Re: Password Visibility
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Thu, 15 Dec 2005 12:20:09 -0500
It depends...
If an admin can set up a website with basic auth and convince the user to enter their userid/password, they can retrieve that password from the vars. If an admin has the ability to sniff traffic in and out of a DC and some LDAP app the user is using is using simple authentication, the password will be in clear text on the wire. If the admin has rights to a DC, they could dump the hashes for the user database and then run something like l0phtcrack or some rainbow table software against it to crack the passwords, possibly in milliseconds. Also, if an admin is bright enough, they could install a password filter on a DC and capture the clear text password of every userid that changes the password. There are more vectors but these are the main ones that spring to my head.
You can audit who changes password with normal AD auditing. I suggest reading up on the topic, as it isn't something you just want to go slamming into place as there are performance impacts that can occur.
-- Joe Richards Microsoft MVP Windows Server Directory Services www.joeware.net
DavidW wrote:
This may seem a very odd or simple question but is it possible for network administrators to see user network passwords? If the answer is yes, is there a way of auditing which administrator reset a user's password and when?
Thanks
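An added example, not part of the original thread: once account-management auditing is enabled on the domain controllers, the Security log can answer the "which administrator reset the password and when" question. This sketch parses constructed events shaped like exported Security log XML; the event IDs 4724 (reset) and 4723 (change) are those used by Windows Server 2008 and later and are an assumption here, since the thread names none, and all account and host names are made up.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Assumed IDs (Server 2008+): 4724 = reset by another account, 4723 = self change
ACTIONS = {"4724": "reset", "4723": "change"}

def _event(eid, when, subj, target):
    """Build one constructed event in the Security log XML shape."""
    return (
        f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID>'
        f'<TimeCreated SystemTime="{when}"/><Computer>dc01.example.test</Computer>'
        f'</System><EventData><Data Name="TargetUserName">{target}</Data>'
        f'<Data Name="TargetDomainName">EXAMPLE</Data>'
        f'<Data Name="SubjectUserName">{subj}</Data>'
        f'<Data Name="SubjectDomainName">EXAMPLE</Data></EventData></Event>'
    )

# Constructed sample data, not real log output
SAMPLE = "<Events>" + "".join([
    _event(4724, "2024-03-01T09:15:02Z", "helpdesk1", "jsmith"),
    _event(4723, "2024-03-01T09:40:11Z", "jsmith", "jsmith"),
    _event(4624, "2024-03-01T09:41:00Z", "jsmith", "jsmith"),  # other ID, ignored
    _event(4724, "2024-03-02T22:03:47Z", "admin7", "jsmith"),
]) + "</Events>"

def password_events(xml_text, target=None):
    """Return dicts describing who reset or changed which account, and when."""
    rows = []
    for ev in ET.fromstring(xml_text).findall("e:Event", NS):
        action = ACTIONS.get(ev.findtext("e:System/e:EventID", "", NS))
        if action is None:
            continue  # not a password reset/change event
        data = {d.get("Name"): d.text or ""
                for d in ev.findall("e:EventData/e:Data", NS)}
        if target and data.get("TargetUserName", "").lower() != target.lower():
            continue
        rows.append({
            "time": ev.find("e:System/e:TimeCreated", NS).get("SystemTime"),
            "dc": ev.findtext("e:System/e:Computer", "", NS),
            "action": action,
            "actor": f'{data.get("SubjectDomainName")}\\{data.get("SubjectUserName")}',
            "target": f'{data.get("TargetDomainName")}\\{data.get("TargetUserName")}',
        })
    return sorted(rows, key=lambda r: r["time"])

if __name__ == "__main__":
    for r in password_events(SAMPLE, target="jsmith"):
        print(r["time"], r["action"], r["actor"], "->", r["target"], "on", r["dc"])
```

Each domain controller keeps its own Security log, so a real review has to collect these events from every DC that could have serviced the reset.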