Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Re: Re: SecurID with Active Directory ?
From: "Morning Wood" <se_cur_ity () hotmail com>
Date: Tue, 10 Jan 2006 23:17:34 -0800

[If, for instance, you really need to completely eliminate access via
passwords, you could use some programmatic method (i.e., Visual Basic) to
set your users' Windows passwords to very long, random passwords that
never expire. The password change would be captured on the DC and sent to
the ACE/Server. The long, random passwords would then be
provided with each authentication (and recovered when offline), but the

 I belive you are meaning a custom VB login.exe at every user station?

users will never know their Windows password.

unless of course they take to time to look in the custom vb login.exe
application,
where the user/pass is stored in clear text. This would also be a point of
attack
if the exe were ever to escape outside infrastructure controls. ( I bring
this up as
this exact vector was used successfully in a pentest, the exe asked for a
user/pass,
the application then allowed access to the ftp server and its credentials
were stored cleartext
in the exe. The developer belived he could hide the actual ftp process from
the end user so
they did not need to set up user accounts on the ftp server and using the
exe to validate
against an asp server, thus allowing the application to validate and run. )

although not quite the scenario you describe, i believe the implications
would be the same.
of course, I could be completely off base

MW
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]