[wpkg-users] security issues

Tomasz Chmielewski mangoo at wpkg.org
Tue Jun 5 14:48:10 CEST 2007


Brian May wrote:
>>>>>> "Tomasz" == Tomasz Chmielewski <mangoo at wpkg.org> writes:
> 
>     Tomasz> Well, perhaps it suffices if WPKG service is started as a
>     Tomasz> domain user, or WPKG path uses domain user credentials.
> 
>     Tomasz> Then, Windows should take care of all security issues for
>     Tomasz> us - no need to reinvent anything here, if the operating
>     Tomasz> system already does it?
> 
>     Tomasz> And Brian - what kind of tests did you really make?
> 
> Unfortunately not.
> 
> I set up a Samba server, not in a domain, and configured to map any bad
> password to the guest user, with the same name as a server that was in
> the domain.
> 
> The client computer was a domain member and logged into the domain.
> 
> I ensured that the genuine server was off-line, and from the client
> computer, I established a connection to the fraudulent server.
> 
> Windows did not offer any errors or warnings that the computer I was
> connecting to was fraudulent or that it was connecting as a guest user
> instead of the (expected) authenticated user.

Well, so it's your setup's fault - mapping bad users/passwords is not a 
recommended habit...

Would the same scenario work if you didn't map bad user/password to guest?


-- 
Tomasz Chmielewski
http://wpkg.org




wpkg-users mailing list
wpkg-users at lists.wpkg.org
http://lists.wpkg.org/mailman/listinfo/wpkg-users


