Thanks guys for your replies!
> Since you're on NT 4, you're wasting your time.
I am not on NT 4; I thought about being on Linux with Samba as the
PDC. Don't know if this makes any difference, though. As far as I
have seen from your replies, the problem is not in the Windows version
but in the PDC/BDC replication occurring. Is this true? Windows 2000
does not use a PDC but Active Directory, right?
OK, so can I conclude from what you said that a PDC/BDC system is
inherently vulnerable to SAM stealing? Anyone who has a laptop which
can be plugged into the network like this can steal the SAM? Can
replication to a BDC be disabled?
I must also say that you haven't answered my question. You say:
> There can be only one PDC on a domain.
How can you prevent another computer from becoming a PDC? What makes
one computer a PDC? What makes the other workstations think this is
the "right" PDC? I haven't seen anything on the workstations that
configures the PDC they should consult - this is done by broadcasts,
yes? There is no way you can stop another computer from becoming the
PDC in that case.
Although, as you noted, you don't even need to become the PDC if you
can steal all the passwords...
The thing I am targeting is the following - if you can instruct the
workstations to access one PDC and the specific BDC(s), and instruct
the PDC not to replicate to anybody else except those BDCs, then we
don't need to care about this. Of course, different sorts of network
sniffers exist, so this is still a security issue, but if we have only
one PDC, then I think there are no more holes in this solution. It
would be centralized authentication, with one point of failure, but
also no point for a hacker to access.
> If you're worried about this, why not by a managed switch? Turn off
> the ports that are not in use, and enable port security on those that
> are. That way, if the switch detects an unknown MAC address, the port
> is turned off, and an alert will be sent to appropriate personnel.
> And yes, you should put the switch in a secure physical location.
Already have this kind of network. I am afraid to try the solution
that you are proposing since it seems like a bit of an administration
nightmare. The network that I have has ~100 computers. Nobody is
actively managing it (!!! - don't ask why... because I know it must be
- but it simply isn't), so this seems like a little too much overhead
for this situation. I have been thinking about this and I will think
again - in fact, even a network that is not actively administered can
be made safer by doing this.
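For reference, here is what the port-security setup described in the quoted reply looks like in practice. This is an added example, not configuration from anyone in the thread; it assumes Cisco IOS syntax (the thread names no switch vendor), and the interface numbers and the log-host address are placeholders to be replaced with the site's own values.

```text
! Unused ports: administratively shut down (placeholder port range)
interface range FastEthernet0/20 - 24
 shutdown
!
! In-use access port: learn exactly one MAC address and err-disable
! the port if any other address appears on it
interface FastEthernet0/1
 switchport mode access
 switchport port-security
 switchport port-security maximum 1
 switchport port-security mac-address sticky
 switchport port-security violation shutdown
!
! Forward the violation events to a log host and SNMP manager so that
! staff are alerted (192.0.2.10 is a documentation-range placeholder)
logging host 192.0.2.10
snmp-server enable traps port-security
```

With `sticky` the first MAC address seen on the port is written into the running configuration, so the config must be saved after each workstation is plugged in for the first time, and a port that has been shut down by a violation stays down until an administrator re-enables it. Port security keys on the MAC address, which is not a secret, so it should be treated as a deterrent and an alerting mechanism rather than as authentication; it does not replace tightening the domain controller configuration discussed above.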