Re: How to deny access to domain shares from a workgroup computer
- From: "Anthony [MVP]" <anthony@xxxxxxxxxxxx>
- Date: Tue, 28 Jul 2009 22:53:28 +0100
I agree that it is curious at first sight, but I am not sure how else it could be.
Let's start from the premise that a user's password should be unknowable except to them. The user name part is a convenience and can add to the security by being obfuscated, but let's assume that it is fairly obvious.
So the chairman of the company has an obvious username and an unknowable password.
What difference does it make if, when asked for his password, he prefixes the domain name or not? The domain name is not secret. The workgroup or server name is not secret. By adding a prefix he is really saying "this version rather than that version of my account".
If the user's password is knowable, then a whole different set of problems arise. Two factor authentication is the solution to weak passwords.
What you are referring to is the convenience of pass-through authentication, where the logged-in credentials are tried first. But this is just a convenience. You still have to have the right credentials. NTLM is a method of ensuring the password is not revealed, and Kerberos is a more sophisticated method of ensuring that even if the credentials could be cracked they would not be valid after the event.
So I think what you are describing is a convenience but not a security measure.
Anthony,
http://www.airdesk.com
"swb" <swb_mct@xxxxxxx> wrote in message news:O3H#3l5DKHA.2832@xxxxxxxxxxxxxxxxxxxxxxx
(I posted a version of the question in the Small Business Server newsgroup - no response - I hope that doesn't violate a posting rule.)
Can anyone explain why a local account on a workgroup computer has access to domain shares (SBS 2008) if the local username and password are synchronized with a domain username and password?
The local workgroup account is allowed the same access as specified by NTFS file permissions assigned to the domain account of the same username/password.
I thought the ACL on NTFS file shares on a Domain Controller required the user's access token to include a domain SID for the user.
This seems to be true on all Microsoft networks . . . I audit banks. They give me a domain admin account for my visit. When I create a matching account username/password on my notebook, I have access to all shares on the Microsoft network, only using the domain account they created for me for terminal service logins.
Is there a Security Option to disable access to domain shares using a synchronized local account on a workgroup computer?
Bigger Picture: What is all the Kerberos Trust path stuff about, if access to shares only requires a synched username/password from any workgroup ?
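The following is an added worked example, not code from either poster. It models the pass-through NTLM exchange Anthony describes and the observation swb reports (a workgroup notebook with a matching local account getting a domain share) with three parties: the notebook, the file server and the domain controller. The NT hash and NTLMv2 computations are the real ones (MD4, HMAC-MD5); the account names, the domain name CORP, the SID values, the passwords and the simplified client blob are made up, and the domain controller is modelled as resolving any unknown domain name to its own domain, which is an assumption of the model rather than something the thread establishes. What the model shows is that the only secret ever checked is the domain account's NT hash on the DC, and the token that results carries the domain SID, so a local account on the notebook that merely supplies the same password is indistinguishable on the wire from the domain account.

```python
"""NTLMv2 pass-through authentication, modelled end to end (stdlib only).

Added example, not the newsgroup poster's code. Assumed: names, domain CORP,
SIDs, passwords; the DC ignores trusts/lockout and treats an unknown client
domain string (e.g. the workgroup machine name) as its own domain.
"""
import hmac
import os
import struct

MASK = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib's md4 is often disabled by OpenSSL."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    rotl = lambda x, n: ((x << n) | (x >> (32 - n))) & MASK
    msg = bytearray(data) + b"\x80"
    while len(msg) % 64 != 56:
        msg += b"\x00"
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (  # (boolean function, additive constant, word order, shift table)
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        v = state[:]
        for func, const, order, shifts in rounds:
            for i in range(16):
                t = (-i) % 4  # a, d, c, b are updated in turn
                b, c, d = v[(t + 1) % 4], v[(t + 2) % 4], v[(t + 3) % 4]
                v[t] = rotl((v[t] + func(b, c, d) + x[order[i]] + const) & MASK, shifts[i % 4])
        state = [(s + w) & MASK for s, w in zip(state, v)]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> bytes:
    """NTOWFv1 = MD4(UTF-16LE password). This is what the DC stores per account."""
    return _md4(password.encode("utf-16-le"))


def ntlmv2_response(nt: bytes, user: str, domain: str, challenge: bytes, blob: bytes) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, upper(user)||domain); proof = HMAC-MD5(NTOWFv2, challenge||blob)."""
    key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"), "md5").digest()
    return hmac.new(key, challenge + blob, "md5").digest() + blob


class DomainController:
    """Domain SAM: user -> (NT hash, SID). The only party that ever verifies anything."""
    def __init__(self, domain, accounts):
        self.domain, self.accounts = domain, accounts

    def validate(self, user, client_domain, challenge, response):
        # Netlogon pass-through: recompute the proof from the DOMAIN account's hash using the
        # user/domain strings the client sent (MS-NLMP binds those, not the DC's own name).
        entry = self.accounts.get(user.lower())
        if entry is None:
            return None
        stored_nt, sid = entry
        proof, blob = response[:16], response[16:]
        expected = ntlmv2_response(stored_nt, user, client_domain, challenge, blob)[:16]
        if not hmac.compare_digest(proof, expected):
            return None
        return {"user": f"{self.domain}\\{user}", "sid": sid}   # token gets the DOMAIN SID


class FileServer:
    """Domain member hosting the share; it never sees a password or hash."""
    def __init__(self, dc):
        self.dc = dc

    def smb_session_setup(self, client):
        challenge = os.urandom(8)                                  # CHALLENGE_MESSAGE
        user, domain, response = client.authenticate(challenge)    # AUTHENTICATE_MESSAGE
        return self.dc.validate(user, domain, challenge, response)


class WorkgroupClient:
    """Workgroup notebook logged on with a LOCAL account; pass-through reuses (user, password)
    with the machine name as the domain unless the user typed DOMAIN\\user explicitly."""
    def __init__(self, machine, user, password, explicit_domain=None):
        self.user, self.nt = user, nt_hash(password)
        self.domain = explicit_domain or machine

    def authenticate(self, challenge):
        blob = b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 0) + os.urandom(8) + b"\x00" * 4
        return self.user, self.domain, ntlmv2_response(self.nt, self.user, self.domain, challenge, blob)


def demo():
    """Three session setups against one DC; returns the resulting tokens (or None)."""
    dc = DomainController("CORP", {"swb": (nt_hash("Audit-Visit-2009"), "S-1-5-21-1111-2222-3333-1105")})
    server = FileServer(dc)
    return {
        "passthrough": server.smb_session_setup(WorkgroupClient("NOTEBOOK", "swb", "Audit-Visit-2009")),
        "explicit": server.smb_session_setup(WorkgroupClient("NOTEBOOK", "swb", "Audit-Visit-2009", "CORP")),
        "wrong_password": server.smb_session_setup(WorkgroupClient("NOTEBOOK", "swb", "guess")),
    }
```

Calling `demo()` returns the same `CORP\swb` token with the domain SID for both the bare-name pass-through and the explicit `CORP\swb` logon, and `None` for the wrong password: the prefix only changes which account the DC looks up, exactly as Anthony says, and the local account's existence on the notebook is never visible to the server or the DC. Each response is also bound to the fresh server challenge, which is the replay protection NTLM provides and the reason a captured response is not a reusable credential.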
- Follow-Ups:
- Re: How to deny access to domain shares from a workgroup computer
- From: Paul Baker [MVP, Windows Desktop Experience]
- Re: How to deny access to domain shares from a workgroup computer