Re: NT 4.0 (Workstation) Logon Authentication Vulnerability

[andrej () KTU EDU (andrej () KTU EDU)]

The Winnt caching username and password as well as user rights, thats mean,
the workstation store user registry and user rights and basically user is
being authenticated only once when he(she) login. So there are NO
authentications done while user is logged on. The different thing is if user
is deleted. in that case i recommend a domain admins to enable roaming
profiles and don't let users to login if roaming profile fails. This really
helps.

   Sincerely,

--Andrejus Stavickis (MCP, MCP+I, MCSE, MCSD, MCDBA)
KTU SC UESM
Studentu 48a-203
Kaunas, 3028
LITHUANIA
phone: +370 7 300633
Cellular phone: +370 87 15664
fax: +370 7 352995
ICQ: 2402709

> -----Original Message-----
> From: jhw1970 () HOTMAIL COM [mailto:jhw1970 () HOTMAIL COM]
> Sent: Tuesday, March 14, 2000 3:19 PM
> To: VULN-DEV () SECURITYFOCUS COM
> Subject: NT 4.0 (Workstation) Logon Authentication Vulnerability
>
>
> Scenario:  User logon to WinNT domain.
>
> Problem:  I believe WinNT may cache user passwords.  This
> allows a user to disconnect a terminal from the network and
> login to the workstation locally without being
> authenticated by the PDC or BDC.
>
> Vulnerability:  A malicious user may disconnect a machine
> from the network and add/remove software without being
> audited by the PDC/BDC.  Also, a user who has been deleted
> from the domain users list may still have access to a
> machine which he/she had used in the past.