Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Active Directory password external use

from [Doug Brower] Network Security [Permanent Link]
Subject: RE: Active Directory password external use
Date: Wed, 31 Aug 2005 10:14:55 -0400 
Rodrigo:

This functionality is actually exposed by Microsoft.  I am not an expert
in the programming hooks - I know of it by exposure to Novell's Identity
Manager product.  That product has an agent that (logically) needs to be
installed on each DC.  The agents communicate with the main conduit of
password information via secure channel.

So...  There shouldn't be much cloak and dagger work to write an agent,
as the hooks are published.  I'll let others comment on the security
implications.

If you are a Microsoft shop, you might want to check out MIIS, which
offers a frame work for doing just what you propose.  Even after
purchasing the product, it might save you some time.



Sincerely,

........................................... 
Doug Brower 
MCSD, MCNE, CLP, MCP 
dougb@cdh.com 

p 616-776-1600 Grand Rapids
p 248-351-2669 Detroit
c 616-490-8270



Doug Brower
MCSD, MCNE, CLP, MCP
dougb@cdh.com

C/D/H
Technology Consultants
www.cdh.com


616-776-1600 Grand Rapids
248-351-2669 Detroit
616-490-8270 Mobile

-----Original Message-----

From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com] 
Sent: Wednesday, August 31, 2005 2:27 AM
To: focus-ms@securityfocus.com
Subject: Active Directory password external use

Hello list,

I am currently doing a project that requires using the Active
Directory users' password for other purposes other than just
workstation logon or share access.

What I would need to do is detect password change / reset events on
the domain, capture the new password and send it to another
application. This could be done with an agent or daemon running on the
DC machine.

The question is, when a users' password is changed / resetted, is it
possible to externally capture this event and make use of the password
before it is stored in a non-reversible format inside the active dir.?

What security implications would this have, and what security measures
would you propose for such an agent?

Thanks in advance for your help and best regards,
Rodrigo.

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
--------------------------------------------------------
New Consultant: C/D/H is proud to welcome Jason Cooper to our Southfield 
office! 
He is a CNE, MCSE, CCNA, and CCEA certified consultant. He joins C/D/H with 
over 10 years of experience.

---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: RE: IEEE 802.1x & dynamic vlan assignment, Nikolai Belstein
Next by Date:  RE: Group Policy: multiple password policies in the same domain?, Depp, Dennis M.
Previous by Thread:  Active Directory password external use, Rodrigo Blanco
Next by Thread:  RE: Active Directory password external use, Fredericks, Michael
Indexes:  [Date] [Thread] [Top] [All Lists]