On 6/25/06, joe <[EMAIL PROTECTED]> wrote:
Err, maybe you can fill in more detail. I am not quite sure what you are saying. Are you saying there is a generic ID to log into the website and it can reset anyone's password, or are you saying there is a generic ID with rights to reset anyone's password, or ???? Either of those solutions wouldn't be optimal and I would love to work in that company for a day with that implemented and have people point out who the dumbass managers were... Or at least their IDs. <eg>

Oh, I just read that again. Is this an idea to give a userid/password to everyone so they can get past the GINA and get to the self service website?
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of AWS
Sent: Sunday, June 25, 2006 6:35 PM
To: [email protected]
Subject: [ActiveDir] pw reset domain account
There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any user's PC when needed.

They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused.

Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down?

Thanks,
AW
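As an added example that is not part of this thread: the lockdown question above is easiest to answer by auditing the account object itself rather than only the GPO. The script below checks a shared "kiosk" account against a minimal baseline: no group membership beyond Domain Users, no SPNs or delegation, no ability to change its own password, and no explicit ACE anywhere in the directory (in particular none carrying the Reset Password extended right, which is the scenario joe asks about). It uses the ActiveDirectory module and the AD: drive from Windows PowerShell on a domain-joined host, which postdate this 2006 thread; the account name and the allowed-group list are placeholders, not values from the original message.

```powershell
# Added example, not from the thread: audit a publicly known "kiosk" domain account
# against a lockdown baseline. Assumes the ActiveDirectory module (Windows PowerShell).
param(
    [string]$SamAccountName = 'pwreset-kiosk',    # placeholder name, not the thread's account
    [string[]]$AllowedGroups = @('Domain Users')  # any other membership is a finding
)

Import-Module ActiveDirectory

# Well-known GUID of the "Reset Password" control access right in the AD schema.
$ResetPasswordGuid = [guid]'00299570-246d-11d0-a768-00aa006e0529'

$props = 'MemberOf', 'AccountNotDelegated', 'CannotChangePassword', 'TrustedForDelegation',
         'ServicePrincipalNames', 'PasswordNotRequired', 'adminCount', 'LogonWorkstations'
$u = Get-ADUser -Identity $SamAccountName -Properties $props
$findings = New-Object System.Collections.Generic.List[string]

# 1. Group membership: the shared account should carry nothing beyond Domain Users.
foreach ($dn in $u.MemberOf) {
    $name = (Get-ADGroup -Identity $dn).Name
    if ($AllowedGroups -notcontains $name) { $findings.Add("member of group '$name'") }
}
if ($u.adminCount -gt 0) { $findings.Add('adminCount is set (is or was in a protected group)') }

# 2. Kerberos surface: nothing should authenticate *to* this identity, and it must not delegate.
if ($u.ServicePrincipalNames.Count -gt 0) { $findings.Add('has servicePrincipalName values') }
if ($u.TrustedForDelegation)              { $findings.Add('trusted for delegation') }
if (-not $u.AccountNotDelegated)          { $findings.Add('not flagged "sensitive, cannot be delegated"') }

# 3. Password hygiene: nobody who knows the published password may take the account over.
if (-not $u.CannotChangePassword) { $findings.Add('account may change its own password') }
if ($u.PasswordNotRequired)       { $findings.Add('PASSWD_NOTREQD is set') }

# 4. Directory permissions: walk the domain root and every OU; any Allow ACE granted
#    directly to this account is a finding, the Reset Password right most of all.
$containers = @((Get-ADDomain).DistinguishedName) +
              @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)
foreach ($dn in $containers) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.IdentityReference.Value -notlike "*\$SamAccountName") { continue }
        $why = if ($ace.ObjectType -eq $ResetPasswordGuid) { 'Reset Password right' }
               elseif ($ace.ActiveDirectoryRights -match 'GenericAll|GenericWrite|WriteDacl|WriteOwner') {
                   "$($ace.ActiveDirectoryRights) (write-equivalent)"
               }
               else { "$($ace.ActiveDirectoryRights) (explicit ACE)" }
        $findings.Add("ACE on ${dn}: $why")
    }
}

# 5. Informational: with no LogonWorkstations restriction the account logs on from any PC.
#    That is the stated design, so it is only flagged as a warning, not a finding.
if (-not $u.LogonWorkstations) {
    Write-Warning "$SamAccountName is not restricted to any workstation (by design for this proposal)"
}

if ($findings.Count -eq 0) {
    "OK: $SamAccountName matches the lockdown baseline"
} else {
    "FINDINGS for ${SamAccountName}:"
    $findings | ForEach-Object { " - $_" }
}
```

Run it as a user who can read the ACLs of the domain root and OUs. The ACL walk only looks for ACEs naming the kiosk account directly; rights inherited through group membership are covered by check 1, which is why the allowed-group list should stay as short as Domain Users. The checks are attribute-level only: the user-rights assignments the GPO applies (deny interactive logon, deny logon through Terminal Services, and so on) live on the client side and have to be verified on a representative workstation, for example by exporting the effective policy with `secedit /export`.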
