Re: I think I may have found a security oversight.
From: Pete Grazaitis (pjgratz@yahoo.com)
Date: 10/21/02
From: pjgratz@yahoo.com (Pete Grazaitis) Date: 21 Oct 2002 10:46:05 -0700
Unfortunately, what actually happens is very clear to me. However, I
think it is a problem with the design. I would think for resources
associated with a domain, part of the authentication should be in
forcing the use of the domain in the authentication process. I don't
know if that can be done, and I'm sure a bright person can manipulate
the token to include that. But the average user who is lazy and
decides not to log into the domain should not be able to circumvent
the domain's restrictions (i.e. policies).
Thanks,
Pete Grazaitis
"Aaron H" <aharrison@DONTBESPAMMINcsilaw.net> wrote in message news:<3daf2b84.0@news.logixcom.net>...
> Pete,
> Couple of things. One, when a computer is a member of the domain,
> and you have UserA on MachineA (member of the domain, Domain), when UserA
> accesses network resources, they're not accessing it as the local user on that
> computer, they're accessing it as Domain\UserA. Take a look at the *LOCAL*
> users. You may not even see a local user besides Admin, guest, etc. Now
> take NotebookA (which is not a domain member). On that notebook, it has
> UserA as a local account. When it's trying to access resources on the
> network server, SERVER, it tries to authenticate using the local notebook
> account UserA and password against the server's resources. If the user is
> in luck, there just happens to be a local user on the server with the same
> name and password. If either the local user name/password doesn't jive with
> the server's local username/passwords, you can't access the resources.
>
> Clear as mud??
>
>
> --
> Aaron H
> Austin, TX
> NT/Win2k IT professional
> fontouk at hotmail dot com
>
>
>
> "Pete Grazaitis" <pjgratz@yahoo.com> wrote in message
> news:20f7835.0210091114.a1080ed@posting.google.com...
> > Here is what I have found out.
> >
> > We run a mixed environment, native domain windows 2000 network. We
> > use group policies and scripts to control our connecting clients,
> > which are a mix of workstations, servers and laptops. Since laptop
> > people are in and out of the office they tend to just log in locally.
> > This is fine except for the unfortunate ability to completely
> > circumvent our login scripts and group policies. However, they do
> > have the ability (provided using the same name and password) to get at
> > all of the shares on the network. It doesn't matter if the share has
> > all NTFS permissions based on the domain and the connecting client is
> > not part of the domain. This happens whether the NTFS permissions are
> > defined on the user, global group, or local group objects. Is this a
> > big problem, or am I overlooking something?
> >
> > The other thing I noticed was an XP client that thought one of the
> > login scripts was a potential virus and allowed the user to terminate
> > it. Any way to lock that down too?
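
A defender's view of the situation discussed in this thread, as an added example that is not part of the original messages: it flags network logons to a server that arrive over NTLM from a workstation that is not in the domain's computer inventory, which is how a laptop logged on locally with a matching name and password would show up. It assumes logon events in the shape of Security-log event 4624 from current Windows versions (not the Windows 2000 systems in the thread), already exported as records; the function name, the inventory and the sample events are constructed for illustration.

```python
# Added example (not from the thread): find NTLM network logons that come from
# machines outside the domain, i.e. the locally-logged-on laptop case.
# Assumption: records follow the field names of Security event 4624.

DOMAIN_COMPUTERS = {"MACHINEA", "SERVER"}  # constructed inventory of joined machines

SAMPLE_EVENTS = [  # constructed sample records
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "UserA", "WorkstationName": "MACHINEA", "IpAddress": "10.0.0.21"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "UserA", "WorkstationName": "NOTEBOOKA", "IpAddress": "10.0.0.57"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "UserB", "WorkstationName": "MACHINEA", "IpAddress": "-"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "UserC", "WorkstationName": "machinea", "IpAddress": "10.0.0.21"},
]


def unjoined_network_logons(events, domain_computers):
    """Return (user, workstation, source address) for each successful NTLM
    network logon whose workstation name is not a known domain member."""
    known = {name.upper() for name in domain_computers}
    hits = []
    for ev in events:
        # Only successful logons of type 3 (network, e.g. access to a share).
        if ev.get("EventID") != 4624 or ev.get("LogonType") != 3:
            continue
        # Credentials passed through from a local logon session use NTLM.
        if ev.get("AuthenticationPackageName") != "NTLM":
            continue
        # Names are compared case-insensitively; a missing name is kept as
        # "(blank)" so it is reported rather than silently dropped.
        ws = (ev.get("WorkstationName") or "").strip().upper() or "(blank)"
        if ws not in known:
            hits.append((ev.get("TargetUserName"), ws, ev.get("IpAddress")))
    return sorted(hits)


if __name__ == "__main__":
    for user, ws, ip in unjoined_network_logons(SAMPLE_EVENTS, DOMAIN_COMPUTERS):
        print(f"{user} logged on over the network from unjoined machine {ws} ({ip})")
```

The workstation name in an NTLM logon is supplied by the client, so treat a hit as a lead and confirm it against the source address.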