Hi hong! On Wed, 02 Jul 2003, hong li wrote:
> If you use the same password for the local administrator on workstations
> as all other servers' local administrator (even domain administrator), the
> local administrator can gain full access to any server without being asked
> for domain info if you log on locally using the local administrator
> account. You can even map to \\servername\c$ without being asked for any
> domain user info.
>
> I recall this never happened in an NT environment; it always prompted you
> for domain user info when you accessed any server in the domain if you
> logged on locally.
>
> Is this a security hole in the Windows 2000 environment, or something else?

My guess is that this is caused by the servers falling back to NTLM
authentication. That means the remote server just authenticates the local
admin's username and password.

If my guess is right, it really is an opening left there by design, but I
think you can limit its effect by

1. using different passwords, as you suggest
2. changing the server security policy to prevent falling back to weaker
   authentication

Test carefully that your fixes work, as NT5 authentication is quite complex.

hope this helps
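The two mitigations in the reply, worked through as an added PowerShell example that is not part of the original thread. It targets a current Windows host (Windows PowerShell 5.1, run elevated) rather than Windows 2000, and the hardened values it writes (LmCompatibilityLevel=5, RestrictReceivingNTLMTraffic=2) are this editor's choice of what "prevent falling back to weaker authentication" should mean today; the registry paths, value names and event fields are the documented ones. Two caveats a practitioner will want: LmCompatibilityLevel only decides which NTLM variant is negotiated, and a local account can never use Kerberos, so with identical passwords the workstation's local Administrator still authenticates against the server's local SAM over NTLMv2; only unique per-host passwords or the inbound-NTLM restriction (Windows 7 / Server 2008 R2 and later) actually close that path. And denying inbound NTLM breaks anything that cannot do Kerberos (access by IP address, non-domain clients), which is why the script offers an audit-only mode first.

```powershell
# Added example, not code from the original thread. Windows PowerShell 5.1, elevated.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Msv = "$Lsa\MSV1_0"

function Get-RegDword([string]$Path, [string]$Name) {
    (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
}

# 1. Show the current NTLM negotiation and inbound-NTLM policy of this host.
function Get-NtlmPolicy {
    [pscustomobject]@{
        # 0..5; 5 = send NTLMv2 only and, as a server, refuse LM and NTLM
        LmCompatibilityLevel         = Get-RegDword $Lsa 'LmCompatibilityLevel'
        # 0 = allow all, 1 = deny domain accounts, 2 = deny all inbound NTLM
        RestrictReceivingNTLMTraffic = Get-RegDword $Msv 'RestrictReceivingNTLMTraffic'
        # 1 = log inbound NTLM (event log "Applications and Services Logs\Microsoft\Windows\NTLM")
        AuditReceivingNTLMTraffic    = Get-RegDword $Msv 'AuditReceivingNTLMTraffic'
    }
}

# Harden: refuse LM/NTLM, and either audit or deny inbound NTLM. Values are assumptions
# (see lead-in); run with -AuditOnly first and review the NTLM operational log.
function Set-NtlmPolicy {
    param([switch]$AuditOnly)
    New-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Value 5 -PropertyType DWord -Force | Out-Null
    if ($AuditOnly) {
        New-ItemProperty -Path $Msv -Name AuditReceivingNTLMTraffic    -Value 1 -PropertyType DWord -Force | Out-Null
    } else {
        New-ItemProperty -Path $Msv -Name RestrictReceivingNTLMTraffic -Value 2 -PropertyType DWord -Force | Out-Null
    }
}

# 2. "Use different passwords": give this host a random local Administrator password.
# Returns the plaintext so the caller can store it in a vault; Windows LAPS automates
# exactly this rotation and storage in AD, and is the better tool at scale.
function Set-UniqueLocalAdminPassword {
    param([string]$Name = 'Administrator', [int]$Length = 24)
    $chars = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    # byte % 62 has a small modulo bias; acceptable for a 24-char password, noted for honesty
    $plain = -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
    Set-LocalUser -Name $Name -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
    return $plain
}

# 3. Detect the pattern the thread describes: a LOCAL account (TargetDomainName equals
# this computer's name, not the domain) logging on over the network (type 3) via NTLM.
function Find-LocalAccountNetworkLogons {
    param([int]$Hours = 24)
    $me = $env:COMPUTERNAME
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.LogonType -eq '3' -and $d.AuthenticationPackageName -eq 'NTLM' -and $d.TargetDomainName -eq $me) {
            [pscustomobject]@{
                Time        = $_.TimeCreated
                User        = $d.TargetUserName
                FromIp      = $d.IpAddress
                Workstation = $d.WorkstationName
            }
        }
    }
}

# Usage (read-only parts first):
Get-NtlmPolicy
Find-LocalAccountNetworkLogons -Hours 48 | Format-Table -AutoSize
# Then, once the audit log shows no legitimate inbound NTLM from local accounts:
# Set-NtlmPolicy -AuditOnly      # step one, log only
# Set-NtlmPolicy                 # step two, enforce
# Set-UniqueLocalAdminPassword   # store the returned value in your vault
```

Run the detection function on the servers, not the workstations: a hit with `User = Administrator` and `Workstation` set to some workstation name is precisely the shared-password access the original question describes, and it is a useful baseline to take before changing any policy.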