Re: AW: Security issue in Windows 2000?
From: Birl (sbirl_at_temple.edu)
Date: 07/07/03
- Previous message: Meritt James: "Re: Secure Media Destruction"
- In reply to: hong li: "Re: AW: Security issue in Windows 2000?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 7 Jul 2003 11:36:37 -0400 (EDT) To: security-basics@securityfocus.com
hong_li: Date: Thu, 3 Jul 2003 08:23:07 -0700 (PDT)
hong_li: From: hong li <hong_li_98@yahoo.com>
hong_li: To: Meidinger Chris <chris.meidinger@badenit.de>,
hong_li: security-basics@securityfocus.com
hong_li: Subject: Re: AW: Security issue in Windows 2000?
hong_li:
hong_li: Thanks for the answer.
hong_li:
hong_li: If you move
hong_li: > your domain to native
hong_li: > mode and implement Kerberos authentication (list -
hong_li: > correct me if i am wrong)
hong_li: > you should get rid of this problem.
hong_li:
hong_li: No. We are in native mode and it's still same
hong_li: problem.
hong_li:
hong_li: If the user can guess the domain administrator
hong_li: password, the user can do any damage to the domain
hong_li: controller even without logging into domain? I think
hong_li: it's very dangerous.
hong_li:
hong_li: Except setting very difficult password for domain
hong_li: controller and all servers's administrator account,
hong_li: what else can we do to prevent users accesing the
hong_li: domain controller or servers even without logging into
hong_li: domain?
hong_li:
hong_li: Thanks,
hong_li:
hong_li: Hong
hong_li:
hong_li:
hong_li:
hong_li:
hong_li:
hong_li: --- Meidinger Chris <chris.meidinger@badenit.de>
hong_li: wrote:
hong_li: > Hello Hong,
hong_li: >
hong_li: > this DOES happen on Windows NT. This is a 'feature'
hong_li: > of NTLM Authentication.
hong_li: > You can, in fact, set your local administrator
hong_li: > password to the same thing as
hong_li: > the domain administrator and have domain admin
hong_li: > priveliges everywhere.
hong_li: >
hong_li: > Anyway, it's not a bug, but a feature. If you move
hong_li: > your domain to native
hong_li: > mode and implement Kerberos authentication (list -
hong_li: > correct me if i am wrong)
hong_li: > you should get rid of this problem.
hong_li: >
hong_li: > badenIT GmbH
hong_li: > System Support
hong_li: >
hong_li: > Chris Meidinger
hong_li: > Tullastrasse 70
hong_li: > 79108 Freiburg
hong_li: >
hong_li: >
hong_li: > -----Ursprüngliche Nachricht-----
hong_li: > Von: hong li [mailto:hong_li_98@yahoo.com]
hong_li: > Gesendet: Wednesday, July 02, 2003 4:35 PM
hong_li: > An: security-basics@securityfocus.com
hong_li: > Betreff: Security issue in Windows 2000?
hong_li: >
hong_li: >
hong_li: > If you use the same password for the local
hong_li: > administrator on workstations
hong_li: > as all other servers's local administrator, (even
hong_li: > domain administrator),the local administrator can
hong_li: > gain
hong_li: > full access to any servers without asking
hong_li: > domain info if you logon locally using local
hong_li: > administrator account. You even can map to
hong_li: > \\servername\c$ whihout asking any domain users
hong_li: > info.
hong_li: >
hong_li: > I recalled this never happenes in NT environment and
hong_li: > it always pops you doamin userinfo when you access
hong_li: > any
hong_li: > server in the doamin if you log on locally.
hong_li: >
hong_li: > Is this the security hole in Windows 2000
hong_li: > environment
hong_li: > or something else?
hong_li: >
hong_li: > Thanks in advance,
hong_li: >
hong_li: > Hong
Take a look at this file I maintain (as time permits)
http://concept.temple.edu/sysadmin/installers/NT-2000-XP/Bastion/Manditory.ini
(It's a smaller version of what I use to secure Windows servers).
It can disable network shares and other resources that arent needed.
Thanks
Scott Birl http://concept.temple.edu/sysadmin/
Senior Systems Administrator Computer Services Temple University
====*====*====*====*====*====*====*====+====*====*====*====*====*====*====*====*
---------------------------------------------------------------------------
Evaluating SSL VPNs' Consider NEOTERIS, chosen as leader by top analysts!
The Gartner Group just put Neoteris in the top of its Magic Quadrant,
while InStat has confirmed Neoteris as the leader in marketshare.
Find out why, and see how you can get plug-n-play secure remote access in
about an hour, with no client, server changes, or ongoing maintenance.
Visit us at: http://www.neoteris.com/promos/sf-6-9.htm
----------------------------------------------------------------------------
- Previous message: Meritt James: "Re: Secure Media Destruction"
- In reply to: hong li: "Re: AW: Security issue in Windows 2000?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
