Sequrity issue: Domain accessible from workgroup-W2Kserver?? 1

[leploep]

Excuse me for this probably newbie question, but i have no clue how to search for this problem.

I've just installed a fresh W2K-advanced-server and did not move it into AD yet, so it's still in "workgroup" and clearly not logged in the domain.

To my utter surprise and horror i was able to navigate and open files on some machines in the AD using the local administrator account.
Even our Domain controller(W2K3) is among the accesible machines (including the home folders, normally only accesible by the user her/himself when logged in the domain)

Can someone put me in a direction how to close this GAPING security hole?

Thanks in advance for your wisdom

 

[pgaliardo]

Two things come to mind:
1) Did you add the local admin account of this new server to the domain admins group?
2)Is the local administrator name and password of the new server the same as the local admin name and password on the other servers -or is it the same name and password as the domain admin in you AD? If it is,it will be able to access resources on the rmeote servers without prompting for a password.

 

[leploep]

It looks like your second "thing" is dead on

The local admin account on the workgroup-machine uses the same login/pw as the local admin account on the accesible servers. I've just tried it with a different account and it has no access. Thanks a lot for easing my mind

 

[leploep]

And a little addition:

This is also a nice way to find out if you have local administrator accounts with a null password in your network

 

[ncotton]

Leploep, for this to happen, in regard to your checking local admin accounts, you have to have the correlated relation of users and passwords, so would have to test with all users.

Hope this Helps.

Neil J Cotton
njc Information Systems
Systems Consultant

 

[leploep]

Yes indeed, luckily i don't have that many servers.