Win2k Domain accts vs local computer accts

Discussion in 'other security issues & news' started by ThatGuy, Nov 12, 2003.

Thread Status:
Not open for further replies.
  1. ThatGuy

    ThatGuy Registered Member

    Joined:
    Nov 12, 2003
    Posts:
    2
    Hi all,

    Just stumbled upon something here at work that totally threw me for a loop. Brought this up to our head SysAdmin, and he told ME to figure it out... lol. I thought we had things on pretty good lockdown here until today. We have a domain here at work, let's just call it DOMAIN. All computers and users are joined to DOMAIN with specific passwords for each account.

    We have a few laptops here that our salesmen use here and away from the office. So they also have the option (when away from the office) to still log into the computer (but locally on the machine, not to DOMAIN.) For simplicity, we have them using the same password (hey they are in sales). :rolleyes:

    Long story short... sorry.
    I had a sales laptop here, plugged it into our network, logged in locally on the machine, not DOMAIN. I was still, however, able to access mapped drives on my Domain Controllers via UNC name\share.

    Isn't this the whole point of having a secured Win2k domain? Or is it just because of the passwords being the same as they log in locally instead of onto the domain?
    Any ideas how I can make them access the stuff on the domain ONLY when they are logged into the domain? There has to be something else instead of giving them a new local password?

    Thanks in advance for help.
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    It'd be easy enough to test your domain security... On one of those laptops running standalone, create a test user ID that does not exist on the domain. Shut it down, plug into the LAN, boot and log in to that local account on the laptop and see if you still get access to domain resources. You shouldn't be able to under these conditions.
     
  3. ThatGuy

    ThatGuy Registered Member

    Joined:
    Nov 12, 2003
    Posts:
    2
    Well, I think it is just due to the SID for the acct. It is checking that auth on the DC, and letting it pass by... There has to be something to tighten that up.

    For now I just made the laptops have 2 different profiles on startup.

    I have to keep looking! Thanks for the insight.

    ~
     