Re: I think I may have found a security oversight.

From: Pete Grazaitis (
Date: 10/21/02

From: (Pete Grazaitis)
Date: 21 Oct 2002 10:46:05 -0700

Unfortunately, what actually happens is very clear to me. However, I
think it is a problem with the design. I would think for resources
associated with a domain part of the authentication should be in
forcing the use of the domain in the authentication process. I dont
know if that can be done, and Im sure a bright person can manipulate
the token to include that. But, the average user who is lazy and
decides not to log into the domain should not be able to circumvent
the domains restrictions (ie policies).


Pete Grazaitis

"Aaron H" <> wrote in message news:<>...
> Pete,
> Couple of things. One, when a computer is a member of the domain,
> and you have UserA on MachineA (member of the domain, Domain) When UserA
> access network resources, they're not accessing it as the local user on that
> computer, they're accessing it as Domain\UserA. Take a look at the *LOCAL*
> users. You may not even see a local user besides Admin, guest, etc. Now
> take NotebookA (which is not a domain member). On that notebook, it has
> UserA as a local account. When it's trying to access resources on the
> network server, SERVER, it tries to authenticate using the local notebook
> account UserA and password against the server's resources. If the user is
> in luck, there just happens to be a local user on the server with the same
> name and password. If either the local user name/password doesn't jive with
> the server's local username/passwords, you can't access the resources.
> Clear as mud??
> --
> Aaron H
> Austin, TX
> NT/Win2k IT professional
> fontouk at hotmail dot com
> "Pete Grazaitis" <> wrote in message
> > Here is what I have found out.
> >
> > We run a mixed environment, native domain windows 2000 network. We
> > use group policies and scripts to control our connecting clients,
> > which are a mix of workstation's,servers's and laptop's. Since laptop
> > people are in and out of the office they tend to just log in locally.
> > This is fine except for the unfortunate ability to completely
> > circumvent our login scripts and group policies. However, they do
> > have the ability (provided using the same name and password) to get at
> > all of the shares on the network. It doesnt matter if the share has
> > all NTFS permissions based on the domain and the connecting client is
> > not part of the domain. This happens whether the NTFS permissions are
> > defined on the user, global group, or local group objects. Is this a
> > big problem, or am I overlooking something.
> >
> > The other thing I noticed was an XP client that thought one of the
> > login scripts was a potential virus and allowed the user to terminate
> > it. Anyway to lock that down too?

Relevant Pages

  • Re: proper naming of a domain
    ... The primary reason for not being able to see resources/browse etc during a VPN is that the IPschema of remote network is the same as the LAN that you are connecting to. ... from home I can Connect to the server and it tells me that I am connect to ... resources it tells me that the path cannot be found. ...
  • Re: Detect open windows shares?
    ... to know their names is to browse the network neighborhood. ... The WNetOpenEnum function starts an enumeration of network resources or existing connections. ... RESOURCE_CONTEXT Enumerate only resources in the network context of the caller. ... To obtain a description of the error, call the WNetGetLastError function. ...
  • [Full-Disclosure] Authorities eye MSBlaster suspect (long reply)
    ... Although segments of that network are cordoned off (and I ... the incident which requires the response. ... issues that that the old (and normally less secure) systems shall vanish. ... Recall that security balances against usability and resources. ...
  • Re: Publishing Problems with Win XP and FP 2002 on a school network
    ... but that doesn't preclude someone from accessing network ... resources if they have domain credentials. ... I'm certain that if you have a Windows 98 client, and you try to access a ... the FrontPage website's folder. ...
  • Re: Sharing Resources on LAN
    ... > can't get resources sharing going, ... Permanently disable ICF on all XP PCs. ... R/W access from the network. ...