local account admin has access to other PCs if admin password

Post by U3RldmUgUG » Sun, 09 Oct 2005 05:48:02

I can maybe understand this maybe in a workgroup (even then it's a stretch),
but in a domain it seems unacceptable. I just tested this with a PC that is
not even a member of the domain and the result is the same. This implies
that if a guest comes to my office with his laptop, and I allow him to plug
in to my network, if he logs in to his laptop as administrator, and by pure
luck his password is the same as the local administrator account on any
resource in my network, he will have admin level access to those resources.
This doesn't seem like "trustworthy computing" to me??? Am I missing
something here?
--
Steve Paul
Post by Steven L U » Sun, 09 Oct 2005 08:45:22

That is the way it works if there is a common authentication protocol
available. If you use and enforce complex passwords of at least seven
characters long in the domain there would be around a one in 7 to the 96th
power possibility that another user would have the same password. If you
do not want non-domain computers to even have that chance then you can do
what Microsoft does, which is use IPsec to protect domain resources. If a
domain computer has an IPsec require policy enabled on it then a non-domain
computer will not be able to access it because computer authentication will
fail when the security association is attempted by Kerberos. IPsec is a
somewhat complex topic that requires planning and testing but it is explained well
in the IPsec domain isolation guide, even if you read just the appendixes.
One caveat is that domain controllers must be exempt from IPsec policies
that use IPsec traffic between domain computers and domain controllers for
the ports/protocols used in the authentication process by the domain
controllers. See the link below if interested in using IPsec. --- Steve

http://www.yqcomputer.com/
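The policy Steven L U describes (require Kerberos computer authentication for inbound connections, exempt the domain controllers) is what the domain isolation guide builds with the 2005-era IPsec MMC snap-in. As an added illustration that is not part of the original thread, the script below expresses the same two rules with the Windows Firewall with Advanced Security cmdlets available on Windows 8 / Server 2012 and later. It assumes it is run elevated on a domain-joined host, and the domain controller addresses are placeholders that must be replaced; the rule names are chosen here and are not from the guide.

```powershell
# Added example, not code from the original thread or from Microsoft's guide.
# Assumptions: NetSecurity module (Windows 8 / Server 2012+), run elevated on a
# domain-joined computer. DC addresses below are PLACEHOLDERS.
#Requires -RunAsAdministrator

$DomainControllers = @('10.0.0.10', '10.0.0.11')   # PLACEHOLDER: your DC IPs

# 1. Phase 1 (main mode) authentication: Kerberos *computer* credentials only.
#    A non-domain laptop has no machine account and cannot obtain a Kerberos
#    ticket, so the security association fails before any SMB/RPC traffic is
#    accepted, no matter what the local Administrator password happens to be.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$authSet  = New-NetIPsecPhase1AuthSet -DisplayName 'Domain Computer Kerberos' `
                                      -Proposal $proposal

# 2. The caveat from the post: traffic to the domain controllers must be
#    exempt, because the Kerberos exchange itself has to reach the DC before
#    any IPsec SA can be negotiated. An authentication exemption rule is a
#    connection security rule with no security requirement in either direction.
New-NetIPsecRule -DisplayName 'Exempt DC traffic' `
                 -RemoteAddress $DomainControllers `
                 -InboundSecurity None -OutboundSecurity None `
                 -Profile Domain

# 3. Require authentication for everything inbound. Outbound is only
#    "Request" so this host can still reach non-IPsec peers (printers,
#    guest devices) rather than locking itself out of the network.
New-NetIPsecRule -DisplayName 'Require domain auth inbound' `
                 -InboundSecurity Require -OutboundSecurity Request `
                 -Phase1AuthSet $authSet.InstanceID `
                 -Profile Domain

# 4. Check what was created before rolling the same rules out via Group Policy.
Get-NetIPsecRule -DisplayName 'Exempt DC traffic', 'Require domain auth inbound' |
    Select-Object DisplayName, InboundSecurity, OutboundSecurity, Profile, Enabled
```

Test this on one member server first: from a domain-joined client the share should still open (and `Get-NetIPsecMainModeSA` will show a Kerberos-authenticated SA), while the same share from a non-domain machine with a matching local Administrator password should now fail at the network layer instead of succeeding, which is exactly the gap the original poster observed.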