Posted by Pedro Leite on November 8, 2006, 5:36 am
make your words mine
oh well.....
Best regards
PLeite
------------------------------------------------
> No problem Pedro. Glad things may have become more clear.
> I have seen people intentionally isolate some things from their
> "more carefully protected" corporate domain, doing this isolating
> by making those other things set up on stand-alone workstations.
> OK, so far, that can be a valid approach for protecting the jewels.
> But, then in order to make backup, or administration, or monitoring,
> etc. more convenient they define matching accounts (same name and
> password) that span the stand-alones and the corp domain, with
> admin access in them all. That pretty near totally defeats any gain
> that could happen from having separated those things out from the
> domain in the first place. Oh well . . .
>
> Roger
>
> "Pedro Leite" <aa> wrote in message
> > hi
> >
> > thank you for your input. your reply was very enlightening on this matter.
> > what i have learnt is that the domain account should be unique in a network
> > environment, domain oriented or not. period.
> > of course a domain is much more than user authentication. i kinda
> > exaggerated by saying breaking, but the point was that on a machine out of
> > the domain, i was acting as domain admin. tiny little issue that, in my
> > opinion, just shouldn't happen, but as a ms workstation and server user
> > i must believe that it happens for a reason and a good one. if i'm not happy
> > with it, file a report at microsoft and if the management at my company
> > simply see this as a major security issue ( which i don't ), well, there
> > are other options.
> >
> > i guess that the bottom line is that the domain admin account can be
> > impersonated, with the same username and password. a somewhat esoteric
> > scenario but that's just it.
> >
> > i appreciate your info on the security settings on ie ( actually we are on
> > firefox ) but thank you the same.
> > thank you once again.
> >
> > PLeite
> > -----------------------------------
> >> Yes, I do believe it is "by design".
> >>
> >> Starting with Windows XP this became less simple, whereby
> >> the accessing XP system will be seen to send, not "username"
> >> and its password response which the accessed system will, in
> >> absence of a qualified domain\username take as "username" as
> >> defined on it (the accessed system), but instead the accessing
> >> XP will be seen to send XPhost.domain.tld\username (qualified
> >> with the DNS domain of the XP) which of course will fail. One
> >> then sees XPhost.domain.tld\username in a prompt asking for
> >> password and thinks it tries this instead of sending just "username",
> >> but this one with the DNS domain is done as a retry action as
> >> is shown as it was the last attempted.
> >>
> >> There is no test as to what groups the account is a member of before
> >> attempting behind-the-scenes authentication.
> >>
> >> I do not see how it breaks the domain concept. I mean, if someone
> >> knows the username and password for an account in the domain so
> >> that they can do this then they really do not need to do this.
> >>
> >> You may want to pay attention to the IE Options setting under Advanced
> >> in Security section that enables Windows Integrated Authentication and
> >> also to the ability by XP and later Windows to cache Windows network
> >> credentials (i.e. start/run keymgr.dll).
> >>
> >> Roger
> >>
> >>
> >> "Pedro Leite" <aa> wrote in message
> >> > good morning
> >> >
> >> > thank you for the information.
> >> > so, can we say that it is " by design " ?? it happens because it does. ( not
> >> > flaming, just trying to make things clear )
> >> > does this happen only on admin accounts ? can i create a user on the off
> >> > domain pc and log on to the shares with the user's domain password ?? this
> >> > kind of breaks the concept of windows domains doesn't it ??
> >> >
> >> > apart from the obvious of having the domain admin account " on the loose ",
> >> > are there any other security issues that i should be on the lookout for ??
> >> > and before someone says it, i fully agree that having the local admin user
> >> > equal to the domain admin is a cumbersome error. a malpractice that i must
> >> > correct.
> >> >
> >> > thank you
> >> > PLeite
> >> > -------------------------------------------------------------------
> >> >> Windows has done this for a very long time.
> >> >> If you have two accounts, in separate authentication realms, and those
> >> >> accounts have the same name and password, then while using one of
> >> >> them it is possible to access resources in the other realm by means of
> >> >> the other account. This happens "transparently" with a login behind
> >> >> the scenes when an access attempt is made. It is not a matter of the
> >> >> accounts having the same SID (which they do not) but that one can
> >> >> log in as the other by presenting its own credentials since they
> >> >> match.
> >> >>
> >> >>
> >> >> "Pedro Leite" <aa> wrote in message
> >> >> > good afternoon
> >> >> >
> >> >> > can anyone explain this behaviour ?? as described
> >> >> > setup is sbs 2k3
> >> >> >
> >> >> > recently added a new pc to the network and to the domain for updates and
> >> >> > application deployment.
> >> >> > so, i named the pc admin account the same as the domain admin account and
> >> >> > gave it the same password.
> >> >> > now, the new pc is off the domain but the admin account is still the same
> >> >> > with the same domain admin password.
> >> >> >
> >> >> > whenever i log on to the pc with the admin account, i have full control over
> >> >> > the domain machines, c$ share, all users' document folders, all shares,
> >> >> > direct internet access through the firewall...
> >> >> >
> >> >> > questions, is the domain admin sid the same as a local admin account's sid
> >> >> > ?? the authentication being made with a blend of username and password,
> >> >> > all mixed up, hashed whatever and then sent to validation ??
> >> >> >
> >> >> > isn't the domain admin account user equal to domainname\admin and the
> >> >> > local admin, machinename\admin ??
> >> >> >
> >> >> > for my knowledge please comment on the above
> >> >> >
> >> >> > thank you
> >> >> >
> >> >> > Pedro Leite
> >> >>
> >>
>
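As an added example that is not part of the thread, a PowerShell hygiene check for the mistake the thread ends on: it lists local members of the Administrators group whose bare account name matches a privileged domain account name the caller supplies. The cmdlets are from Microsoft.PowerShell.LocalAccounts (Windows 10 / Server 2016 and later); the function name and the sample name list are assumptions constructed here.

```powershell
# Added hygiene check (not from the thread): report local Administrators-group
# members whose account name collides with a privileged domain account name.
# Assumes Microsoft.PowerShell.LocalAccounts is available and that the caller
# supplies the domain's privileged names (e.g. the output of
# Get-ADGroupMember 'Domain Admins' on a host with RSAT). Run on the
# stand-alone / workgroup machine being audited.
function Find-CollidingLocalAdmins {
    param(
        [Parameter(Mandatory)] [string[]] $DomainPrivilegedNames,
        [string] $Group = 'Administrators'
    )
    # Normalise case once; account names are case-insensitive on Windows.
    $privileged = $DomainPrivilegedNames | ForEach-Object { $_.ToLowerInvariant() }

    Get-LocalGroupMember -Group $Group |
        # Only local SAM user accounts matter here; domain members and
        # nested groups are not the pattern the thread describes.
        Where-Object { $_.PrincipalSource -eq 'Local' -and $_.ObjectClass -eq 'User' } |
        ForEach-Object {
            # Name comes back as COMPUTERNAME\account; keep the account part.
            $bare = ($_.Name -split '\\')[-1]
            $user = Get-LocalUser -Name $bare -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Account                 = $_.Name
                Enabled                 = if ($user) { $user.Enabled } else { $null }
                PasswordLastSet         = if ($user) { $user.PasswordLastSet } else { $null }
                CollidesWithDomainAdmin = $privileged -contains $bare.ToLowerInvariant()
            }
        } |
        Where-Object { $_.CollidesWithDomainAdmin }
}

# Constructed example list; replace with the real Domain Admins membership.
Find-CollidingLocalAdmins -DomainPrivilegedNames @('Administrator', 'pleite') |
    Format-Table -AutoSize
```

A name match alone is only a candidate: the transparent logon Roger describes also needs the password to match, which this check does not test; rename or disable the flagged local account, or give it a distinct password.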