Pau Lo

asked on

Domain Passwords - Internal Only Risk?

A recent pen test showed some of our more powerful domain admin accounts had weak passwords, in that they were “joe” accounts, where basically username = password. This was quantified as an “internal only” risk, but is that true? Could a weak domain password be used outside the perimeter firewall to gain unauthorised access to our Network? What about weak local passwords on web servers housed in the DMZ, can these be targeted also?

How can you tell if the risk is internal only? Would you need to run port scans on servers in the DMZ to see if they accept Windows authentication? What ports would we be looking for? What kind of web services may use domain credentials for authentication? Can you provide any examples from your orgs?
ASKER CERTIFIED SOLUTION
Glen Knight
Pau Lo

ASKER

Yup, it is a joke, but our current FM provider claims those were set up by the previous FM provider, and some of these have passwords that don't expire as well.

What about Citrix? Does that authenticate via domain credentials? Webmail (such as Outlook Web Access) would be tied to a user though, wouldn't it? I suspect domain admins don't have mailboxes assigned to these accounts, or are domain admins typically able to access any mailbox?
>>What about Citrix? Does that authenticate via domain credentials
Yes, it uses Domain Credentials.

>>Webmail (such as Outlook Web Access) would be tied to a user though, wouldn't it
Yes it would, but if they do have mailboxes could they be used for authenticated SPAM?

>>or are domain admins typically able to access any mailbox
Not by default, but there is no reason why this couldn't be configured?
Pau Lo

ASKER

Thanks. Can you elaborate on "authenticated SPAM"?

I suppose one saving grace is they would also need usernames; our corporate mailboxes follow the format:

forename.surname@company.com

whereas domain usernames are surname + forename initial, so how can they (the malicious bad guy) find the usernames of domain accounts?
Well, by default Exchange doesn't allow spamming; however, any user that authenticates can send emails to any destination.

Therefore if you have a valid username and password (regardless of whether it is domain admin) then you can send emails via your Exchange server. It doesn't even need to come from a valid recipient.
Pau Lo

ASKER

>>Potentially, it depends how "strict" your firewall is

Are you saying some badly configured firewalls may have ports open whereby outsiders could try typical Windows authentication against web servers in a DMZ? What ports would be open for such access to be available to the outside, where they could use a weak local or domain password? I am sure on a SharePoint server I have seen a Windows-type authentication box pop up before.
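The asker's two concrete questions (which externally open ports would let an outsider present domain credentials, and how to tell whether a DMZ web server such as the SharePoint front end is prompting for Windows authentication) can both be answered with an audit of your own perimeter. The following is an added example written for this page, not code from the thread or from any of the participants. It maps externally open ports to the Windows services that take domain credentials and reads the `WWW-Authenticate` challenge an IIS server returns to an unauthenticated request; `Negotiate`/`NTLM` there means Windows Integrated Authentication, i.e. domain credentials are being requested from whoever can reach the site. The port list and the IIS response are constructed sample data, and the function names are this example's own.

```python
"""Perimeter audit: can domain credentials be presented to this DMZ host from outside?

Added example (not from the thread). Given the ports seen open from the Internet
and the response a web server gives to an unauthenticated request, decide whether
the "internal only" label on a weak domain password still holds for that host.
"""
from http.client import HTTPConnection, HTTPSConnection

# Ports on which a domain-joined Windows host accepts domain credentials directly.
# Any of these reachable from the Internet means the password can be tried from outside.
WINDOWS_AUTH_PORTS = {
    88: "Kerberos",
    135: "MSRPC endpoint mapper",
    139: "NetBIOS session (SMB)",
    389: "LDAP",
    445: "SMB",
    636: "LDAPS",
    3389: "RDP",
    5985: "WinRM over HTTP",
    5986: "WinRM over HTTPS",
}

# HTTP challenge schemes that carry Windows domain credentials (Windows Integrated Auth).
WINDOWS_HTTP_SCHEMES = {"ntlm", "negotiate"}


def parse_www_authenticate(header_values):
    """Return the lower-cased set of schemes offered across WWW-Authenticate headers.

    IIS may send several headers, or one header listing several challenges separated
    by commas, e.g. 'Negotiate, NTLM, Basic realm="corp"'. Parameters such as
    realm="..." (which also split on commas) and base64 tokens are discarded.
    """
    schemes = set()
    for value in header_values:
        for challenge in value.split(","):
            challenge = challenge.strip()
            if not challenge:
                continue
            token = challenge.split()[0]
            if "=" in token:          # a parameter fragment (qop=..., nonce=...), not a scheme
                continue
            schemes.add(token.lower())
    return schemes


def classify_web_login(status, headers):
    """Classify the challenge in an unauthenticated response (status, [(name, value), ...]).

    windows_integrated: Negotiate/NTLM offered, so domain credentials are requested.
    password_prompt: any 401 challenge at all; Basic or Digest on an AD-backed app
    (e.g. OWA) also takes domain credentials, but that cannot be read from headers alone.
    """
    values = [v for (k, v) in headers if k.lower() == "www-authenticate"]
    schemes = parse_www_authenticate(values) if status == 401 else set()
    return {
        "schemes": sorted(schemes),
        "windows_integrated": bool(schemes & WINDOWS_HTTP_SCHEMES),
        "password_prompt": bool(schemes),
    }


def exposed_windows_auth_ports(open_ports):
    """Map externally open ports to the Windows services that accept domain credentials."""
    return {p: WINDOWS_AUTH_PORTS[p] for p in sorted(open_ports) if p in WINDOWS_AUTH_PORTS}


def audit(open_ports, status, headers):
    """Conservative verdict: the risk is 'internal only' for this host only if no
    Windows-auth port is reachable and the web tier issues no password challenge."""
    ports = exposed_windows_auth_ports(open_ports)
    web = classify_web_login(status, headers)
    return {
        "windows_auth_ports": ports,
        "web_auth_schemes": web["schemes"],
        "windows_integrated_web": web["windows_integrated"],
        "internal_only": not ports and not web["password_prompt"],
    }


def probe_http_auth(host, port=443, path="/", use_tls=True, timeout=5.0):
    """Live check against a host you administer (not exercised by the offline sample):
    request `path` without credentials and classify the challenge that comes back."""
    conn_cls = HTTPSConnection if use_tls else HTTPConnection
    conn = conn_cls(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"User-Agent": "perimeter-auth-audit"})
        resp = conn.getresponse()
        return classify_web_login(resp.status, resp.getheaders())
    finally:
        conn.close()


# Constructed sample: an external scan plus one unauthenticated HTTP request against a
# DMZ SharePoint front end with Windows Integrated Authentication enabled.
SAMPLE_OPEN_PORTS = [80, 443, 445, 3389]
SAMPLE_RESPONSE = (
    401,
    [
        ("Server", "Microsoft-IIS/7.5"),
        ("WWW-Authenticate", "Negotiate"),
        ("WWW-Authenticate", "NTLM"),
        ("X-Powered-By", "ASP.NET"),
    ],
)

if __name__ == "__main__":
    print(audit(SAMPLE_OPEN_PORTS, *SAMPLE_RESPONSE))
```

Run against the constructed sample, `internal_only` comes out `False` twice over: SMB and RDP are reachable, and the site itself asks for Negotiate/NTLM. A weak domain admin password on that host is then an Internet-facing risk, not an internal one, whatever the pen test report labelled it. The port half of the check only needs the scan output you already have; the web half is one GET per site.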
SOLUTION
SOLUTION
Pau Lo

ASKER

How can domain passwords be targeted over phone lines? Could you clarify?
If you have a fax line directly connected to your server, or a secondary fax server on your network...
Pau Lo

ASKER

How does the fax process work? I have not actually sent a fax in my life. I thought it was similar to making a cellphone call, you just dial a number; where does the domain account come into it? Thanks