Just to clarify - My main point was to answer the question and give the
information that this DLL is purposely exposed and published to allow
for plain text password capture at a programming level. My
understanding is the password comes in encrypted and can be decrypted by
this method before being hashed. I only halfway hinted that MIIS or
another approach might be used.
I really appreciate the people who answered more fully that the
architecture should be looked into. I would also normally recommend AD
integration or RADIUS be used in place of writing your own
authentication protocol.
At the risk of entering a security debate, where and how securely you
store these replicated credentials is an issue. The bad guys always go
for the weakest link. Also at issue is that password synch is not
always 100% in replicated systems.
AD, RADIUS, screen scrape technologies, etc - there are probably better
ways to architect the solution. Maybe not, depending on the specifics,
but you should probably take a closer look at these (cheaper, simpler,
more secure) alternatives first...
Doug
Doug Brower
MCSD, MCNE, CLP, MCP
dougb@cdh.com
C/D/H
Technology Consultants
www.cdh.com
616-776-1600 Grand Rapids
248-351-2669 Detroit
616-490-8270 Mobile
-----Original Message-----
From: Manuel Fernandes [mailto:manuelf@mailblocks.com]
Sent: Wednesday, August 31, 2005 2:38 PM
To: farrenkm@ohsu.edu; focus-ms@securityfocus.com
Subject: Re: Active Directory password external use
What agent or daemon will capture this - is it part of an identity
management (IdM) system?
Yes, some IdM agents can capture the password in clearat the DC and
distribute it before it is encrypted.
Without getting specific to a product or technology, most mature
systems have provisions to interact with msgina.dll
-----Original Message-----
From: Matthew Farrenkopf <farrenkm@ohsu.edu>
To: focus-ms@securityfocus.com
Sent: Wed, 31 Aug 2005 08:21:47 -0700
Subject: Re: Active Directory password external use
"Rodrigo Blanco" <rodrigo.blanco.r@gmail.com>:
I am currently doing a project that requires using the Active
Directory users' password for other purposes other than just
workstation logon or share access.
What I would need to do is detect password change / reset events on
the domain, capture the new password and send it to another
application. This could be done with an agent or daemon running on the
DC machine.
The question is, when a users' password is changed / resetted, is it
possible to externally capture this event and make use of the password
before it is stored in a non-reversible format inside the active dir.?
What security implications would this have, and what security measures
would you propose for such an agent?
Seems like a lot of work for a small reward. We have several Web
applications
that authenticate directly against the domain controller. I've never
done it
before, but there's probably someone that has (and I am actively trying
to learn
how to do it).
Why not do that?
Matt
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
------------------------------------------------------------------------
---
--------------------------------------------------------
New Consultant: C/D/H is proud to welcome Jason Cooper to our Southfield
office!
He is a CNE, MCSE, CCNA, and CCEA certified consultant. He joins C/D/H with
over 10 years of experience.
---------------------------------------------------------------------------
---------------------------------------------------------------------------
