Default domain permissions on who can join a workstation to the domain
From: Constantino Tobio (ctobio_at_GMAIL.COM)
Date: 03/10/05
Date: Thu, 10 Mar 2005 11:06:44 -0500 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Apologies if this was obvious to anyone but me, but I stumbled upon the
following while researching a problem:
Apparently, the default behavior in a Windows 2000 and 2003 Active
Directory is that any authenticated user has the ability to join
computers to the domain up to 10 times. Upgrading your domain from NT
4.0 to 2000 actually seems to open up a security attribute, rather than
lock it down further. Why this isn't made a bit more obvious is beyond
me. I've been doing this gig for 10 years (well, Win2k for 5 obviously)
and I've never heard this mentioned anywhere, even among my peers and
colleagues, or at the many conferences I've attended over the years.
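An added example, not part of the original post: a PowerShell audit of the default described above. It reads the domain's join quota and lists which accounts have used it to create computer objects. The attribute names `ms-DS-MachineAccountQuota` and `ms-DS-CreatorSID` are not given in the post, and the script assumes the ActiveDirectory (RSAT) module and read access to the domain.

```powershell
# Added example, not from the original post. Requires the ActiveDirectory
# module (RSAT) and an account that can read the domain.
Import-Module ActiveDirectory

$domain    = Get-ADDomain
$quotaAttr = 'ms-DS-MachineAccountQuota'   # attribute name not given in the post

# The per-user join quota is stored on the domain head object.
$head  = Get-ADObject -Identity $domain.DistinguishedName -Properties $quotaAttr
$quota = $head.$quotaAttr
"{0}: {1} = {2}" -f $domain.DNSRoot, $quotaAttr, $quota
if ($quota -gt 0) {
    Write-Warning "By default any authenticated user can join up to $quota computers."
}

# Computer accounts created through the quota record the creator's SID
# in ms-DS-CreatorSID, so they can be attributed after the fact.
$joined = Get-ADComputer -LDAPFilter '(ms-DS-CreatorSID=*)' `
    -Properties 'ms-DS-CreatorSID', whenCreated

$joined | Group-Object { [string]$_.'ms-DS-CreatorSID' } | ForEach-Object {
    $sid = $_.Name
    try {
        $who = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
            [System.Security.Principal.NTAccount]).Value
    } catch {
        $who = $sid   # creator deleted or SID not resolvable
    }
    [pscustomobject]@{
        Creator   = $who
        Computers = $_.Count
        Newest    = ($_.Group | Sort-Object whenCreated | Select-Object -Last 1).Name
    }
} | Sort-Object Computers -Descending | Format-Table -AutoSize

# To stop non-administrative joins, set the quota to 0 and delegate
# computer-object creation on specific OUs instead:
# Set-ADDomain -Identity $domain -Replace @{ 'ms-DS-MachineAccountQuota' = 0 }
```

The final `Set-ADDomain` line is left commented out because it changes domain behaviour; confirm that provisioning workflows use delegated accounts before applying it.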