
Serious security problem for domain!!

fimchick

OSNN Senior Addict
#1
Please help! I just found this today, by accident -- I was adding a PC to the domain and when prompted for the username/password I left both fields blank and pressed Enter... and it worked. I just tested a blank username and password on our VPN and it worked as well!!!

How is this possible??? Is there somewhere I can look to see what it is and turn this damn hole off?

thank you!!!!!!!!!!!
 

fimchick

OSNN Senior Addict
#2
Addendum -- after I connected with blank username/password, the Routing and Remote Access connection status showed my username (I'm domain admin) listed as one of the connected clients. As soon as I disconnect, it's gone...

what the???
 
#3
Time to audit all the users in your admin groups. :)

I was just going over the way to add a comp to a domain... it's done within the PC I believe....

MSKB

4. Under Member of, type [your domain] for the Domain, and then click OK.

5. The Domain Username and Password dialog box appears. You must supply an account that has privileges to join the domain.

I didn't know you could, but VPN can be configured to use blank username, password.

Example
 

fimchick

OSNN Senior Addict
#4
Thanks for the reply. I figured it out a minute ago. I never thought about it, but the local admin password on all our machines is the same as the Administrator password on the domain. SOoooo, when I would hit enter, it would simply pass the same credentials over: username: administrator password: xxxxx and it would go through! wow, pretty scary for a few mins.... =]
 
#5
fimchick said:
Thanks for the reply. I figured it out a minute ago. I never thought about it, but the local admin password on all our machines is the same as the Administrator password on the domain. SOoooo, when I would hit enter, it would simply pass the same credentials over: username: administrator password: xxxxx and it would go through! wow, pretty scary for a few mins.... =]

Change the Domain password - more secure policy.

Why? I can hack a local admin password with 1 reboot. If I get lucky, one day I'll try that pass on the domain. ;) I don't hack, but I do know what a couple of right clicks AS a domain admin can do. :eek:
 

kcnychief

█▄█ ▀█▄ █
Political User
#7
fimchick said:
Thanks for the reply. I figured it out a minute ago. I never thought about it, but the local admin password on all our machines is the same as the Administrator password on the domain. SOoooo, when I would hit enter, it would simply pass the same credentials over: username: administrator password: xxxxx and it would go through! wow, pretty scary for a few mins.... =]

That's scary for more than a few minutes, but glad you discovered it.

My personal preference, disable the "administrator" account on the domain level. I prefer to enforce usernames 110% so it's easier to track through logging. I'd rather see someone named "john_doe" access a resource than "administrator", because that could be anyone with the credentials.

That, plus if the account gets out, all hell breaks loose :eek:
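
An added example, not part of the thread: one way to see the logging point above is to list which hosts logged on to the domain as the shared "administrator" name, next to the named accounts that can be tied to a person. The CSV layout, the domain name CORP and all host and user names are assumptions constructed for the example; the column names follow the fields of Windows Security event 4624.

```python
import csv
import io
from collections import defaultdict

# Constructed sample: successful-logon records (Windows Security event 4624)
# exported to CSV. Domain, host and user names are made up for the example.
SAMPLE_EXPORT = """\
TimeCreated,TargetDomainName,TargetUserName,LogonType,WorkstationName
2024-05-01T08:01:12,CORP,john_doe,2,WS-014
2024-05-01T08:03:40,CORP,Administrator,3,WS-022
2024-05-01T08:04:05,CORP,administrator,3,WS-031
2024-05-01T08:09:51,WS-022,Administrator,2,WS-022
2024-05-01T08:15:27,CORP,jane_roe,10,WS-007
2024-05-01T09:30:02,CORP,Administrator,3,VPN-GW
"""

GENERIC_NAMES = {"administrator"}  # shared names that identify no person


def generic_domain_logons(export_text, domain):
    """Return {generic account: sorted source hosts} for logons to `domain`."""
    hits = defaultdict(set)
    for row in csv.DictReader(io.StringIO(export_text)):
        # A logon to a machine's own local Administrator records the machine
        # name as its domain, so it is skipped; only domain use is reported.
        if row["TargetDomainName"].strip().upper() != domain.upper():
            continue
        name = row["TargetUserName"].strip().lower()
        if name in GENERIC_NAMES:
            hits[name].add(row["WorkstationName"].strip())
    return {name: sorted(hosts) for name, hosts in hits.items()}


def attributable_logons(export_text, domain):
    """Return the sorted named accounts seen, i.e. logons tied to one person."""
    names = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        name = row["TargetUserName"].strip().lower()
        if row["TargetDomainName"].strip().upper() == domain.upper() \
                and name not in GENERIC_NAMES:
            names.add(name)
    return sorted(names)


if __name__ == "__main__":
    for account, hosts in generic_domain_logons(SAMPLE_EXPORT, "CORP").items():
        print(f"{account}: domain logons from {len(hosts)} hosts: {hosts}")
    print("named accounts:", attributable_logons(SAMPLE_EXPORT, "CORP"))
```

Domain logons as the shared name arriving from ordinary workstations are also what the shared local/domain password described earlier in the thread would produce.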
 
