
Re: NT System Policy for Win95 Not downloaded when adding a space after domain name


Shawn Wright (swrightSLS.BC.CA)
Tue, 23 Nov 1999 09:15:08 -0800


On 18 Nov 99, at 17:10, Martin Kay wrote:

> IF: a) System Policies are in use, AND
> b) Mandatory User Profiles are in use, AND
> c) the Mandatory user profiles (*.MAN files) being used were created
> and made mandatory BEFORE the instigation of system policies...
> THEN:
> If a domain user logs into the domain, and adds a space (" ") after the
> domain name, then the system policy is not downloaded/put into effect on the
> PC concerned. Any security restriction in the policy is not in place.
>
> Cause:
> 1) MANdatory user profiles are read only. System Policies change registry
> settings "on the fly". Without mandatory profiles, the system policy
> updates the user profile and thus security limitations are put into effect
> thereafter as the user profile is saved back to the profile directory
> (either roaming or locally).
>
> 2) This does not explain WHY policies are not run when logging in with a
> space after the domain name.
>
> Discovery:
> At a private school in Adelaide, SA in late 1998, reproduced on my network
> Jan 1999.
>
> Fix:
> Change user profiles back to writeable, login (without space) to get the
> system policy changes, logout, rename user profiles to .MAN. Change had
> then occurred in the roaming user profile.
>
> Martin Kay MCSE
> Orbis Information Systems
> Adelaide, SA

There are more permutations to this problem, which do not have a solution,
according to Microsoft, and this is why we no longer run Win95 public
workstations.

In our case, with System Policies stored in the DC Netlogon shares, any user
can bypass policies by entering a valid domain user/password, but changing
the Domain to *anything* other than the correct domain name. A significant
delay occurs (10-20 seconds), after which they are granted a local logon to
the workstation, with the policy of the previous user in place. Any persistent
connections to network shares are restored, and any shortcuts with valid
UNC paths will also still work, provided the username has permissions to
these resources.

The security event logs on the DCs will show multiple failed logins with the
phony domain name, but do NOT show a valid login, even though one
obviously must occur to use the network resources. Even with this
information, I could not convince Microsoft tech support to treat this issue
seriously - they insisted it was a Windows 95 issue and therefore their NT
support would not look into it further. The fact that a user can gain access to
server resources and this access is not logged correctly would seem to be
an NT security issue to me, but the opinion at MS differed. This problem was
with NT 4 SP3, and any version of win95. It is possible that this was rectified
with SP4 or above, but I doubt it, as I suspect much of the problem lies with
Win95 (aside from the lack of correct security logging).

This became such a problem in our school labs that we were forced to
upgrade all machines to NT4.

========================
Shawn Wright
Computer Systems Manager
Shawnigan Lake School
http://www.sls.bc.ca
swrightsls.bc.ca
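The observation above (bursts of failed logons carrying a phony or whitespace-padded domain name, with no valid logon recorded afterwards) can be turned into a simple review check over DC security log exports. The following is an added example, not code from either poster; it assumes a constructed, simplified "timestamp|workstation|user|domain|result" record format rather than the real NT event log layout, and the expected domain name "SLS" is a placeholder.

```python
from collections import defaultdict

EXPECTED_DOMAIN = "SLS"  # assumed/placeholder domain name, not from the post

# Constructed sample records (simplified format, not a real NT security log).
SAMPLE_LOG = """\
1999-11-23 09:00:01|LAB-PC01|jsmith|SLS|success
1999-11-23 09:00:15|LAB-PC02|jsmith|SLS |failure
1999-11-23 09:00:17|LAB-PC02|jsmith|SLS |failure
1999-11-23 09:00:19|LAB-PC02|jsmith|SLS |failure
1999-11-23 09:01:02|LAB-PC03|adoe|BOGUS|failure
1999-11-23 09:01:04|LAB-PC03|adoe|BOGUS|failure
1999-11-23 09:02:30|LAB-PC04|bjones|SLS|failure
1999-11-23 09:02:45|LAB-PC04|bjones|SLS|success
"""

def parse(log):
    """Split each non-empty line into a record; the domain field is kept verbatim
    so a trailing space survives and can be detected."""
    rows = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, ws, user, domain, result = line.split("|")
        rows.append({"ts": ts, "ws": ws, "user": user, "domain": domain, "result": result})
    return rows

def classify_domain(domain):
    """'exact' for the expected name, 'whitespace-variant' if it matches only after
    stripping padding/case, 'foreign' for anything else."""
    if domain == EXPECTED_DOMAIN:
        return "exact"
    if domain.strip().upper() == EXPECTED_DOMAIN.upper():
        return "whitespace-variant"
    return "foreign"

def find_suspicious(rows, min_failures=2):
    """Per workstation: a run of failed logons whose domain field is not exactly the
    expected domain, with no later successful logon from that workstation."""
    by_ws = defaultdict(list)
    for r in rows:
        by_ws[r["ws"]].append(r)
    findings = []
    for ws, events in by_ws.items():
        bad = [e for e in events
               if e["result"] == "failure" and classify_domain(e["domain"]) != "exact"]
        if len(bad) < min_failures:
            continue
        last_bad_ts = bad[-1]["ts"]
        recovered = any(e["result"] == "success" and e["ts"] > last_bad_ts for e in events)
        if not recovered:
            findings.append({"ws": ws, "user": bad[-1]["user"],
                             "kind": classify_domain(bad[-1]["domain"]), "failures": len(bad)})
    return findings
```

Workstations that show a legitimate failure followed by a success with the correct domain (LAB-PC04 in the sample) are not reported; the two flagged hosts are the ones matching the pattern the post describes.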



This archive was generated by hypermail 2.0b3 on Wed Nov 24 1999 - 12:56:40 CST