RE: VPN

From: Strand, John (John.Strand_at_mms.gov)
Date: 07/21/04

    To: 'Tom Burns' <tburns@torcausa.com>, focus-ms@securityfocus.com
    Date: Wed, 21 Jul 2004 10:35:39 -0600

    Hi Tom,

    Is your VPN gateway using machine certificates to authenticate?

    Could you provide some more info as to what VPN you are using?

    A quick step you could try to see how "bad" the situation is: try to
    access the domain through your VPN with a machine that has not been added
    to the domain. I hope it fails.

    Hope this helps.

    John

    -----Original Message-----
    From: Tom Burns [mailto:tburns@torcausa.com]
    Sent: Wednesday, July 21, 2004 7:56 AM
    To: focus-ms@securityfocus.com
    Subject: VPN

    Please excuse me if I'm an idiot here, and am missing something obvious.

    If anyone knows a misconfiguration that would cause this, please let me
    know.

    Possible security issue in VPN.

    1. Joined a computer to my domain.
    2. Log on as the user who is going to use VPN.
    3. Set up the VPN connection.
    4. Open the VPN to connect.
    5. Leave ALL blocks blank (username/password/domain).
    6. Click OK.

    And presto, in my domain the user can get in.

    Is this because the computer has been joined to the domain and the
    credentials are cached?

    Tom

    This would seem to be a low level security issue due to the fact that:

    1. The computer has been joined to the domain
    2. The user who has permission to VPN must have their username and
    password entered to get into the computer.
    3. If system was compromised/stolen they would still need the username
    and password to get in.
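The behaviour Tom describes (a blank username/password/domain still connecting from a domain-joined machine) is what you would expect if the dialer entry is set to reuse the interactive Windows logon credentials. The audit script below is an added example, not from the thread or from any Microsoft tooling; it assumes a Windows 8.1/Server 2012 R2 or later client with the VpnClient module (Get-VpnConnection and its UseWinlogonCredential property) and, as a further assumption, that an `AutoLogon=1` line in rasphone.pbk marks the "use my Windows logon name and password" option on older clients.

```powershell
# Added audit script (not from the thread). Lists every VPN phonebook entry
# on this machine and flags those configured to pass the logged-on user's
# Windows credentials automatically, i.e. entries where a blank prompt still
# authenticates. Assumes the VpnClient module is present; the rasphone.pbk
# AutoLogon key name is an assumption for older clients.

function Get-VpnLogonCredentialUse {
    [CmdletBinding()]
    param()

    $findings = @()

    # 1. Entries known to the VPN client module (per-user and all-users).
    $conns = @(Get-VpnConnection -ErrorAction SilentlyContinue) +
             @(Get-VpnConnection -AllUserConnection -ErrorAction SilentlyContinue)
    foreach ($conn in $conns) {
        $findings += [pscustomobject]@{
            Name                 = $conn.Name
            ServerAddress        = $conn.ServerAddress
            AuthenticationMethod = ($conn.AuthenticationMethod -join ',')
            UsesWinlogonCreds    = [bool]$conn.UseWinlogonCredential
            Source               = 'Get-VpnConnection'
        }
    }

    # 2. Same check read straight from the phonebook files (assumed key name).
    $pbkFiles = @(
        (Join-Path $env:APPDATA     'Microsoft\Network\Connections\Pbk\rasphone.pbk'),
        (Join-Path $env:ProgramData 'Microsoft\Network\Connections\Pbk\rasphone.pbk')
    )
    foreach ($pbk in $pbkFiles | Where-Object { Test-Path $_ }) {
        $entry = $null
        foreach ($line in Get-Content $pbk) {
            if ($line -match '^\[(.+)\]$') { $entry = $Matches[1]; continue }
            if ($entry -and $line -match '^AutoLogon=(\d)') {
                $findings += [pscustomobject]@{
                    Name = $entry; ServerAddress = $null; AuthenticationMethod = $null
                    UsesWinlogonCreds = ($Matches[1] -eq '1'); Source = $pbk
                }
            }
        }
    }
    return $findings
}

# Report only the entries that would let a blank prompt through.
Get-VpnLogonCredentialUse | Where-Object UsesWinlogonCreds | Format-Table -AutoSize
```

Run it in the context of the user who set up the connection; an entry flagged here means the gateway is really authenticating the cached Windows logon, so John's test from a non-domain machine is the right way to confirm the gateway itself still demands credentials.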

