Pau Lo
asked on
Domain Passwords - Internal Only Risk?
A recent pen test showed some of our more powerful domain admin accounts had weak passwords, in that they were “joe” accounts, where basically username = password. This was quantified as an “internal only” risk, but is that true? Could a weak domain password be used outside the perimeter firewall to gain unauthorised access to our network? What about weak local passwords on web servers housed in the DMZ: can these be targeted also?
How can you tell if the risk is internal only? Would you need to run port scans on servers in the DMZ to see if they accept Windows authentication? What ports would we be looking for? What kind of web services may use domain credentials as authentication? Can you provide any examples from your orgs?
>>What about Citrix? Does that authenticate via domain credentials?
Yes, it uses domain credentials.
>>Webmail (such as Outlook Web Access) would be to a user though, wouldn't it?
Yes it would, but if they do have mailboxes, could they be used for authenticated spam?
>>or are domain admins typically able to access any mailbox?
Not by default, but there is no reason why this couldn't be configured.
ASKER
Thanks. Can you elaborate on "authenticated spam"?
I suppose one saving grace is they would also need usernames. Our corporate mailboxes follow the format:
forename.surname@company.com
whereas domain usernames are surnameinitialforenameinitial, so how can they (the malicious bad guy) find the usernames of domain accounts?
Well, by default Exchange doesn't allow spamming; however, any user that authenticates can send emails to any destination.
Therefore if you have a valid username and password (regardless of whether it is a domain admin) then you can send emails via your Exchange server. It doesn't even need to come from a valid recipient.
ASKER
>>Potentially, it depends how "strict" your firewall is
Are you saying some badly configured firewalls may have ports open whereby outsiders could try typical Windows authentication against web servers in a DMZ? What ports would be open for that type of access to be available to the outside, where they could use a weak local or domain password? I am sure on a SharePoint server I have seen a Windows-type authentication box pop up before.
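As an added example that is not part of this thread, one way to answer the "is the risk internal only?" question for HTTP services in the DMZ: collect the responses your own externally reachable hosts return to an unauthenticated request and triage their WWW-Authenticate challenges. NTLM/Negotiate hands the password straight to Windows authentication; Basic/Digest on an IIS or OWA front end usually fronts Active Directory too. The host names and responses below are constructed placeholders, not real systems.

```python
"""Triage HTTP 401 challenges captured from outside the perimeter to see
which DMZ endpoints accept Windows (domain or local) credentials.

Added example, not from the original thread. The responses are constructed
stand-ins for what a probe of your own DMZ hosts would return."""
import re

# Schemes that pass the password straight to Windows authentication.
WINDOWS_SCHEMES = {"NTLM", "NEGOTIATE"}
# Generic password schemes; on IIS/OWA these usually sit in front of Active
# Directory as well, so a weak domain password is still usable from outside.
PASSWORD_SCHEMES = {"BASIC", "DIGEST"}

def parse_challenges(raw_response):
    """Return the upper-cased scheme from every WWW-Authenticate header."""
    return [m.group(1).upper()
            for m in re.finditer(r"(?im)^WWW-Authenticate:\s*([A-Za-z]+)", raw_response)]

def exposure_kind(raw_response):
    """Classify one raw HTTP response: 'windows-auth', 'password-auth' or 'none'."""
    status = re.match(r"HTTP/\d\.\d\s+(\d{3})", raw_response)
    if not status or status.group(1) != "401":
        return "none"          # no credential prompt at all
    schemes = set(parse_challenges(raw_response))
    if schemes & WINDOWS_SCHEMES:
        return "windows-auth"
    if schemes & PASSWORD_SCHEMES:
        return "password-auth"
    return "none"

# Constructed sample responses (placeholder hosts, not real systems).
SAMPLES = {
    "sharepoint.dmz.example": "HTTP/1.1 401 Unauthorized\r\n"
                              "WWW-Authenticate: Negotiate\r\n"
                              "WWW-Authenticate: NTLM\r\n\r\n",
    "mail.dmz.example": "HTTP/1.1 401 Unauthorized\r\n"
                        "WWW-Authenticate: Basic realm=\"OWA\"\r\n\r\n",
    "www.dmz.example": "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>",
}

def domain_credential_surface(samples=SAMPLES):
    """Map host -> exposure kind, keeping only hosts that prompt for a password."""
    result = {}
    for host, raw in samples.items():
        kind = exposure_kind(raw)
        if kind != "none":
            result[host] = kind
    return result

if __name__ == "__main__":
    for host, kind in domain_credential_surface().items():
        print(f"{host}: {kind} (weak domain password usable from outside)")
```

Anything reported here is where the pen test finding stops being "internal only"; the fix is the same either way (reset the joe accounts and enforce a password policy), but these hosts decide how urgent it is.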
ASKER
How can domain passwords be targeted on phone lines? Could you clarify?
If you have a fax line directly connected to your server, or a secondary fax server on your network...
ASKER
How does the fax process work? I have not actually sent a fax in my life; I thought it was similar to making a cellphone call, just dial up a number. Where does the domain account come into it? Thanks
ASKER
What about Citrix? Does that authenticate via domain credentials? Webmail (such as Outlook Web Access) would be to a user though, wouldn't it? I suspect domain admins don't have mailboxes assigned to these accounts, or are domain admins typically able to access any mailbox?