Re: User can login with ANY password
From: Tim Constantine (constt@odjfs.state.oh.us)Date: 03/16/02
- Previous message: Mark Folkart: "Re: Hacker put files in directories I can't look at and I can't delete the files."
- In reply to: Jason Eberly: "Re: User can login with ANY password"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
From: constt@odjfs.state.oh.us (Tim Constantine) Date: 16 Mar 2002 08:12:01 -0800
That's it! Thank you!
After changing the password on the NT Server, and trying to connect I
got a dialog box saying that "The password for this connection that is
in your password list is no longer correct. The person sharing the
resource may have changed it. Type the correct password." The dialog
box also gave me the option of "Save this password in your password
list" - and this option was checked by default.
So... to summarize here:
1) When I set up this user's PC, I forgot to go into the Client for
Microsoft Networks properties - and check the "Log on to Windows
Domain" check box.
2) Sometime, when the user logged on (& unknown to me), they must have
been given the option of "Save this password in your password list" -
and they did.
3) Later, I noticed that the user could enter any password and be
given access to the NT Server, and I started this discussion. Now I
know they were given access because Windows was logging in for them,
behind the scenes, using their password from their password list.
4) I noticed that if I checked the "Log on to Windows Domain" check
box (that I forgot in #1), it would force the user to enter the
correct password to log in to the NT Domain, but it seemed to me
that this check box is easily unchecked, if somebody really wanted to
by-pass this.
5) Changing the password got me on the right track.
In conclusion...
It still bothers me (though not as much) that if somebody wanted to,
they can:
1) Go into Client for Microsoft Networks properties - and uncheck the
"Log on to Windows Domain" check box.
2) Log on again.
3) The system will ask (AND DEFAULT TO) if the user wants to save this
password in their password list.
4) If the user just enters their password and clicks "OK", they just
totally bypassed my NT Server Security for future logons.
"Jason Eberly" <jason.eberly@NOSPAMTHANXonebox.com> wrote in message news:<nork8.66249$wI3.2588751888@newssvr30.news.prodigy.com>...
> This sounds like mondo bizarre behavior, but since I don't have any ME
> experience, I can only take a guess. Knowing NT and security just a little
> bit, I can't believe that what's happening is exactly what it looks like.
> I have to believe that what's happening is some kind of cached
> credentials. Would it be possible to test this by changing the password on
> the NT account, and then trying to map a drive from the ME machine? Keep in
> mind, the purpose of this test is to ensure that there is *NO WAY* that the
> password could be cached at the ME machine, so you'll have to change the
> password from somewhere else and NOT log in to the ME machine with it.
> I suspect that the ME client is somehow remembering the correct password
> and is presenting it at the appropriate time during a net use. Please let
> us know if that pans out, because if not this has got to be the most bizarre
> thing I've ever heard of...?
>
> - Jason
>
> "Tim Constantine" <constt@odjfs.state.oh.us> wrote in message
> news:39867afb.0203151004.2913668f@posting.google.com...
> > "Andrew Webb" <andrew.webb@removethis.uk.thalesgroup.com> wrote in message
> news:<a67q2u$5ol$1@rdel.co.uk>...
> > > If you want to stop people logging on locally to a workstation, use
> NT/2000
> > > or similar on the workstation. Win 9x and ME are not secure at the
> > > workstation end. If you do not log on to the domain on a Win9x box but
> just
> > > hit cancel, then you won't be able to map drives and stuff unless you
> supply
> > > proper NT credentials.
> > >
> > > Andrew
> >
> > I'm not concerned about people logging on locally to a workstation. I
> > am concerned that once they are logged onto a workstation they CAN
> > map drives and stuff WITHOUT the proper NT credentials!
> >
> > If I enter the NT/Workstation user name, WITHOUT the proper NT
> > password:
> > - I can still get on the NT server!
> > - My drive mappings still occur!
> > - I still have access to everything I did before!
> >
> > - Tim
> >
> > > "Tim Constantine" <constt@odjfs.state.oh.us> wrote in message
> > > news:39867afb.0203061359.58c8854e@posting.google.com...
> > > > After further checking I notice that if I change the Client for
> > > > Microsoft Networks properties - checking the "Log on to Windows
> > > > Domain" checkbox - then I am forced to use the correct password to
> > > > login to my NT domain. This is easily unchecked, however, if somebody
> > > > really wanted to by-pass this.
> > > >
> > > > I read a lot of usenet discussions about this and they all say that if
> > > > the Windows username matches the NT username, and the passwords match
> > > > - no problem, the person can gain access. If the passwords do not
> > > > match, then the system should be prompting the user for their
> > > > password.
> > > >
> > > > In this case the passwords do not match, yet there is no prompting and
> > > > access is automatically granted.
> > > >
> > > > constt@odjfs.state.oh.us (Tim Constantine) wrote in message
> news:<39867afb.0203060833.7201f57f@posting.google.com>...
> > > > > I have Windows NT set up.
> > > > >
> > > > > I set up a new user.
> > > > >
> > > > > I set the new user's password to never expire.
> > > > >
> > > > > Using that new user's id, you can login to the network with that
> > > > > user's permissions - using ANY password!
> > > > >
> > > > > There doesn't seem to be any password validation going on at all!
> > > > >
> > > > > The client machine has Windows ME on it.
> > > > >
> > > > > The NT user has Guest account disabled.
> > > > >
> > > > > The Guest account is not a member of the group that has access to
> the
> > > > > same stuff this user has access to.
> > > > >
> > > > > Any ideas WHY this user can login with any password?