Enquiry on a special scenario.


Dear Sir/Madam,

I got an enquiry from my customer regarding security
setup. I am developing a system which accepts single sign-on.
It means that if the user can log on to the network and
has the security level to touch different servers, he/she can
use different systems, e.g. CRM, MIS.

The customer claims that there is a way to bypass the user
ID and password in the network in order to use all the
resources and systems in the network.

Someone can disconnect a PC physically from the network.
He/she creates a domain and user ID on the PC which are the same
as the domain and user ID in the network. Then he/she
logs on to the domain and user ID on the PC. He/she can
connect the PC to the network again. Finally, he/she can
access all the resources in the network.

Best Regards,

Martin.


Steven L Umbach
A user can access resources on a domain network if they have a local user
account on a non-domain computer that has the same logon/password as a
domain account, and of course connectivity to the network. However, if IPsec
policies have been defined that "require" IPsec negotiation to a domain
resource, then their access will fail due to their computer not being able
to authenticate via Kerberos. --- Steve

Martin.
Dear Steven,

If the password in the local domain is different from the domain one, can people be granted access to the network resources?

Best Regards,

Martin.


Steven Umbach
If the password is different and they do not know the password of the domain
account, they will be denied access. --- Steve

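The situation discussed in this thread, as an added detection example that is not part of the original posts: a machine that is not joined to the domain cannot authenticate via Kerberos, so its network logons reach servers as NTLM, and they succeed or fail depending on whether the password matches the domain account. The sketch below flags such logons in Windows Security events 4624/4625; the event records, the inventory of joined computers and the function name are constructed for illustration.

```python
# Added example. Field names follow Windows Security events 4624 (logon
# succeeded) and 4625 (logon failed); all values below are constructed.
DOMAIN_COMPUTERS = {"HR-PC-014", "FIN-PC-002"}  # hypothetical inventory of joined machines

SAMPLE_EVENTS = [
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "Kerberos",
     "TargetUserName": "jsmith", "WorkstationName": "-", "IpAddress": "10.0.4.21"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jsmith", "WorkstationName": "HR-PC-014", "IpAddress": "10.0.4.22"},
    {"EventID": 4624, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jsmith", "WorkstationName": "LAPTOP-X1", "IpAddress": "10.0.9.77"},
    {"EventID": 4625, "LogonType": 3, "AuthenticationPackageName": "NTLM",
     "TargetUserName": "jsmith", "WorkstationName": "laptop-x1", "IpAddress": "10.0.9.77"},
    {"EventID": 4624, "LogonType": 2, "AuthenticationPackageName": "Negotiate",
     "TargetUserName": "jsmith", "WorkstationName": "HR-PC-014", "IpAddress": "127.0.0.1"},
]

OUTCOME = {4624: "granted", 4625: "denied"}
NETWORK_LOGON = 3  # LogonType 3 = access over the network (shares, services)


def find_offdomain_ntlm(events, domain_computers):
    """Return network NTLM logons whose source workstation is not a joined machine."""
    known = {name.upper() for name in domain_computers}
    findings = []
    for ev in events:
        outcome = OUTCOME.get(ev.get("EventID"))
        if outcome is None or ev.get("LogonType") != NETWORK_LOGON:
            continue
        if str(ev.get("AuthenticationPackageName", "")).upper() != "NTLM":
            continue  # Kerberos logons come from machines that can reach the KDC as members
        workstation = str(ev.get("WorkstationName", "")).strip().upper()
        if workstation in known:
            continue
        # WorkstationName is supplied by the client, so keep IpAddress for correlation.
        findings.append({"user": ev.get("TargetUserName"), "workstation": workstation,
                         "ip": ev.get("IpAddress"), "outcome": outcome})
    return findings


if __name__ == "__main__":
    for finding in find_offdomain_ntlm(SAMPLE_EVENTS, DOMAIN_COMPUTERS):
        print(finding)
```

A "granted" finding corresponds to the matching-password case in the first answer, and a "denied" finding to the different-password case in the second.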