Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: Active Directory password external use

from [Kurt Dillard] Network Security [Permanent Link]
Subject: RE: Active Directory password external use
Date: Wed, 31 Aug 2005 10:51:56 -0700 
Microsoft Identity Integration Server can do this, the challenge &
solutions are discussed in depth here: 

Microsoft Identity and Access Management Series:
http://go.microsoft.com/fwlink/?LinkId=14841  

-----Original Message-----
From: Doug Brower [mailto:dougb@cdh.com] 
Sent: Wednesday, August 31, 2005 7:15 AM
To: Rodrigo Blanco; focus-ms@securityfocus.com
Subject: RE: Active Directory password external use

Rodrigo:

This functionality is actually exposed by Microsoft.  I am not an expert
in the programming hooks - I know of it by exposure to Novell's Identity
Manager product.  That product has an agent that (logically) needs to be
installed on each DC.  The agents communicate with the main conduit of
password information via secure channel.

So...  There shouldn't be much cloak and dagger work to write an agent,
as the hooks are published.  I'll let others comment on the security
implications.

If you are a Microsoft shop, you might want to check out MIIS, which
offers a frame work for doing just what you propose.  Even after
purchasing the product, it might save you some time.



Sincerely,

........................................... 
Doug Brower
MCSD, MCNE, CLP, MCP
dougb@cdh.com 

p 616-776-1600 Grand Rapids
p 248-351-2669 Detroit
c 616-490-8270



Doug Brower
MCSD, MCNE, CLP, MCP
dougb@cdh.com

C/D/H
Technology Consultants
www.cdh.com


616-776-1600 Grand Rapids
248-351-2669 Detroit
616-490-8270 Mobile

-----Original Message-----

From: Rodrigo Blanco [mailto:rodrigo.blanco.r@gmail.com]
Sent: Wednesday, August 31, 2005 2:27 AM
To: focus-ms@securityfocus.com
Subject: Active Directory password external use

Hello list,

I am currently doing a project that requires using the Active Directory
users' password for other purposes other than just workstation logon or
share access.

What I would need to do is detect password change / reset events on the
domain, capture the new password and send it to another application.
This could be done with an agent or daemon running on the DC machine.

The question is, when a users' password is changed / resetted, is it
possible to externally capture this event and make use of the password
before it is stored in a non-reversible format inside the active dir.?

What security implications would this have, and what security measures
would you propose for such an agent?

Thanks in advance for your help and best regards, Rodrigo.

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
--------------------------------------------------------
New Consultant: C/D/H is proud to welcome Jason Cooper to our Southfield
office! 
He is a CNE, MCSE, CCNA, and CCEA certified consultant. He joins C/D/H
with over 10 years of experience.

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: Group Policy: multiple password policies in the same domain?, Laura A. Robinson
Next by Date:  RE: Group Policy: multiple password policies in the same domain?, Kurt Dillard
Previous by Thread:  Re: Active Directory password external use, Manuel Fernandes
Next by Thread:  Group Policy: multiple password policies in the same domain?, Derick Anderson
Indexes:  [Date] [Thread] [Top] [All Lists]