I have a Server 2003 R2 domain with a bunch of workstations and some servers having the same local admin password.
I know it is not good practice, but that's an issue of it's own.
The issue is that when I log on as that local admin (WORKSTATION\Administrator) I can suddenly browse to ALL the hidden shares(c$, d$) of ALL the servers and workstations that have the same local admin password. If I change password or disable that account
the symptom goes away. I though if I do try accessing hidden shares it should still ask me for credentials, after all these are local credentials on DIFFERENT machines. I checked to make sure that the credentials are not cached and as far as I can tell
they are not. This really freaks me out.
This is kind of a big deal because even if I change local passwords on servers, I'm not sure we will be setting up different local Administrator password for each workstation.
My question is: Is this the a normal/documented Windows behavior? If not why is this happening? Can someone please explain how is this possible?
Yes, this is the default behavior for workgroup machines - this is so-called pass-through authentication of the NTLM protocol. You can lock down the usage of NTLM with policies.
I have accidentally just tested pass-through authentication as I am working on a solution that involves a bunch of servers that are not in a domain. Without this sort of authentication you could not do authentication easily against another machine in such
Admin power is limited though: Even if the user in question is admin on both machines and you try to remotely reset a password in an admin cmd session (e.g. using pspasswd) it will fail because of UAC per default - unless you tweaked UAC or related registry
I tried to find some official documentation: In
this book (hope it works - link to page via Google books) on Windows security pass-through is explicitly mentioned as the method used in a workgroup environment, this
MS support article explains NTLM passthrough authn in a domain environment.
I have seen some articles that say that NTLM is locked down per default on newer OS - but I can confirm if works if e.g. connecting from a W2K8 R2 server to a Windows 7 machine (both workgroup machines, no domain policies applied).
Microsoft is conducting an online survey to understand your opinion of the Technet Web site. If you choose to participate, the online survey will be presented to you when you leave the Technet Web site.