Re: How to add an extra password field to an AD?



Herb Martin wrote:
> "Marc Haber" <mh+usenetspam200516@xxxxxxxxxxxx> wrote in message news:elk4vwzsHHA.1776@xxxxxxxxxxxxxxxxxxxxxxx
>> Hi,
>>
>> given a rather simple AD setup (one domain, no interrelationship), a service
>> run by an external service provider with next to no AD knowledge (that's
>> me), and the wish of the customer of having the service authenticate its
>> users against the AD to allow user management to happen using AD tools.
>>
>> The service should (and can) be written to do this by just checking the
>> user's SID against service permissions or secured "objects" created or
>> used by the service.

The service is not Windows related at all, therefore it is not desired to integrate with Windows more than absolutely necessary. The service does not even run on a Windows box.

>> For a variety of reasons, it is not desirable to have the service see the
>> credentials that the users use to authenticate for other AD services.
>
> That makes little sense, such credentials are not needed by the service IF
> the service uses a system object with security on that object -- the security
> subsystem will check credentials against the needed ACLs on the object.

But the service is going to see the user's AD password, and the user is likely to store the password used with the service on her client system, which is likely to compromise AD security.

>> Additionally, the service transmits passwords in the clear.
>
> Then it is badly designed and poorly integrated with Windows.

It is not integrated with Windows at all. That's a feature.

>> The service
>> does have an LDAP interface and can authenticate against an LDAP server.
>>
>> To me, a possible solution would be to have a dedicated password field in
>> the AD for a dedicated password that is only used for the service in
>> question,
>
> A poor design that doesn't integrate well with Windows security,

Not integrating with Windows security is a feature here.

> complicates the life of the users,

Yes, all security complicates life.

> adds to the security risk (since most users will try
> to use the SAME password or something similar),

This is better than _FORCING_ them to use the identical password that gives access to all AD resources.

Greetings
Marc
