Not a vendory type person, but the password reset tools that I have seen do indeed use a hook into the GINA to provide a way to hit the password reset utility without logging on to the workstation.
 
This may not be an ideal solution to implement now though since my understanding is that the GINA is no longer there in Vista. I am sure these vendors will find another way to do it, but these particular versions likely won't work immediately with Vista.
 
Phil

 
On 6/25/06, Laura E. Hunter <[EMAIL PROTECTED]> wrote:
I don't even need to give you a "black hat tool" scenario, just a human one:

You're checking your Event Logs one day and see that
DOMAIN\SharedAccount has accessed a file share that it shouldn't have.
Given the fact that everyone in your enterprise has the password for
DOMAIN\SharedAccount, how are you going to determine who did it?
Since there's no way to do so, you reset the SharedAccount password
and re-communicate it to your userbase. (How are you doing that, by
the way? The method to do so will unavoidably be either [a] awful to
manage, [b] inherently insecure in itself, or more than likely both.)

Then you're monitoring your log files a few days later and notice that
the SharedAccount account has accessed another file share that it
shouldn't have. Given the fact that everyone in your enterprise has
the password for SharedAccount, how are you going to determine who did
it? Since there's no way to do so, you...

...repeat until insane.

I'm being humorous in my response, but please don't let that take
away from the larger point, which is that that's a horribly insecure
way to implement a solution like that - if that were the vendor's
"recommended" implementation, I'm thinking I'd run -far- in the
opposite direction.

Don't the Quest and/or NetPro self-service password tools write a hook
into the GINA to alleviate the "I don't know my password, so how do I
log on to reset my password?" question? *waits patiently for a
vendory-type person on the list to fill in details I don't have*

Laura


On 6/25/06, AWS <[EMAIL PROTECTED]> wrote:
>
> There's a proposal at my company for a self service password reset website
> which uses a shared domain account. It's similar to a kiosk configuration,
> but the intent is to publicize the account and password so that it can be
> used from any user's PC when needed.
>
> They have an account-specific OU/GPO configuration which locks down the
> typical stuff you would expect, but my position is that there are too many
> unknown vectors for such an account to be abused.
>
> Since I don't dabble in the various black hat utils du jour, does anyone
> have any thoughts on how a globally known domain account could be hacked
> upon? Conversely, is there any way such an account could be effectively
> locked down?
>
> Thanks,
> AW


--
-----------------------
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info   : http://www.activedir.org/List.aspx
List FAQ    : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
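The attribution gap Laura describes, as an added example that is not part of this thread: a short Python correlation over constructed Windows Security log records, showing that a logon or share access by the shared account can be tied to a source host and, at best, to whichever named accounts also logged on from that host, never to a person. The account name comes from the thread; the kiosk allow-list, hostnames, addresses and share path are constructed for the example.

```python
"""Audit-trail correlation for a shared domain account (added example).

Once everyone knows the SharedAccount password, Security log events name the
account and the source host, never the person behind the keyboard. All events
below are constructed samples whose fields are modelled on 4624 (logon) and
5140 (network share access) records.
"""
from collections import defaultdict

SHARED_ACCOUNT = "SharedAccount"      # account name used in the thread
KIOSK_ALLOWLIST = {"KIOSK-01"}        # assumption: hosts where its use is expected

EVENTS = [  # constructed sample log, in time order
    {"id": 4624, "account": "SharedAccount", "src": "10.1.1.20", "ws": "KIOSK-01"},
    {"id": 4624, "account": "jdoe",          "src": "10.1.7.42", "ws": "LT-JDOE"},
    {"id": 4624, "account": "SharedAccount", "src": "10.1.7.42", "ws": "LT-JDOE"},
    {"id": 5140, "account": "SharedAccount", "src": "10.1.7.42", "share": r"\\FS01\Finance"},
    {"id": 4624, "account": "SharedAccount", "src": "10.1.9.5",  "ws": "LT-ASMITH"},
    {"id": 5140, "account": "SharedAccount", "src": "10.1.9.5",  "share": r"\\FS01\Finance"},
]


def logons_off_allowlist(events, account=SHARED_ACCOUNT, allow=KIOSK_ALLOWLIST):
    """Detection: shared-account logons from hosts it was never meant to be used on."""
    return [(e["ws"], e["src"]) for e in events
            if e["id"] == 4624 and e["account"] == account and e["ws"] not in allow]


def candidate_users_for_share_access(events, share, account=SHARED_ACCOUNT):
    """For each access to `share` by the shared account, the only lead is the
    source host. The best available attribution is the set of named accounts
    that also logged on from that host; an empty list means nobody to name."""
    named_by_src = defaultdict(set)
    for e in events:
        if e["id"] == 4624 and e["account"] != account:
            named_by_src[e["src"]].add(e["account"])
    return {e["src"]: sorted(named_by_src[e["src"]])
            for e in events
            if e["id"] == 5140 and e["account"] == account and e["share"] == share}


if __name__ == "__main__":
    print("shared-account logons off the kiosk allow-list:", logons_off_allowlist(EVENTS))
    print("named accounts seen on the accessing hosts:",
          candidate_users_for_share_access(EVENTS, r"\\FS01\Finance"))
```

The second access (from 10.1.9.5) yields no candidate at all, which is exactly the "repeat until insane" situation: the log proves the shared account was used, and nothing more.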
