Fun with cached credentials!
From: Firstname Lastname (Todd_Thomas_at_DOH.STATE.FL.US)
Date: 12/03/04
- Previous message: Russ Cooper: "Alert: Microsoft Security Bulletin MS04-040 - Cumulative Security Update for Internet Explorer (889293)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 3 Dec 2004 15:01:57 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
One of the security settings on a Windows 2003 box is - Interactive
logon: Number of previous logons to cache
I was testing this feature and discovered something that might be
disturbing to some who are not already aware of it. By default, this
setting is set to 10, so Windows 2003 will remember 10 sets of logon
credentials. Some people confuse these credentials with the user
profiles, but the two do not appear to be synonymous. Some
experimentation has revealed what I think is a big problem with this
"feature". Namely, that in an Active Directory setting, users that are
deleted, or locked in AD can still logon using these cached credentials
if the system cannot communicate with the Domain Controllers.
Worse, they continue to be able to logon even if you delete or remove
their profiles. The credentials are stored somewhere else (probably the
registry). Thus, unless you take some other remediation deleted Active
Directory accounts can still logon to systems that are disconnected from
the Domain FOREVER. Even if you have a password policy that expires
passwords, that only appears to be enforced if the Domain Controller can
be contacted. I had no trouble disconnecting the machine and logging in
with a username long deleted and a password long expired.
One fix that I found was to change the default setting of the above
security setting to zero. That seems to cause all previously cached
credentials to be purged from the system. It also prevents ANYONE from
logging into the system with a Domain account if the system is not
actually attached to the domain. This could be a VERY big problem for
laptop users who do not use local accounts. However, I think this
setting should be set to zero on any and all servers in an Active
Directory environment.
Comments, opinions and further testing results are welcome.
Todd Thomas
Disaster Preparedness Consultant
-- Editor's Note: The 43rd Most Powerful Person in Networking says... Register today to take the TruSecure ICSA exam by 12/31/04 at <http://www.2test.com> , use promo code "CT1204" and you will pay just $221.25 US Dollars for domestic exam delivery and $296.25 US Dollars for international delivery. Visit <https://ticsa.trusecure.com> for complete details regarding the TICSA credential and to take the free sample exam. --
- Previous message: Russ Cooper: "Alert: Microsoft Security Bulletin MS04-040 - Cumulative Security Update for Internet Explorer (889293)"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
