Subject: Re: WinNT management from a Notebook.
From: Welsh, Armand (armand.welshSSCIMS.COM)
Date: Mon Nov 13 2000 - 14:46:02 CST


Actually, you can do it even if the passwords/account names are not in sync.
This is because what you are doing is logging into the domain. Remember
that NT uses the NT Challenge/Response authentication method. By this
method, if the user you are logged in as has an account on the machine you
are connecting to, and the password is the same as the local password, then
the challenge/response process is silent.

If you have different passwords, or accounts, then the challenge/response
authentication to the other host will fail, and you will be prompted for
authentication information. This is by design, and it is not a security
hole.

-----Original Message-----
From: Michael Duvall [mailto:duvallmCSWNET.COM]
Sent: Friday, November 10, 2000 6:01 PM
To: FOCUS-MSSECURITYFOCUS.COM
Subject: Re: WinNT management from a Notebook.

Actually this might bring up a security issue for some of the gurus
here....you can admin a nt40 domain from a workstation that is not part of
the domain. You have to have admin rights and the username and password for
the workstation must match that for the account with the rights in the
domain regardless if you have authenticated to the domain otherwise. I ran
into this a few months ago and have not had time to look at it but it seems
it has to be an issue of the usermgr, etc...checking the local sam and
comparing it against the domain sam. Would be interested to know if anyone
knows how this works