Vulnerability Development mailing list archives

Re: NT 4.0 (Workstation) Logon Authentication Vulnerability

From: Phil.Cox () SYSTEMEXPERTS COM (Phil Cox)
Date: Tue, 14 Mar 2000 23:17:58 -0800

Problem:  I believe WinNT may cache user passwords.  This
allows a user to disconnect a terminal from the network and
login to the workstation locally without being
authenticated by the PDC or BDC.


Well known "feature"

Vulnerability:  A malicious user may disconnect a machine
from the network and add/remove software without being
audited by the PDC/BDC.  Also, a user who has been deleted
from the domain users list may still have access to a
machine which he/she had used in the past.


Yep, but they still only have whatever rights and permissions they had before.

FIX: Set the following registry value to 0.
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount

This will disable cached logons. If you do this for your mobile users, they will probably string you up, as they won't 
be able to logon if not connected to the domain ;(

Phil
--------------------------------------------
SystemExperts Corporation
Philip C. Cox, Consultant

+1 (888) 749-9800 (Corp HQ, toll free, USA only)
+1 (209) 830-0595 (main)
+1 (209) 830-0594 (fax)
http://www.SystemExperts.com/

Current thread:

Re: spoofing the ethernet address, (continued)
- Re: spoofing the ethernet address Buhrmaster, Gary (Mar 06)
- Re: spoofing the ethernet address Pauli Ojanpera (Mar 06)
  - Re: spoofing the ethernet address Ex Machina [xm] (Mar 07)
    - Re: spoofing the ethernet address Dimitrios Petropoulos x9234 Singer / 4 (Mar 08)
    - [Q] CORBA, IIOP Simon Tamás (Mar 08)
    - Unwanted automagic processing (Was: Re: [Q] CORBA, IIOP) Mikael Olsson (Mar 09)
    - Re: Unwanted automagic processing (Was: Re: [Q] CORBA, IIOP) Nicolas Justin (Mar 10)
    - Re: Unwanted automagic processing (Was: Re: [Q] CORBA, IIOP) Liviu Daia (Mar 10)
    - MS Frontpage shtml.dll Path Leak Vulnerability Greg (Mar 12)
    - NT 4.0 (Workstation) Logon Authentication Vulnerability jhw1970 () HOTMAIL COM (Mar 14)
    - Re: NT 4.0 (Workstation) Logon Authentication Vulnerability Phil Cox (Mar 14)
    - Re: NT 4.0 (Workstation) Logon Authentication Vulnerability Maxime Rousseau (Mar 15)
    - Re: MS Frontpage shtml.dll Path Leak Vulnerability Marc (Mar 14)
    - Re: Unwanted automagic processing (Was: Re: [Q] CORBA, IIOP) Simon Tamás (Mar 13)
    - (another) MS Outlook hole in embedded metafiles? Michael Wojcik (Mar 08)
    - Re: spoofing the ethernet address Pavel Kankovsky (Mar 09)
    - Extending the FTP "ALG" vulnerability to any FTP client Mikael Olsson (Mar 10)
    - DoS in ArGoSoft FTP Server, Version 1.04 (1.0.4.4) for win* Knud Erik Hřjgaard (Feb 11)
    - Re: Extending the FTP "ALG" vulnerability to any FTP client Dug Song (Mar 11)
    - Security auditing of network infrastructure Martin M Samson (Mar 11)
    - information being stored from cgi forms Bob Johnson (Mar 10)

(Thread continues...)