Re: Possible inside security breach

From: Steven L Umbach (n9rou_at_n0-spam-for-me-comcast.net)
Date: 08/28/04


Date: Sat, 28 Aug 2004 17:30:44 GMT

By default "authenticated users" can add up to ten workstations to a domain which
means that ANYONE that knows a logon/password for a domain account can add a
workstation to the domain. This is configured in Domain Controller Security
Policy/security settings/local policies/user rights and the domain controller
container is the only place this user right is applied. You can remove authenticated
users if you do not want this to happen which I would suggest you do. Joining a
computer to the domain in itself does not give a user any more permissions than
credentials already do, though it may allow the computer to obtain a certificate or
IPsec policy to use for network communications restricted to only domain
computers. --- Steve

"G. Lentz" <anonymous@discussions.microsoft.com> wrote in message
news:1c8f01c48cde$b45f7680$a501280a@phx.gbl...
> I have a strange situation that I really just need
> clarification on so here goes.
>
> I am an IT consultant for a company that has remote users
> who connect via a VPN. One user, a recent contract
> (potentially to be an employee) needed access to the
> shared files/folders and e-mail. I gave him the
> instruction on setting up the VPN on his home PC and was
> going to get back to him on setting up the remaining
> items (I work for other clients also) later. Instead of
> waiting he and a friend logged onto the client's network
> via the VPN and using their own words, "hacked and
> guessed around about some things" so they could add his
> PC to the domain and give him access to what he needed!
> There are only two accounts on the domain that have
> Administrator rights and his was neither. When I
> questioned the user on this, suffice to say the friend
> did all the work and he knows nothing. What really
> puzzles me is that the client principal seems to think
> nothing of this?!? He basically said well I guess you
> have some competition.
>
> Anyway my questions are:
>
> 1) I need to clarify that only an account with
> Administrative privileges can create new user and
> computer accounts in an AD domain?
>
> 2) Any possible ideas on how the hell they could have
> done this? Don't need specifics, just could/can it be
> done? I understand by the user having VPN access to the
> network he basically had a key so to speak, allowing them
> to bypass the normal things that discourage external
> attacks (i.e. firewalls).
>
> I am going to try and speak to the client principal that
> if they circumvented network security, then his network
> is basically open at this point. Unfortunately the
> principal is high on this person and their abilities so I
> may be creating an acrimonious situation by bringing it up.
> My thinking is I don't want to be blamed for something
> down the line as I feel I no longer have control over the
> network. Thanks.
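An added audit script (not from the original thread) for the two settings Steve describes: the default per-user allowance for adding workstations (the domain's ms-DS-MachineAccountQuota attribute) and who holds the "Add workstations to domain" user right (SeMachineAccountPrivilege), plus a listing of computer accounts that were created under that quota by non-administrators, which is the trail a join like the one in the question leaves behind. It assumes the ActiveDirectory PowerShell module (RSAT) and a domain administrator session on a domain controller.

```powershell
# Added example, not part of the original thread. Assumes RSAT ActiveDirectory module
# and that this runs as a domain admin on a domain controller.
Import-Module ActiveDirectory

# 1) The per-user allowance behind "authenticated users can add up to ten workstations":
#    ms-DS-MachineAccountQuota on the domain naming context (default 10; 0 disables it).
$domain = Get-ADDomain
$quota = (Get-ADObject -Identity $domain.DistinguishedName `
            -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
Write-Host "ms-DS-MachineAccountQuota = $quota"

# 2) Who currently holds "Add workstations to domain" on this DC.
#    secedit exports the effective user-rights assignment as an INF file; the line looks like
#    SeMachineAccountPrivilege = *S-1-5-11   (S-1-5-11 is the Authenticated Users SID)
$inf = Join-Path $env:TEMP 'userrights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$line = Get-Content $inf | Where-Object { $_ -like 'SeMachineAccountPrivilege*' }
$sids = @()
if ($line) {
    $sids = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') }
}
$holders = $sids | ForEach-Object {
    try { (New-Object System.Security.Principal.SecurityIdentifier $_).Translate(
            [System.Security.Principal.NTAccount]).Value } catch { $_ }
}
Write-Host "SeMachineAccountPrivilege holders: $($holders -join ', ')"
if (($sids -contains 'S-1-5-11') -and ($quota -gt 0)) {
    Write-Warning "Authenticated Users may each join up to $quota computers; remove them from the right or set the quota to 0."
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 3) Computer accounts created through the quota by a non-admin carry the creator's SID
#    in mS-DS-CreatorSID (a byte array); resolve it to see who joined which machine and when.
Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID', whenCreated |
    Where-Object { $_.'mS-DS-CreatorSID' } |
    ForEach-Object {
        $creator = try {
            (New-Object System.Security.Principal.SecurityIdentifier ($_.'mS-DS-CreatorSID', 0)).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch { 'unresolved SID' }
        [pscustomobject]@{ Computer = $_.Name; Created = $_.whenCreated; CreatedBy = $creator }
    } | Format-Table -AutoSize
```

Computers joined by a domain administrator do not get mS-DS-CreatorSID set, so any row the third step prints is a join that relied on the quota rather than on admin rights.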


