BugTraq
Back to list
|
Post reply
Microsoft IIS Integrated Authentication
Apr 25 2003 08:10PM
skybristol hotmail com
Microsoft's IIS server allows for an integrated authentication method
which allows users within an intranet environment to sign-on
automatically with "pass-through authentication" to servers set for
Integrated Windows Authentication. This works if users are logged into a
workstation in the same domain with the intranet server they are
accessing. In this system, the user's current logon credentials on their
workstation are compared to the server-retrieved credentials for the
user. If the hashes match and the user has rights to the directory, they
are in without a password prompt. The following article provides
additional details:
http://msdn.microsoft.com/library/default.asp?url=/library/en-
us/comsrv2k/htm/cs_gs_security_xmky.asp
According to the Microsoft documentation, the only way for a user from
another domain to be able to use this method is for the two domains to be
trusted in some way. I happen to have a multiple Windows 2000 Active
Directory forest situation, and I found a way to get user credentials
from a completely untrusted domain into a site protected by this system.
I have two separate Active Directory forests; one in an external network
and one in an internal RFC1918 network. There are two different DNS
domains (matching the AD domain names) for these networks, one public and
one internal. Both forests have the same NetBIOS name. The NetBIOS domain
name is used in the Integrated Windows Authentication method as the user
ID prefix - <domain>\<user ID>. I placed a set of user credentials in
both domains with matching ID (sAMAccountName) and password. I placed a
test IIS Web server protected with Integrated Windows Authentication in
the internal network domain. I configured an IE Web browser on a client
in the external domain with the internal site as a trusted site. I was
then able to access the entire internal site from the external, non-
trusted workstation without a password prompt.
Now, the chances of a real-world exploit coming from this are slim. I
would still have to fully compromise a user and password and gain network
access to the protected resource. However, once these were accomplished,
I could spoof a given user very easily and make it look like I was from a
trusted domain.
[ reply ]
Privacy Statement
Copyright 2010, SecurityFocus
Microsoft's IIS server allows for an integrated authentication method
which allows users within an intranet environment to sign-on
automatically with "pass-through authentication" to servers set for
Integrated Windows Authentication. This works if users are logged into a
workstation in the same domain with the intranet server they are
accessing. In this system, the user's current logon credentials on their
workstation are compared to the server-retrieved credentials for the
user. If the hashes match and the user has rights to the directory, they
are in without a password prompt. The following article provides
additional details:
http://msdn.microsoft.com/library/default.asp?url=/library/en-
us/comsrv2k/htm/cs_gs_security_xmky.asp
According to the Microsoft documentation, the only way for a user from
another domain to be able to use this method is for the two domains to be
trusted in some way. I happen to have a multiple Windows 2000 Active
Directory forest situation, and I found a way to get user credentials
from a completely untrusted domain into a site protected by this system.
I have two separate Active Directory forests; one in an external network
and one in an internal RFC1918 network. There are two different DNS
domains (matching the AD domain names) for these networks, one public and
one internal. Both forests have the same NetBIOS name. The NetBIOS domain
name is used in the Integrated Windows Authentication method as the user
ID prefix - <domain>\<user ID>. I placed a set of user credentials in
both domains with matching ID (sAMAccountName) and password. I placed a
test IIS Web server protected with Integrated Windows Authentication in
the internal network domain. I configured an IE Web browser on a client
in the external domain with the internal site as a trusted site. I was
then able to access the entire internal site from the external, non-
trusted workstation without a password prompt.
Now, the chances of a real-world exploit coming from this are slim. I
would still have to fully compromise a user and password and gain network
access to the protected resource. However, once these were accomplished,
I could spoof a given user very easily and make it look like I was from a
trusted domain.
[ reply ]