('binary' encoding is not supported, stored as-is) Microsoft's IIS server allows for an integrated authentication method which allows users within an intranet environment to sign-on automatically with "pass-through authentication" to servers set for Integrated Windows Authentication. This works if users are logged into a workstation in the same domain with the intranet server they are accessing. In this system, the user's current logon credentials on their workstation are compared to the server-retrieved credentials for the user. If the hashes match and the user has rights to the directory, they are in without a password prompt. The following article provides additional details: http://msdn.microsoft.com/library/default.asp?url=/library/en- us/comsrv2k/htm/cs_gs_security_xmky.asp According to the Microsoft documentation, the only way for a user from another domain to be able to use this method is for the two domains to be trusted in some way. I happen to have a multiple Windows 2000 Active Directory forest situation, and I found a way to get user credentials from a completely untrusted domain into a site protected by this system. I have two separate Active Directory forests; one in an external network and one in an internal RFC1918 network. There are two different DNS domains (matching the AD domain names) for these networks, one public and one internal. Both forests have the same NetBIOS name. The NetBIOS domain name is used in the Integrated Windows Authentication method as the user ID prefix - <domain>\<user ID>. I placed a set of user credentials in both domains with matching ID (sAMAccountName) and password. I placed a test IIS Web server protected with Integrated Windows Authentication in the internal network domain. I configured an IE Web browser on a client in the external domain with the internal site as a trusted site. I was then able to access the entire internal site from the external, non- trusted workstation without a password prompt. Now, the chances of a real-world exploit coming from this are slim. I would still have to fully compromise a user and password and gain network access to the protected resource. However, once these were accomplished, I could spoof a given user very easily and make it look like I was from a trusted domain.
This archive was generated by hypermail 2b30 : Fri Apr 25 2003 - 14:11:10 PDT