Re: Login info over unsecure connection

From: Steven L Umbach (n9rou_at_nospam-comcast.net)
Date: 01/18/04


Date: Sun, 18 Jan 2004 22:32:50 GMT

If you are trying to use UNC to access a network share, the Windows
challenge/response password challenge is still used for authentication and data is
NOT encrypted. If you are using UNC to access a share over the internet, that is very
risky business unless you do not care that your data is seen in clear text and that
the server end would have file and print sharing open to the world unless a firewall
restricted traffic as to come only from a particular IP address. If the computer
offering the share is a W9X computer, then LM authentication is most likely being
used which is very weak and easy to crack by sniffing the password hash. It is
possible for client computers such as W2K to establish PPTP VPN sessions with another
W2K/XP Pro computer [one connection limit] or possibly even an IPsec tunnel [not
transport]. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;257333 --- similar for XP.
http://support.microsoft.com/default.aspx?scid=kb;en-us;252735

"Moshe Rosenberg" <moishier_don't_send_me_spam@hotmail.com> wrote in message
news:uqDbfXe3DHA.2280@TK2MSFTNGP10.phx.gbl...
> Does this still apply if I access the share via UNC path?
>
> Moshe
>
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:b2vOb.93612$na.50526@attbi_s04...
> > If you are talking about another Windows 2000 domain via a LAN, your passwords are
> > never sent over the wire per se and a challenge/response is used to authenticate. The
> > data however may not be encrypted unless something like IPsec is used. If you mean an
> > internet website, then your password may not be encrypted if it is not an SSL
> > connection as evidenced by https in the address bar or the little padlock in the
> > lower right hand corner. Never use the same logon/password as you use to log on to
> > your computer or secure sites such as places where you bank or use a charge card if
> > in doubt. FTP sites are a particularly bad place to use a logon/password, as it may
> > very well be a clear text connection. -- Steve
> >
> > http://www.microsoft.com/security/protect/
> >
> > "Moshe Rosenberg" <moishier_don't_send_me_spam@hotmail.com> wrote in message
> > news:eaKWgKY3DHA.1392@TK2MSFTNGP11.phx.gbl...
> > > If I access a share from another domain and I put in my Windows user name
> > > and password, is that information encrypted over an otherwise unsecure
> > > internet connection?
> > >
> > > There is no vpn, ipsec etc. Just default config on client and server.
> > >
> > > Thanks!
> > >
> > > --
> > > Moshe Rosenberg
> > >
> > >
> >
> >
>
>
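
Added example, not part of the original posts: a Python check that reads the response fields of a captured NTLMSSP AUTHENTICATE message and reports whether the logon still carried an LM response, the weak case mentioned above, or a newer NTLM variant. It assumes the exchange used NTLMSSP framing with the field layout from Microsoft's MS-NLMP specification; the category labels, `build_sample` and its byte values are constructed for illustration.

```python
import struct

EXTENDED_SESSION_SECURITY = 0x00080000  # NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY

def _field(msg, pos):
    """Read a (length, max length, offset) descriptor and return the bytes it points at."""
    length, _maxlen, offset = struct.unpack_from("<HHI", msg, pos)
    if offset + length > len(msg):
        raise ValueError("field points outside the message")
    return msg[offset:offset + length]

def classify_authenticate(msg):
    """Classify the response type carried by an NTLMSSP AUTHENTICATE (type 3) message."""
    if len(msg) < 64 or msg[:8] != b"NTLMSSP\x00":
        raise ValueError("not an NTLMSSP message")
    if struct.unpack_from("<I", msg, 8)[0] != 3:
        raise ValueError("not an AUTHENTICATE message")
    lm, nt = _field(msg, 12), _field(msg, 20)   # LM and NT response fields
    flags = struct.unpack_from("<I", msg, 60)[0]
    if len(nt) > 24:
        return "NTLMv2"
    if len(nt) == 24:
        # With extended session security the LM field holds an 8-byte client
        # nonce padded with 16 zero bytes, not a response derived from the LM hash.
        if flags & EXTENDED_SESSION_SECURITY and lm[8:] == bytes(16):
            return "NTLMv1 with extended session security"
        return "NTLMv1 + LM response" if len(lm) == 24 else "NTLMv1"
    if len(lm) == 24:
        return "LM only"
    return "anonymous or empty"

def build_sample(lm, nt, flags=0):
    """Constructed test message: 64-byte header, empty name fields, then LM and NT data."""
    header = bytearray(b"NTLMSSP\x00" + struct.pack("<I", 3) + bytes(52))
    struct.pack_into("<HHI", header, 12, len(lm), len(lm), 64)
    struct.pack_into("<HHI", header, 20, len(nt), len(nt), 64 + len(lm))
    struct.pack_into("<I", header, 60, flags)
    return bytes(header) + lm + nt

if __name__ == "__main__":
    samples = [
        build_sample(b"\x11" * 24, b""),             # LM response only
        build_sample(b"\x11" * 24, b"\x22" * 24),    # LM and NTLMv1 responses together
        build_sample(b"\x11" * 24, b"\x22" * 60),    # longer NT response: NTLMv2
    ]
    for sample in samples:
        print(classify_authenticate(sample))
```

Any result that mentions LM means a response derived from the LM hash crossed the wire and the client or server configuration should be reviewed.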


