Vulnerability Development mailing list archives

Re: WINS attack?


From: j.hall () F5 COM (John Hall)
Date: Fri, 11 Feb 2000 14:18:09 -0800


It's as easy as renaming your NT Workstation.  A couple years ago, I was
Network Manager at Siemens Medical Systems - Ultrasound Group in Issaquah,
WA.  Our entire NT domain was hijacked by a lab tech in Denmark who decided
to change the name of his NT Workstation to be the same as our PDC.  Siemens
has super-glued its cart firmly to Microsoft's ass and decreed that all
Siemens companies world-wide would link their WINS servers.  Well, guess
what?  There's a single namespace for ALL administratively connected WINS
servers and for some reason, our local WINS server decided that the lab
tech in Denmark deserved that name more than we did.  We were fully down
for about a day, until I convinced our NT admins to break the WINS link,
then we had to go through some nasty processes to clear out our local WINS
tables and caches (basically turn off every Windows box on the network at
once).  It was not pretty!

Siemens' short-term plan was to force a node naming scheme which guaranteed
globally unique eight-character node names (also, BTW, limiting each site
to 499 nodes, but that was an inconsequential detail, I was told!).  I'm
pretty sure they never implemented this plan world-wide.

This incident and the way our parent company handled it when they found
we had broken the link was one of the primary reasons I decided to find
a more clueful employer.

Bryce Walter wrote:

Has anybody looked at the possibility of stealing WINS registrations?
...
regards,
Bryce Walter

--
John Hall <j.hall () f5 com>                                     F5 Networks, Inc.
Senior Test Engineer                                          206-505-0800

Never eat anything bigger than your head.


