Re: 80 and 88

From: Steven L Umbach (n9rou_at_nscomcast.net)
Date: 06/29/04


Date: Tue, 29 Jun 2004 01:37:51 GMT

Kerberos is required for AD replication between AD domain controllers. It is
not required to access a share or log on to the domain. NT computers can be
members of a W2K domain and do not use Kerberos, but use NTLM instead. I am
not sure exactly what the question is trying to get at as it is vague. W2K
domain controllers can be attacked through port 80 if they are running IIS,
which they are in a default installation. Of course a firewall would
mitigate a lot of that risk, though it should be disabled [IIS] if not used
and if it is used the IIS service should be hardened by being up to date on
all patches and using the IIS Lockdown tool. --- Steve

"Svejk" <svejkmb-mail@yahoo.co.uk> wrote in message
news:42c83856.0406280245.2f5d94@posting.google.com...
> "Steven L Umbach" <n9rou@nospam-comcast.net> wrote in message
> news:<Vravc.38862$Ly.20537@attbi_s01>...
> > Port 88 is for kerberos while 80 TCP is for http website.
>
> If a Windows 2000 Server is a domain controller, then it is running
> Active Directory, right?
>
> If it is running Active Directory, then is kerberos *required*?
>
> Does the question below make sense then?
>
> Thanks,
> Svejk
>
>
> > "Svejk" <svejkmb-mail@yahoo.co.uk> wrote in message
> > news:42c83856.0406010943.6b4fc526@posting.google.com...
> snip
> > >
> > > "Discuss how an intruder using ONLY the TCP/80 and TCP/88 ports can
> > > break into a Windows 2000 Server that is functioning as a domain
> > > controller. Assume that the Windows 2000 Server is not making use
> > > of IP-Sec or Kerberos."


