<<< Note: insane ramblings follow. These are off the top of my head and untested. >>>

If the user name and password are known then there are a whole host of places you can use the account to conceal your identity. If the user can log on with it then it must have "logon locally" rights. Wonder if you can pop a "CMD" window, then you can use it in "runas" credentials? Then isn't there a dodge (left shift key) so that you bypass the startup programs thingy and so avoid the web page loading? If it's going to ask questions then presumably it needs rights somewhere else, so is going to have "logon via the network" rights as well, nice that... Not sure that you could stop users finding the "magic web site" address, could they then start tampering from there? Sounds like a real hackers' heaven....

Dave.

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rob MOIR
Sent: 26 June 2006 16:28
To: [email protected]; [email protected]
Subject: RE: [ActiveDir] pw reset domain account

What sort of questions? If you ask people to pick a secret question then you'll get poor quality questions:

Q. QWERTY
A. UIOP

Or poor quality questions: DOB? (My friends at work know how old I am, and what day my birthday is).

Q. What sports team do I support?
A. Right, like it isn't obvious from the way I was moaning about their play yesterday.

Or questions that anyone trying to hack a specific important account couldn't discover.

Q. What was my first grade teacher?
A. Like this isn't documented on Friends Reunited and every silly myspace quiz you ever took.

Sorry to sound like I'm beating you up on this quite so much, but I've been down this road already and I'm trying to save you some pain.

Couple of further questions:

What will you do if someone forgets the special password resetting account's details? Hopefully they won't actually be logging in THAT often.

What's to stop a 'random passer by' getting on a terminal and playing with this account?

-----Original Message-----
From: [EMAIL PROTECTED] on behalf of AWS
Sent: Mon 26/06/2006 15:34
To: [email protected]
Subject: Re: [ActiveDir] pw reset domain account

Yes, the latter. This is an account a user would use to login with, then the pw reset website would automatically run. The website has challenge/response Q's for them to get their individual acct reset.

On 6/25/06, joe <[EMAIL PROTECTED]> wrote:
>
> Err, maybe you can fill in more detail. I am not quite sure what you
> are saying. Are you saying there is a generic ID to log into the
> website and it can reset anyone's password or are you saying there is
> a generic ID with rights to reset anyone's password or ????
>
> Either of those solutions wouldn't be optimal and I would love to work
> in that company for a day with that implemented and have people point
> out who the dumbass managers were... Or at least their IDs. <eg>
>
> Oh I just read that again, is this an idea to give a userid/password
> to everyone so they can get past the GINA and get to the self service website?
>
> --
> O'Reilly Active Directory Third Edition -
> http://www.joeware.net/win/ad3e.htm
>
> ------------------------------
> *From:* [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] *On Behalf Of *AWS
> *Sent:* Sunday, June 25, 2006 6:35 PM
> *To:* [email protected]
> *Subject:* [ActiveDir] pw reset domain account
>
> There's a proposal at my company for a self service password reset
> website which uses a shared domain account. It's similar to a kiosk
> configuration, but the intent is to publicize the account and password
> so that it can be used from any users' pc when needed.
>
> They have an account-specific OU/GPO configuration which locks down
> the typical stuff you would expect, but my position is that there are
> too many unknown vectors for such an account to be abused.
>
> Since I don't dabble in the various black hat utils du jour, does
> anyone have any thoughts on how a globally known domain account could
> be hacked upon? Conversely, is there any way such an account could be
> effectively locked down?
>
> Thanks,
> AW

List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
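The thread's open question is whether a publicised kiosk account can be held to console logon only. As an added example (not from the list or from any poster), here is a Python audit of the user-rights section of a `secedit /export /cfg` file: it checks that the shared account holds interactive logon and is explicitly denied network, RDP, batch and service logon. The account name `pwreset`, the group SIDs and the INF contents are constructed for the example.

```python
from typing import Dict, List, Set

# Constructed sample of the [Privilege Rights] section that `secedit /export /cfg`
# writes; "pwreset" is the hypothetical shared kiosk account (real exports use *SID).
SAMPLE_INF = """\
[Privilege Rights]
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545,pwreset
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544,pwreset
SeDenyNetworkLogonRight = *S-1-5-32-546
SeDenyRemoteInteractiveLogonRight = *S-1-5-32-546
"""
REQUIRED = {"SeInteractiveLogonRight"}  # console logon is the account's only job
# Deny rights win over allows. Network/RDP denies are enforced by the machine being
# logged on to, so they must be in a domain-wide policy, not just the kiosk's OU;
# batch/service denies stop scheduled tasks and services running as the account.
# Note that runas performs an interactive logon and is not blocked by any of these.
DENY_REQUIRED = {
    "SeDenyNetworkLogonRight", "SeDenyRemoteInteractiveLogonRight",
    "SeDenyBatchLogonRight", "SeDenyServiceLogonRight",
}
EXPLICIT_GRANTS = ("SeNetworkLogonRight", "SeRemoteInteractiveLogonRight",
                   "SeBatchLogonRight", "SeServiceLogonRight")
def parse_privilege_rights(inf_text: str) -> Dict[str, Set[str]]:
    """Map each right in [Privilege Rights] to its principals (SIDs or names)."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = {p.strip().lstrip("*")
                                    for p in value.split(",") if p.strip()}
    return rights

def audit_shared_account(inf_text: str, account: str,
                         groups: Set[str] = frozenset()) -> List[str]:
    """Return findings; empty means the lockdown is as intended. Matching is literal,
    so pass the SIDs of the account's groups in `groups` (no expansion is done)."""
    rights = parse_privilege_rights(inf_text)
    ids = {account, *groups}
    holds = lambda r: bool(ids & rights.get(r, set()))
    findings = [f"{account} lacks {r}; the kiosk logon itself would fail"
                for r in sorted(REQUIRED) if not holds(r)]
    findings += [f"{account} is not listed in {r}"
                 for r in sorted(DENY_REQUIRED) if not holds(r)]
    findings += [f"{account} is explicitly granted {r}"  # allow + deny: still a misconfig
                 for r in EXPLICIT_GRANTS if holds(r)]
    return findings
```

Run it against the real export with the account's own SID and the SIDs of Domain Users and any local group it lands in, since a right granted to Users is inherited just as effectively as a direct grant.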
