacker opens the Task Manager's Users tab to view the status of each logged-on user; this is easier than running several commands to get the same information. The local admin's own session is always active, with Console as its session name. If, for example, the targeted user is a bank employee who logged off (ended his session) rather than locking it before leaving for lunch, the attacker would be unable to connect to the employee's session.
After viewing the Task Manager, the attacker opens a Command Prompt window and executes a single command line to complete the hijacking, passing maliciously chosen arguments (parameters or options) to the PsExec command. The victim's remote session is connected back to the attacker, who returns to the Task Manager and now has access to the victim's session. When the victim returns from lunch, he has no way of knowing his session was hijacked.
To stop this type of session hijacking, establish a group policy that prevents unprivileged users from gaining local admin rights and prevents a local admin from reconnecting another user's remote session to himself.
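As an added example (not part of the original answer), here is a PowerShell check an administrator can run to audit the two conditions the answer names: who holds local admin rights, and whether disconnected sessions are ended rather than left open for someone to reconnect. The approved-admins list is constructed for the example, and the MaxDisconnectionTime registry value (which backs the "Set time limit for disconnected sessions" Group Policy setting) is assumed as the setting that implements the second control.

```powershell
# Added example, not from the original Q&A. Assumes the standard Terminal
# Services policy key; MaxDisconnectionTime (milliseconds) backs the
# "Set time limit for disconnected sessions" Group Policy setting.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'

# Accounts expected to hold local admin rights (constructed list for this example).
$ApprovedAdmins = @("$env:COMPUTERNAME\Administrator", 'CORP\Workstation-Admins')

function Test-SessionHijackExposure {
    $findings = @()

    # 1. Local admin rights are the precondition for the hijack, so any member
    #    of Administrators outside the approved list is a finding.
    $members = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop
    foreach ($m in $members) {
        if ($ApprovedAdmins -notcontains $m.Name) {
            $findings += "Unexpected local admin: $($m.Name) ($($m.ObjectClass))"
        }
    }

    # 2. A disconnected session left open indefinitely is what an admin can
    #    reconnect; a configured time limit ends it instead.
    $limit = (Get-ItemProperty -Path $PolicyKey -Name MaxDisconnectionTime `
              -ErrorAction SilentlyContinue).MaxDisconnectionTime
    if (-not $limit) {
        $findings += 'No time limit set for disconnected sessions (MaxDisconnectionTime)'
    }

    # 3. Sessions currently in the Disc (disconnected) state, as shown by
    #    quser / the Task Manager Users tab, should be logged off, not left idle.
    $disconnected = (quser 2>$null) | Select-Object -Skip 1 |
        Where-Object { $_ -match '\sDisc\s' }
    foreach ($line in $disconnected) {
        $findings += "Disconnected session: $($line.Trim() -replace '\s{2,}', ' ')"
    }

    return $findings
}

function Set-DisconnectedSessionLimit {
    # Ends disconnected sessions after $Minutes (policy takes effect on next logon).
    param([Parameter(Mandatory)][int]$Minutes)
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    New-ItemProperty -Path $PolicyKey -Name MaxDisconnectionTime -PropertyType DWord `
        -Value ($Minutes * 60 * 1000) -Force | Out-Null
}

Test-SessionHijackExposure
```

Run from an elevated prompt; Get-LocalGroupMember and writing under HKLM both require administrator rights.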
Ask the expert:
Want to ask Judith Myerson a question about security? Submit your question now via email. (All questions are anonymous.)