On Feb 15, 5:24 am, "dt" <dayt...@yahoo.com> wrote:
> Thank you for the reply!
>
> > I think you are thinking of a Master Browser role. There is no way
> > that machine can become a PDC, BDC or other member of a domain without
> > proper authentication.
>
> No, I was thinking about PDC. What I want is a way to be sure that
> nobody else will "fake" any user on my network and possibly do bad
> things - take their passwords, DoS or whatever else that is possible
> when one has the admin access to the PDC. I want to make sure that the
> machine I put in the PDC role is really the only machine that has this
> role and that no one can replace it with another machine that can
> become a PDC on my domain. What would happen if a power failure
> occurs, all machines go down, power comes back and all machines,
> together with the machine that tries to become the PDC, come up
> first? As far as I could read from the link you gave, the domain
> master browser would be set to that "hacker" computer, because it will
> be online the longest time. From the middle of the text behind the
> link you gave: "Beyond that the election is based on the computer that
> is running the longest, then alphabetic order by computer name." Is
> it the same situation with PDC? How is PDC determined? If this is the
> case, then any power or network failure is a potential security hole.
> I am interested in security, not in being able to browse. I need a way
> to disallow some users to do something, so if I cannot be sure that my
> server is PDC, then this is not possible (or am I wrong about
> that?)...
>
> > For more info about netbios browsing, browser wars, and prolly more
> > than you want to know on the subject:
>
> >http://www.comptechdoc.org/os/window...snfinding.html
>
> I couldn't find anything here about PDCs, do you have any other link
> that might answer the previous question?
>
> Thanks again!
There can be only one PDC on a domain. The only way to make a machine
a PDC, or BDC for that matter, is to utilize a method similar to what
Ray has described. Basically, you'd have to steal the logon
information for an administrative account that has the permissions to
join to the domain. Then the person would have to load Windows on the
machine while connected to the network, since the only time you can
make a machine a BDC is during setup. The machine will have to be
loaded as a BDC to the existing domain. After the machine is built
and properly a member of the domain, it would then have to be promoted
to PDC, which requires communication with the existing PDC. If the
existing PDC is not available, like in your power outage scenario, the
promotion will still take place. Conflicts will arise however when
the original PDC comes back online.
If you're worried about this, why not buy a managed switch? Turn off
the ports that are not in use, and enable port security on those that
are. That way, if the switch detects an unknown MAC address, the port
is turned off, and an alert will be sent to appropriate personnel.
And yes, you should put the switch in a secure physical location.
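A concrete version of the switch hardening suggested in the reply above, as an added example that is not part of the original thread. It assumes a Cisco IOS access switch (the reply names no vendor), that FastEthernet0/1-0/12 are the ports in use, that 0/13-0/24 are unused, and that 192.0.2.10 is a placeholder syslog/SNMP collector.

```cisco
! Added example, not from the thread: Cisco IOS port security for the
! advice above. Port ranges and the 192.0.2.10 collector are assumed.
!
! Unused ports: administratively shut, so a machine plugged in here
! never gets a link.
interface range FastEthernet0/13 - 24
 shutdown
!
! In-use ports: one learned ("sticky") MAC per port. A second, unknown
! MAC puts the port into err-disabled state instead of passing traffic.
interface range FastEthernet0/1 - 12
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Alerting: send the violation to a syslog host and as an SNMP trap.
logging host 192.0.2.10
snmp-server enable traps port-security
snmp-server host 192.0.2.10 version 2c COMMUNITY-PLACEHOLDER port-security
!
! Optional: bring err-disabled ports back automatically after 5 minutes.
! Leave these two lines out if the port should stay down until someone
! has looked at the alert.
errdisable recovery cause psecure-violation
errdisable recovery interval 300
```

Sticky addresses only survive a reboot once saved with `copy running-config startup-config`; `show port-security interface FastEthernet0/1` shows the learned address, the violation mode and the violation count for a port.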