#1
  1. life is joy, don't waste it !
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2004
    Location
    :: behind the border ::
    Posts
    360
    Rep Power
    13

    Local Administrator can connect to Domain


    Hi,

    I have a domain managed by Windows Server 2003 Std Ed.

    Recently I removed a computer (Windows 7 Pro) from the domain.
    I was shocked when I discovered that the Local Administrator from that removed PC actually had access to the domain shared files, as a Domain Administrator.

    That means any computer connected to the network, not even belonging to the Domain, is able to get access to my Domain resources just with their local Administrator Account.

    Seems that the domain is considering the Local Administrator as a Domain Administrator, but the Computer is not even a member of the Domain! So what's going on?

    I'm expecting that computers not belonging to a Domain should not even be able to see any resources shared by a domain which they are not a member of.

    Can somebody tell me what's going on ?

    Is this a problem with Windows 7 Client/Server 2003 compatibility?

    How can I find the insecurity hole causing this ?

    Thanks
    Let us rm -rf our weaknesses.
  2. #2
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2004
    Posts
    355
    Rep Power
    166
    What makes you think an un-authenticated user is connecting to this share as a "Domain Admin"? The user is most likely connecting to an open share because you are sharing the folder to the Everyone group. On 2003 Server the Everyone group means everyone. You should be restricting your share to the "Domain Users" group or the "Authenticated Users" group of your domain if you don't want everyone to see them. I personally use the Everyone group on my shares, then lock down the folders and files with NTFS permissions.
  4. #3
  5. 'fie' on me, allege-dly
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2003
    Location
    in da kitchen ...
    Posts
    12,890
    Rep Power
    6444
    Does the Domain admin and the local admin share the same password?

    Comments on this post

    • TheJim01 agrees
    --Ax
    without exception, there is no rule ...
    Handmade Irish Jewellery
    Targeted Advertising Cookie Optout (TACO) extension for Firefox
    The great thing about Object Oriented code is that it can make small, simple problems look like large, complex ones


    09 F9 11 02
    9D 74 E3 5B
    D8 41 56 C5
    63 56 88 C0
    Some people, when confronted with a problem, think "I know, I'll use regular expressions." Now they have two problems.
    -- Jamie Zawinski
    Detavil - the devil is in the detail, allegedly, and I use the term advisedly, allegedly ... oh, no, wait I did ...
    BIT COINS ANYONE
  6. #4
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2004
    Posts
    355
    Rep Power
    166
    Originally Posted by Axweildr
    Does the Domain admin and the local admin share the same password?
    How would the SIDs match up even with the same password?
  8. #5
    Grumpier old Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jun 2003
    Posts
    14,449
    Rep Power
    4539
    What local administrator account? Usually the built-in local administrator account is hidden from the login screen.
    ======
    Doug G
    ======
    Bartender to Rene Descartes "have another beer?" Descartes: "I think not" and he vanished.
    --Alfred Bester
  10. #6
  11. 'fie' on me, allege-dly
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2003
    Location
    in da kitchen ...
    Posts
    12,890
    Rep Power
    6444
    The SIDs don't need to match up; when you request access it authenticates with username and password.
  12. #7
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2004
    Posts
    355
    Rep Power
    166
    Originally Posted by Axweildr
    The SIDs don't need to match up; when you request access it authenticates with username and password.
    I see your point, but this isn't simple file sharing. What would cause a non-domain computer to respond with the proper NTLM hash

    correctdomainname\administrator

    or Kerberos

    administrator@correctdomainname

    to be authenticated as a Domain Admin?
  14. #8
    Contributing User
    Devshed Regular (2000 - 2499 posts)

    Join Date
    Sep 2003
    Location
    Oregon
    Posts
    2,157
    Rep Power
    934
    If you go into the AD MMC and look at Administrator you will see it is a member of Domain Admins.
  16. #9
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2004
    Posts
    355
    Rep Power
    166
    Originally Posted by wanderer2
    If you go into the AD MMC and look at Administrator you will see it is a member of Domain Admins.
    I don't think anyone is denying an Administrator account exists on the domain or that it is a member of the Domain Admins group.

    The question is: would or could you, on a computer not belonging to that domain, get authenticated to a shared folder as that Domain Administrator, just because your local computer Administrator account has the same password as the domain Administrator account?
    And the answer is NO.
    A non-domain computer would not be responding with the correct user account info to satisfy a Domain login authentication challenge.

    The only sticky part here is that this computer used to belong to this domain. There may be some unusual cached ID info. Or the computer didn't get removed from the domain at all.
  18. #10
  19. 'fie' on me, allege-dly
    Devshed Supreme Being (6500+ posts)

    Join Date
    Mar 2003
    Location
    in da kitchen ...
    Posts
    12,890
    Rep Power
    6444
    Try it and see. If you wanted to connect, for example, a Windows 98 machine to an NT network, you'd open a share on the server/XP host and set the credentials on the 98 box to *BAD IDEA ALERT* the administrator */BAD IDEA ALERT* of the host machine. No credentials on the 98 box apart from that; network name might help. At least that's how I remember it ...
  20. #11
    Grumpier old Moderator
    Devshed Supreme Being (6500+ posts)

    Join Date
    Jun 2003
    Posts
    14,449
    Rep Power
    4539
    I use a local user account from non-domain workstations that matches my domain user account name and password, and have no problems using any network file resources from any domain machines. If you have a domain user 'Administrator', and a local user 'Administrator' on a non-domain computer, and the passwords match, domain file resources should be available to the non-domain admin user.

    Oh, the non-domain computer needs to be in a workgroup named the same as the domain name.

    I don't know about other than file resources, other programs may not authenticate without the domain name part of the username.
  22. #12
    Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Aug 2004
    Posts
    355
    Rep Power
    166
    I agree, Doug, and I also use a local user account from non-domain workstations that matches my domain user account name and password, and I too have no problems using any network file resources from any domain machines. But these are open file and folder resources. As soon as I try to access a non-public share I get prompted for a user name and password, as I would expect. As I stated in my original post to the OP, getting access to a public file or folder domain resource is not the same as being authenticated and being granted the access token for the "DOMAIN Admin account".
    You are logged in as a guest to an open or public file or folder resource.

    This is all moot anyway since the OP seems to no longer be participating in this thread.

    Try adding an account that doesn't match a domain account to your non-domain computer and see if you can access the same resources. You should be able to.
  24. #13
    Registered User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Dec 2012
    Posts
    1
    Rep Power
    0

    Domain name makes no difference


    Guys, I have been playing with this issue for a while. Here is the accurate description of the problem:
    When you try to access your domain servers/computers using a matching user name and password, domain name/membership makes no difference. It doesn't work only on domain controllers; all other servers/computers are fully accessible, despite the logical assumption that the user name requesting access should include the domain name as well. But in reality it doesn't.
    In other words:
    1) you have domain MYCOMPANY;
    2) you have server MYFILESERVER, which is a member of MYCOMPANY domain;
    3) MYFILESERVER has a local account ADMINISTRATOR with password "itadmin";
    4) you have Windows 7 computer MYPC without domain membership;
    5) MYPC has a local account ADMINISTRATOR with password "itadmin";
    6) From here on you can access ANY resource on MYFILESERVER with full access, simply because you have a matching user name and password. Technically Windows should let you in only if you are connecting as MYCOMPANY\ADMINISTRATOR or MYFILESERVER\ADMINISTRATOR, but in reality it allows you in with ADMINISTRATOR, MYPC\ADMINISTRATOR or ANYTHING\ADMINISTRATOR. And yes, administrative share \\MYFILESERVER\C$ is accessible this way with full control, because you are connected to that server as local admin!
    Apparently this is a security breach on Microsoft's end. Maybe this is why Microsoft keeps the local Administrator account disabled in Windows 7 by default.
  26. #14
  27. Lounge Troll
    Devshed Loyal (3000 - 3499 posts)

    Join Date
    Jun 2004
    Location
    Austin, TX
    Posts
    3,469
    Rep Power
    667
    Originally Posted by rome191
    Technically Windows should let you in only if you are connecting as MYCOMPANY\ADMINISTRATOR or MYFILESERVER\ADMINISTRATOR, but in reality it allows you in with ADMINISTRATOR, MYPC\ADMINISTRATOR or ANYTHING\ADMINISTRATOR.
    If you connect to a domain resource it is going to assume, when you put in administrator, that it is referring to the domain it's on, so it assumes <domainname>\administrator and not the local computer's administrator account.
    Codeinated
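
Which identity a member server actually granted to a connection, the question debated throughout this thread, can be read from the server's own logon events. The following is an added example, not code from any poster: it classifies constructed records that use the field names of Windows Security event 4624 (older systems such as Server 2003 use a different event schema), with the MYFILESERVER, MYPC and MYCOMPANY names taken from post #13; the SIDs, the DOMAINPC client and the host suffix are made up.

```python
# Added example, not from the thread. Records are constructed; keys follow the
# field names of Windows Security event 4624, SIDs and host suffix are made up.
BUILTIN_RIDS = {"500": "local-administrator", "501": "local-guest"}

def classify(ev):
    """Kind of identity a network logon was mapped to; None if not one."""
    if ev["EventID"] != 4624 or ev["LogonType"] != 3:  # 3 = network (SMB)
        return None
    server = ev["Computer"].split(".")[0].upper()
    # A local SAM account is logged with the server's own name as its domain.
    if ev["TargetDomainName"].upper() != server:
        return "domain-or-other"
    rid = ev["TargetUserSid"].rsplit("-", 1)[-1]
    return BUILTIN_RIDS.get(rid, "local-account")

def local_logons(events):
    """(server, account, kind, client) for logons validated by the local SAM."""
    rows = []
    for ev in events:
        kind = classify(ev)
        if kind and kind.startswith("local-"):
            rows.append((ev["Computer"], ev["TargetUserName"], kind,
                         ev["WorkstationName"]))
    return rows

def _ev(logon_type, user, domain, sid, client):
    return {"EventID": 4624, "Computer": "MYFILESERVER.mycompany.example",
            "LogonType": logon_type, "TargetUserName": user,
            "TargetDomainName": domain, "TargetUserSid": sid,
            "WorkstationName": client}

DOM = "S-1-5-21-1000000001-1000000002-1000000003"   # constructed domain SID
SRV = "S-1-5-21-2000000001-2000000002-2000000003"   # constructed machine SID
SAMPLE = [
    _ev(3, "Administrator", "MYCOMPANY", DOM + "-500", "DOMAINPC"),
    _ev(3, "Administrator", "MYFILESERVER", SRV + "-500", "MYPC"),
    _ev(3, "Guest", "MYFILESERVER", SRV + "-501", "MYPC"),
    _ev(2, "Administrator", "MYFILESERVER", SRV + "-500", "MYFILESERVER"),
]

if __name__ == "__main__":
    for row in local_logons(SAMPLE):
        print(row)
```

A row tagged `local-administrator` means the session ran as the server's own RID 500 account, while `local-guest` means the client was mapped to Guest on an open share.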
