RE: AW: Security issue in Windows 2000?
From: dave klimen (dave_at_netmedic.net)
Date: 07/05/03
- Previous message: Sanjay Arora: "Re: Getting an IP address from a MAC address"
- In reply to: hong li: "Re: AW: Security issue in Windows 2000?"
- Next in thread: Birl: "Re: AW: Security issue in Windows 2000?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "'hong li'" <hong_li_98@yahoo.com>, "'Meidinger Chris'" <chris.meidinger@badenit.de>, <security-basics@securityfocus.com> Date: Sat, 5 Jul 2003 06:17:36 -0400
Change the local administrator name on the workstations i.e. local_admin
should solve the problem. If you want to prevent other local server
accounts from doing the same thing you rename the admin to something like
"computername_admin" then every individual workstation and server has a
unique admin name. If the admin on the local box is called "admin" and on
the domain called "admin" if the passwords are the same they are going to
have the credentials of the domain "admin".
_____________________
Dave Kleiman
dave@netmedic.net
www.netmedic.net
"High achievement always takes place in the framework of high expectation."
Jack Kinder
-----Original Message-----
From: hong li [mailto:hong_li_98@yahoo.com]
Sent: Thursday, July 03, 2003 11:23
To: Meidinger Chris; security-basics@securityfocus.com
Subject: Re: AW: Security issue in Windows 2000?
Thanks for the answer.
If you move
> your domain to native
> mode and implement Kerberos authentication (list -
> correct me if i am wrong)
> you should get rid of this problem.
No. We are in native mode and it's still same
problem.
If the user can guess the domain administrator
password, the user can do any damage to the domain
controller even without logging into domain? I think
it's very dangerous.
Except setting very difficult password for domain
controller and all servers's administrator account,
what else can we do to prevent users accesing the
domain controller or servers even without logging into
domain?
Thanks,
Hong
--- Meidinger Chris <chris.meidinger@badenit.de>
wrote:
> Hello Hong,
>
> this DOES happen on Windows NT. This is a 'feature'
> of NTLM Authentication.
> You can, in fact, set your local administrator
> password to the same thing as
> the domain administrator and have domain admin
> priveliges everywhere.
>
> Anyway, it's not a bug, but a feature. If you move
> your domain to native
> mode and implement Kerberos authentication (list -
> correct me if i am wrong)
> you should get rid of this problem.
>
> badenIT GmbH
> System Support
>
> Chris Meidinger
> Tullastrasse 70
> 79108 Freiburg
>
>
> -----Ursprüngliche Nachricht-----
> Von: hong li [mailto:hong_li_98@yahoo.com]
> Gesendet: Wednesday, July 02, 2003 4:35 PM
> An: security-basics@securityfocus.com
> Betreff: Security issue in Windows 2000?
>
>
> If you use the same password for the local
> administrator on workstations
> as all other servers's local administrator, (even
> domain administrator),the local administrator can
> gain
> full access to any servers without asking
> domain info if you logon locally using local
> administrator account. You even can map to
> \\servername\c$ whihout asking any domain users
> info.
>
> I recalled this never happenes in NT environment and
> it always pops you doamin userinfo when you access
> any
> server in the doamin if you log on locally.
>
> Is this the security hole in Windows 2000
> environment
> or something else?
>
> Thanks in advance,
>
> Hong
>
>
> __________________________________
> Do you Yahoo!?
> SBC Yahoo! DSL - Now only $29.95 per month!
> http://sbc.yahoo.com
>
>
---------------------------------------------------------------------------
> Evaluating SSL VPNs' Consider NEOTERIS, chosen as
> leader by top analysts!
> The Gartner Group just put Neoteris in the top of
> its Magic Quadrant,
> while InStat has confirmed Neoteris as the leader in
> marketshare.
>
> Find out why, and see how you can get plug-n-play
> secure remote access in
> about an hour, with no client, server changes, or
> ongoing maintenance.
>
> Visit us at:
> http://www.neoteris.com/promos/sf-6-9.htm
>
----------------------------------------------------------------------------
__________________________________
Do you Yahoo!?
SBC Yahoo! DSL - Now only $29.95 per month!
http://sbc.yahoo.com
---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
- Previous message: Sanjay Arora: "Re: Getting an IP address from a MAC address"
- In reply to: hong li: "Re: AW: Security issue in Windows 2000?"
- Next in thread: Birl: "Re: AW: Security issue in Windows 2000?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
