The strange case of Windows 'default credentials'
Windows has some odd quirks that have been around probably since the dawn of Windows 3.11, and which still exist (at least in part) today for backwards compatibility.
One of these has to do with connecting to remote file shares over SMB (CIFS).
When you try to connect to a share such as \\mycomputer\myshare, by default Windows will attempt to log in to that share using the same username/password combination you are currently logged in with.
This is rather convenient, because otherwise every time you connect you would be prompted, again and again, for your username and password.
But it is also a bit of a security problem. If I set up my own share on my own computer, send links to others, and those others click on those links, Windows will send my computer your username and password (though technically it sends me a value derived from your password, not your password itself). I can then use this information to work out what your password could be, using something like a rainbow table, and if your password is particularly weak I can recover your credentials quite fast.
Windows has attempted, in part, to fix this hole. A modern version of Windows will at least check that your machine is on the same network as the target machine before sending the automatic credentials (in the old days it did not do this).
This 'hole' also leads to some interesting situations, often used by sysadmins and programmers to access machines outside their own domain without having to type a password.
For example, suppose I have an account on the domain 'Contoso' called 'BRADDE' with the password 'PASSWORD', and I have a second, local account on a machine on that network called 'Northwind'. Suppose further that the machine 'Northwind', while on the same network, is not actually joined to the domain 'Contoso'. That machine also has a local account called 'BRADDE', also with the password 'PASSWORD'. Following me so far? If so, then you know it is a really bad idea to re-use passwords on different machines, never mind the fact that 'PASSWORD' is a horrible password to use.
My point is, when I am logged into any machine on the domain 'Contoso' with my 'BRADDE' account, it can automatically access ANY shares on the machine 'Northwind' to which my local 'BRADDE' account has access.
Again we see that this is a convenience, but at the expense of security, because the machine 'Northwind' is not a member of the domain and really should not be in a position to accept my Contoso domain password as grounds for access. For that matter, it could be a complete coincidence that the user 'BRADDE' is even the same person; they may just happen to have the same user id and have picked the same (really poor) password.
What allows this to happen is that when you log in you do not type your credentials in the format CONTOSO\BRADDE, you just type 'BRADDE'. If you do remember to put the domain name in front, or write it as BRADDE@CONTOSO, you will be appropriately denied access; but if you do not, and both machines have the same password, it will let you in automatically without re-prompting for your password.
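As an added, defender-side example (not part of the original post), the following PowerShell script audits the settings that govern whether a Windows client will silently hand its NTLM credentials to a remote share, and optionally tightens them. It assumes an elevated session on a current Windows client; the firewall rule name is my own choice.

```powershell
# Added example (not from the post): audit and harden a Windows client against
# automatic NTLM credential leakage to SMB shares on untrusted networks.
# Assumes an elevated PowerShell session on Windows 10/11 or Server 2016+.
# Run with -Harden to apply the changes; without it, the script only reports.
[CmdletBinding()]
param([switch]$Harden)

$lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lsaMsv   = "$lsa\MSV1_0"
$ruleName = 'Block outbound SMB to public networks (added example)'   # assumed name

# 1. Policy "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers"
#    0 = allow all, 1 = audit all, 2 = deny all (exceptions via ClientAllowedNTLMServers)
$restrict = (Get-ItemProperty -Path $lsaMsv -Name RestrictSendingNTLMTraffic `
             -ErrorAction SilentlyContinue).RestrictSendingNTLMTraffic
if ($null -eq $restrict) { $restrict = 0 }
$status = switch ($restrict) { 2 { 'deny' } 1 { 'audit' } default { 'allow (weak)' } }
Write-Output "Outgoing NTLM to remote servers: $status"

# 2. LmCompatibilityLevel: 5 = send NTLMv2 responses only, refuse LM and NTLMv1
$lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel `
            -ErrorAction SilentlyContinue).LmCompatibilityLevel
if ($null -eq $lmLevel) { $lmLevel = 'not set (OS default)' }
Write-Output "LmCompatibilityLevel: $lmLevel"

# 3. Firewall: is outbound TCP/445 blocked when the machine is on a Public network?
$rule = Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue
Write-Output ("Outbound SMB (TCP 445) blocked on Public profile: {0}" -f [bool]$rule)

if ($Harden) {
    # Start with audit (1) rather than deny (2): deny would also break logon to
    # legitimate workgroup shares such as the 'Northwind' case above. Review the
    # Microsoft-Windows-NTLM/Operational event log before moving to 2.
    Set-ItemProperty -Path $lsaMsv -Name RestrictSendingNTLMTraffic -Value 1 -Type DWord
    Set-ItemProperty -Path $lsa    -Name LmCompatibilityLevel       -Value 5 -Type DWord
    if (-not $rule) {
        New-NetFirewallRule -DisplayName $ruleName -Direction Outbound -Protocol TCP `
            -RemotePort 445 -Profile Public -Action Block | Out-Null
    }
    Write-Output 'Hardening applied; reboot for the LSA values to take effect.'
}
```

Domain-joined machines normally receive these values from Group Policy, so treat the script as a local check rather than a replacement for the central policy.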
Something to keep in mind the next time you connect to a CIFS network share!