local account admin has access to other PCs if admin password is

Guest

I have observed the following behaviour: when I log on as the LOCAL
administrator to a Windows 2000 or XP Pro PC that is a member of my domain,
and the local administrator password is the same as the LOCAL administrator
password on a server in my domain, the local administrator account from the
workstation then has administrator access to the servers with the same LOCAL
administrator password. Is this normal, and is there a way to prevent this?

thanks
 
Steven L Umbach

That is normal and how workgroups are often set up with user accounts that
have the same credentials on all computers in the workgroup so that network
users can access other computers in the workgroup or any computer that has
the same user account/password in the local users. If you want to prevent it
do not use the same account name/password on more than one computer. ---
Steve
 
Guest

I can maybe understand this in a workgroup (even then it's a stretch),
but in a domain it seems unacceptable. I just tested this with a PC that is
not even a member of the domain and the result is the same. This implies
that if a guest comes to my office with his laptop, and I allow him to plug
in to my network, if he logs in to his laptop as administrator, and by pure
luck his password is the same as the local administrator account on any
resource in my network, he will have admin level access to those resources.
This doesn't seem like "trustworthy computing" to me??? Am I missing
something here?
 
Steven L Umbach

That is the way it works if there is a common authentication protocol
available. If you use and enforce complex passwords of at least seven
characters long in the domain there would be around a one in 7 to the 96th
power possibility that another user would have the same password. If you
do not want non-domain computers to even have that chance then you can do
what Microsoft does, which is use IPsec to protect domain resources. If a
domain computer has an IPsec require policy enabled on it then a non-domain
computer will not be able to access it because computer authentication will
fail when the security association is attempted by Kerberos. IPsec is a
somewhat complex topic that requires planning and testing but is explained well
in the IPsec domain isolation guide, even if you read just the appendixes.
One caveat is that domain controllers must be exempt from IPsec policies
that use IPsec traffic between domain computers and domain controllers for
the ports/protocols used in the authentication process by the domain
controllers. See the link below if interested in using IPsec. --- Steve

http://www.microsoft.com/technet/security/topics/architectureanddesign/ipsec/default.mspx
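The behaviour discussed in this thread (a network logon being validated against a server's local account database because the same local account name and password exist on the client) leaves a trace in the server's Security log. The script below is an added example, not code from the thread or from Microsoft: it scans constructed sample records in a simplified key=value rendering of the Vista-and-later logon event 4624 (on Windows 2000/XP the equivalent success event is 540 and the field layout differs) and flags successful network logons (LogonType 3) whose TargetDomainName is a computer name rather than the AD domain. The domain name CORP, the host names, IP addresses and the one-line event format are all assumptions made for the example.

```python
"""
Flag network logons that were authenticated against a machine's LOCAL
account database instead of the domain. Sample events below are
constructed for this example; a real deployment would feed exported
Security log records through parse_event() or replace it with a parser
for the export format in use.
"""
import re
from collections import Counter

# Assumption: NetBIOS name of the AD domain. Any other TargetDomainName on a
# type-3 logon means the account lived in a computer's local SAM.
AD_DOMAIN = "CORP"

# Pseudo-domains that appear on network logons but are not local user databases.
IGNORED_DOMAINS = {"NT AUTHORITY", "NT SERVICE", "WINDOW MANAGER", "-", ""}

# key=value pairs; values may contain spaces (e.g. "NT AUTHORITY"), so match
# lazily up to the next " key=" or end of line.
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    "EventID=4624 LogonType=3 TargetUserName=jsmith TargetDomainName=CORP WorkstationName=WS01 IpAddress=10.0.0.21 AuthenticationPackageName=Kerberos",
    "EventID=4624 LogonType=3 TargetUserName=Administrator TargetDomainName=FILESRV01 WorkstationName=LAPTOP-GUEST IpAddress=10.0.0.77 AuthenticationPackageName=NTLM",
    "EventID=4624 LogonType=2 TargetUserName=Administrator TargetDomainName=FILESRV01 WorkstationName=FILESRV01 IpAddress=- AuthenticationPackageName=Negotiate",
    "EventID=4624 LogonType=3 TargetUserName=svc_backup TargetDomainName=CORP WorkstationName=BACKUP01 IpAddress=10.0.0.5 AuthenticationPackageName=Kerberos",
    "EventID=4624 LogonType=3 TargetUserName=ANONYMOUS LOGON TargetDomainName=NT AUTHORITY WorkstationName=- IpAddress=10.0.0.9 AuthenticationPackageName=NTLM",
    "EventID=4625 LogonType=3 TargetUserName=Administrator TargetDomainName=FILESRV01 WorkstationName=LAPTOP-GUEST IpAddress=10.0.0.77 AuthenticationPackageName=NTLM",
]


def parse_event(line):
    """Turn one 'key=value key=value ...' line into a dict of string fields."""
    return dict(FIELD_RE.findall(line))


def is_local_account_network_logon(ev, ad_domain=AD_DOMAIN):
    """True for a successful NETWORK logon (type 3) that was validated against
    a computer's local SAM rather than the domain: exactly what happens when a
    client presents a local account name/password that also exists on the server.
    Interactive logons (type 2), domain accounts, computer accounts and the
    NT AUTHORITY pseudo-accounts are excluded."""
    if ev.get("EventID") != "4624" or ev.get("LogonType") != "3":
        return False
    domain = ev.get("TargetDomainName", "").upper()
    user = ev.get("TargetUserName", "").upper()
    if domain == ad_domain.upper() or domain in IGNORED_DOMAINS:
        return False
    if user.endswith("$") or user == "ANONYMOUS LOGON":
        return False
    return True


def find_local_account_network_logons(lines, ad_domain=AD_DOMAIN):
    """Parse each record and return only the local-account network logons."""
    return [ev for ev in map(parse_event, lines)
            if is_local_account_network_logon(ev, ad_domain)]


def summarize_sources(hits):
    """Count hits per (client workstation, client IP) so that an unmanaged
    machine such as a visitor's laptop stands out from the noise."""
    return Counter((ev.get("WorkstationName", "?"), ev.get("IpAddress", "?"))
                   for ev in hits)


if __name__ == "__main__":
    hits = find_local_account_network_logons(SAMPLE_EVENTS)
    for ev in hits:
        print(f"local account {ev['TargetDomainName']}\\{ev['TargetUserName']} "
              f"used over the network from {ev['WorkstationName']} "
              f"({ev['IpAddress']}) via {ev['AuthenticationPackageName']}")
    for (ws, ip), n in summarize_sources(hits).items():
        print(f"  {ws} {ip}: {n} logon(s)")
```

Run against the samples, only the NTLM logon of FILESRV01\Administrator from LAPTOP-GUEST is reported; the domain logons, the interactive console logon and the anonymous session are filtered out. The same filter applied to a server's real export is a cheap way to confirm whether anyone outside the domain is reaching a machine through a shared local password, which is the case the thread's advice (unique local passwords, or IPsec domain isolation) is meant to close.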
 
