RE: Active Directory password external use

From: Doug Brower (dougb_at_cdh.com)
Date: 08/31/05

Next message: Derick Anderson: "RE: Group Policy: multiple password policies in the same domain?"

Previous message: Laura A. Robinson: "RE: Group Policy: multiple password policies in the same domain?"
Next in thread: Michael Scheidell: "RE: Active Directory password external use"
Maybe reply: Michael Scheidell: "RE: Active Directory password external use"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Wed, 31 Aug 2005 15:35:37 -0400
To: "Manuel Fernandes" <manuelf@mailblocks.com>, <farrenkm@ohsu.edu>, <focus-ms@securityfocus.com>

Just to clarify - My main point was to answer the question and give the
information that this DLL is purposely exposed and published to allow
for plain text password capture at a programming level. My
understanding is the password comes in encrypted and can be decrypted by
this method before being hashed. I only halfway hinted that MIIS or
another approach might be used.

I really appreciate the people who answered more fully that the
architecture should be looked into. I would also normally recommend AD
integration or RADIUS be used in place of writing your own
authentication protocol.

At the risk of entering a security debate, where and how securely you
store these replicated credentials is an issue. The bad guys always go
for the weakest link. Also at issue is that password synch is not
always 100% in replicated systems.

AD, RADIUS, screen scrape technologies, etc - there are probably better
ways to architect the solution. Maybe not, depending on the specifics,
but you should probably take a closer look at these (cheaper, simpler,
more secure) alternatives first...

Doug

Doug Brower
MCSD, MCNE, CLP, MCP
dougb@cdh.com

C/D/H
Technology Consultants
www.cdh.com

616-776-1600 Grand Rapids
248-351-2669 Detroit
616-490-8270 Mobile

-----Original Message-----

From: Manuel Fernandes [mailto:manuelf@mailblocks.com]
Sent: Wednesday, August 31, 2005 2:38 PM
To: farrenkm@ohsu.edu; focus-ms@securityfocus.com
Subject: Re: Active Directory password external use

What agent or daemon will capture this - is it part of an identity
management (IdM) system?

Yes, some IdM agents can capture the password in clearat the DC and
distribute it before it is encrypted.

Without getting specific to a product or technology, most mature
systems have provisions to interact with msgina.dll

-----Original Message-----
From: Matthew Farrenkopf <farrenkm@ohsu.edu>
To: focus-ms@securityfocus.com
Sent: Wed, 31 Aug 2005 08:21:47 -0700
Subject: Re: Active Directory password external use

"Rodrigo Blanco" <rodrigo.blanco.r@gmail.com>:
>I am currently doing a project that requires using the Active
>Directory users' password for other purposes other than just
>workstation logon or share access.
>
>What I would need to do is detect password change / reset events on
>the domain, capture the new password and send it to another
>application. This could be done with an agent or daemon running on the
>DC machine.
>
>The question is, when a users' password is changed / resetted, is it
>possible to externally capture this event and make use of the password
>before it is stored in a non-reversible format inside the active dir.?
>
>What security implications would this have, and what security measures
>would you propose for such an agent?

Seems like a lot of work for a small reward. We have several Web
applications
that authenticate directly against the domain controller. I've never
done it
before, but there's probably someone that has (and I am actively trying
to learn
how to do it).

Why not do that?

Matt

------------------------------------------------------------------------

---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
--------------------------------------------------------
New Consultant: C/D/H is proud to welcome Jason Cooper to our Southfield office! 
He is a CNE, MCSE, CCNA, and CCEA certified consultant. He joins C/D/H with over 10 years of experience.
---------------------------------------------------------------------------
---------------------------------------------------------------------------

Next message: Derick Anderson: "RE: Group Policy: multiple password policies in the same domain?"

Previous message: Laura A. Robinson: "RE: Group Policy: multiple password policies in the same domain?"
Next in thread: Michael Scheidell: "RE: Active Directory password external use"
Maybe reply: Michael Scheidell: "RE: Active Directory password external use"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

Re: Active Directory password external use
... What agent or daemon will capture this - is it part of an identity ... some IdM agents can capture the password in clearat the DC and ...
(Focus-Microsoft)
Re: Qui sest qui qui joue avec mon Outlook Express ?
... >> Lis comme moi tes newsgroupes avec Agent ... >J'ai suivi le lien et j'ai vu une capture! ... mais au moins on fait la nique à Billou. ...
(soc.culture.belgium)
Re: Biden!
... maybe a Hispanic lesbian ... rap performer to capture a bit of the hip vote? ... Obama is the 'agent of change.' ...
(rec.music.gdead)
Re: important problem: losing records in merge replication scenario
... What you are going to need to do is to run a trace on the ... merge agent to capture all activity that it is executing. ... SQL Server MVP ...
(microsoft.public.sqlserver.replication)