Serious security problem for domain!!

Discussion in 'Windows Desktop Systems' started by fimchick, Mar 23, 2006.

  1. fimchick

    fimchick OSNN Senior Addict

    Messages:
    276
    Location:
    Somewhere
    please help! i just found this today, by accident -- I was adding a pc to the domain and when prompted for the username/password i left both fields blank and pressed enter...and it worked. i just tested a blank username and password on our vpn and it worked as well!!!

    how is this possible??? is there somewhere I can look to see what it is and turn this damn hole off?

    thank you!!!!!!!!!!!
     
  2. fimchick

    fimchick OSNN Senior Addict

    Messages:
    276
    Location:
    Somewhere
    Addendum -- after i connected with blank username/password, the Routing and Remote Access connection status showed my username (i'm domain admin) listed as one of the connected clients. As soon as i disconnect, it's gone...

    what the???
     
  3. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal
    Time to audit all the users in your admin groups. :)

    I was just going over the way to add a comp to a domain... it's done within the PC I believe....

    MSKB

    4. Under Member of, type [your domain] for the Domain, and then click OK.

    5.
    The Domain Username and Password dialog box appears. You must supply an account that has privileges to join the domain.

    I didn't know you could, but VPN can be configured to use blank username, password.

    Example
     
    Last edited: Mar 23, 2006
    fimchick likes this.
  4. fimchick

    fimchick OSNN Senior Addict

    Messages:
    276
    Location:
    Somewhere
    Thanks for the reply. I figured it out a minute ago. I never thought about it, but the local admin password on all our machines is the same as the Administrator password on the domain. SOoooo, when I would hit enter, it would simply pass the same credentials over: username: administrator password: xxxxx and it would go through! wow, pretty scary for a few mins.... =]
     
  5. Mastershakes

    Mastershakes Moderator

    Messages:
    1,721
    Location:
    Montreal

    Change the Domain password - more secure policy.

    Why? I can hack a local admin password with 1 reboot. If I get lucky, one day I'll try that pass on the domain. ;) I don't hack, but I do know what a couple of right clicks AS a domain admin can do. :eek:
     
  6. fimchick

    fimchick OSNN Senior Addict

    Messages:
    276
    Location:
    Somewhere
    Yeah, I changed it immediately :D Can't believe this happened!
     
  7. kcnychief

    kcnychief █▄█ ▀█▄ █ Political User Folding Team

    Messages:
    16,948
    Location:
    Massachusetts
    That's scary for more than a few minutes, but glad you discovered it.

    My personal preference, disable the "administrator" account on the domain level. I prefer to enforce usernames 110% so it's easier to track through logging. I'd rather see someone named "john_doe" access a resource than "administrator", because that could be anyone with the credentials.

    That, plus if the account gets out, all hell breaks loose :eek: