A security issue about windows workgroup logon

Discussion in 'Windows Networking' started by Frank, Jul 14, 2004.

  1. Frank

    Frank Guest

    Hi All,



    After testing I found that when a win2k local user account is having the same logon name and password as a win2k domain user account (No matter whether or not the win2k machine joins the domain), it then has the same access right to the domain resources which are assigned permission to the domain user account.



    eg: Machine 1: win2k pro, workgroup, local user name: user1, pw: 123456

    Machine 2: win2k domain controller with domain user account: user1, pw: 123456

    when loggon locally to the win2k pro machine using credential user1, 123456, I can freely access any resource that the domain account user1 has permssion.



    This is indeed a security issue although the chance of such co-incidence is small. By right, if user logon as local user, he/she should provide domain user credentials when accessing domain resources.



    This will not happen for 2 identical domain users accounts which exist in two different domains. And I believe even for the win2k3 domain it is the same.



    Does anyone knows where to find the explanation for such an issue, is it by design or a security hole?



    Thanks

    Frank
     
    Frank, Jul 14, 2004
    #1
    1. Advertisements

  2. Frank

    Bill Grant Guest

    I think you will find that this has always been the case. When a
    machine which is not a domain member tries to access a domain resource, the
    domain controller queries the machine for its credentials. If the
    workgroup/username/password exactly matches a valid
    domain/username/password, the logon credentials are accepted by the domain
    controller. The domain controller trusts the local machine logon
    credentials.

    Hi All,



    After testing I found that when a win2k local user account is having the
    same logon name and password as a win2k domain user account (No matter
    whether or not the win2k machine joins the domain), it then has the same
    access right to the domain resources which are assigned permission to the
    domain user account.



    eg: Machine 1: win2k pro, workgroup, local user name: user1, pw: 123456

    Machine 2: win2k domain controller with domain user account: user1, pw:
    123456

    when loggon locally to the win2k pro machine using credential user1,
    123456, I can freely access any resource that the domain account user1 has
    permssion.



    This is indeed a security issue although the chance of such co-incidence is
    small. By right, if user logon as local user, he/she should provide domain
    user credentials when accessing domain resources.



    This will not happen for 2 identical domain users accounts which exist in
    two different domains. And I believe even for the win2k3 domain it is the
    same.



    Does anyone knows where to find the explanation for such an issue, is it by
    design or a security hole?



    Thanks

    Frank
     
    Bill Grant, Jul 15, 2004
    #2
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.