Can access domain network resources while logged on as a local administrator on a workstation.

    Question

  • Please help me in figuring this one out.

    I have a Server 2003 R2 domain with a bunch of workstations and some servers having the same local admin password.

    I know it is not good practice, but that's an issue of its own.

    The issue is that when I log on as that local admin (WORKSTATION\Administrator) I can suddenly browse to ALL the hidden shares (c$, d$) of ALL the servers and workstations that have the same local admin password. If I change the password or disable that account the symptom goes away. I thought if I do try accessing hidden shares it should still ask me for credentials, after all these are local credentials on DIFFERENT machines. I checked to make sure that the credentials are not cached and as far as I can tell they are not. This really freaks me out.

    This is kind of a big deal because even if I change local passwords on servers, I'm not sure we will be setting up different local Administrator password for each workstation.

    My question is: Is this a normal/documented Windows behavior? If not, why is this happening? Can someone please explain how this is possible?




    • Edited by BSolver Friday, June 13, 2014 7:46 PM
    Friday, June 13, 2014 7:43 PM

Answers

  • Yes, this is the default behavior for workgroup machines - this is so-called pass-through authentication of the NTLM protocol. You can lock down the usage of NTLM with policies.

    I have accidentally just tested pass-through authentication as I am working on a solution that involves a bunch of servers that are not in a domain. Without this sort of authentication you could not do authentication easily against another machine in such an environment.

    Admin power is limited though: Even if the user in question is admin on both machines and you try to remotely reset a password in an admin cmd session (e.g. using pspasswd) it will fail because of UAC by default - unless you tweaked UAC or related registry keys.

    I tried to find some official documentation: In this book (hope it works - link to page via Google books) on Windows security pass-through is explicitly mentioned as the method used in a workgroup environment, this MS support article explains NTLM passthrough authn in a domain environment.

    I have seen some articles that say that NTLM is locked down by default on newer OS - but I can confirm it works if e.g. connecting from a W2K8 R2 server to a Windows 7 machine (both workgroup machines, no domain policies applied).

    Elke

    Friday, June 13, 2014 8:27 PM
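
Added example, not part of the original thread: one way to see the behaviour discussed above in logs is to look for network logons (type 3, NTLM) whose account domain is the target machine's own name, i.e. a local account used remotely, and to group them by source workstation and account. It assumes Security event 4624 in XML form (Windows Vista/Server 2008 and later); the sample events, host names and function names are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}

# Constructed sample data: trimmed 4624 events; host and domain names are made up.
TEMPLATE = (
    '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
    "<System><EventID>4624</EventID><Computer>{0}</Computer></System><EventData>"
    '<Data Name="TargetUserName">{1}</Data><Data Name="TargetDomainName">{2}</Data>'
    '<Data Name="LogonType">{3}</Data><Data Name="AuthenticationPackageName">{4}</Data>'
    '<Data Name="WorkstationName">{5}</Data></EventData></Event>'
)
SAMPLE = [TEMPLATE.format(*row) for row in [
    ("SRV01.corp.example", "Administrator", "SRV01", "3", "NTLM", "WKS07"),
    ("SRV02.corp.example", "Administrator", "SRV02", "3", "NTLM", "WKS07"),
    ("SRV01.corp.example", "jdoe", "CORP", "3", "Kerberos", "-"),
    ("WKS07.corp.example", "Administrator", "WKS07", "2", "Negotiate", "WKS07"),
]]


def parse_logon(xml_text):
    """Flatten one Security event (XML form) into a dict of its fields."""
    root = ET.fromstring(xml_text)
    rec = {d.get("Name"): d.text or "" for d in root.findall("e:EventData/e:Data", NS)}
    rec["EventID"] = root.findtext("e:System/e:EventID", "", NS)
    rec["Computer"] = root.findtext("e:System/e:Computer", "", NS).split(".")[0].upper()
    return rec


def is_local_account_network_logon(rec):
    """Network logon (type 3) over NTLM with an account from the target's own SAM."""
    return (rec["EventID"] == "4624"
            and rec.get("LogonType") == "3"
            and rec.get("AuthenticationPackageName", "").upper() == "NTLM"
            and rec.get("TargetDomainName", "").upper() == rec["Computer"])


def shared_local_account_use(xml_events):
    """Map (source workstation, account) to the targets it reached, if more than one."""
    hits = defaultdict(set)
    for rec in map(parse_logon, xml_events):
        if is_local_account_network_logon(rec):
            key = (rec.get("WorkstationName", "").upper(), rec.get("TargetUserName", "").lower())
            hits[key].add(rec["Computer"])
    return {k: sorted(v) for k, v in hits.items() if len(v) > 1}


if __name__ == "__main__":
    for (src, user), targets in shared_local_account_use(SAMPLE).items():
        print(f"{user} from {src} logged on with local accounts on: {', '.join(targets)}")
```

One account name reaching several machines from a single workstation this way is the signature of the shared local administrator password described in the question.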