Login info over unsecure connection


Moshe Rosenberg

If I access a share from another domain and I put in my Windows user name
and password, is that information encrypted over an otherwise unsecure
internet connection?

There is no VPN, IPsec, etc. Just default config on client and server.

Thanks!
 
If you are talking about another Windows 2000 domain via a LAN, your passwords are
never sent over the wire per se and a challenge/response is used to authenticate. The
data however may not be encrypted unless something like IPsec is used. If you mean an
internet website, then your password may not be encrypted if it is not an SSL
connection as evidenced by https in the address bar or the little padlock in the
lower right hand corner. Never use the same logon/password as you use to log on to
your computer or secure sites such as places where you bank or use a charge card if
in doubt. FTP sites are a particularly bad place to use a logon/password, as it may
very well be a clear text connection. -- Steve

http://www.microsoft.com/security/protect/
 
Does this still apply if I access the share via UNC path?

Moshe

Steven L Umbach said:
If you are talking about another Windows 2000 domain via a LAN, your passwords are
never sent over the wire per se and a challenge/response is used to authenticate. The
data however may not be encrypted unless something like IPsec is used. If you mean an
internet website, then your password may not be encrypted if it is not an SSL
connection as evidenced by https in the address bar or the little padlock in the
lower right hand corner. Never use the same logon/password as you use to log on to
your computer or secure sites such as places where you bank or use a charge card if
in doubt. FTP sites are a particularly bad place to use a logon/password, as it may
very well be a clear text connection. -- Steve

http://www.microsoft.com/security/protect/
 
If you are trying to use UNC to access a network share, the Windows
challenge/response password challenge is still used for authentication and data is
NOT encrypted. If you are using UNC to access a share over the internet, that is very
risky business unless you do not care that your data is seen in clear text and that
the server end would have file and print sharing open to the world unless a firewall
restricted traffic as to come only from a particular IP address. If the computer
offering the share is a W9X computer, then LM authentication is most likely being
used which is very weak and easy to crack by sniffing the password hash. It is
possible for client computers such as W2K to establish PPTP VPN sessions with another
W2K/XP Pro computer [one connection limit] or possibly even an IPsec tunnel [not
transport]. --- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;257333 --- similar for XP.
http://support.microsoft.com/default.aspx?scid=kb;en-us;252735

Moshe Rosenberg said:
Does this still apply if I access the share via UNC path?

Moshe
 
Steve, I'm transferring very confidential information from one server to another via Internet and FTP. How can I secure that information so that people on the different ends of my communication can read it and anybody else cannot?
 
I am not an expert on FTP/IIS - maybe someone else will post or you can try the
IIS security newsgroup for more specifics. What I do know is that you want to
transfer via secure connection, as FTP is not secure to move files and
passwords are transmitted in clear text if anonymous is not used. You will want
to use a VPN/IPsec tunnel, SSL, or such to transfer the files between your
servers. You will also have to configure your server to offer secure connection
to users via an SSL website or some secure FTP method. Then you will need to
authenticate users. You of course will not want to use anonymous access and will
most likely want to use integrated Windows authentication or possibly client
certificates. In addition, you will want to use a firewall and harden your
server making sure that something like Microsoft Baseline Security Analyzer and
IIS lockdown tool is run on your web/FTP server, that it is fully patched, and
complex administrator passwords are used, otherwise it will be much easier for a
hacker to compromise your server. Depending on the base of users that need to
access this information, something like an L2TP VPN connection may be a
possibility that would require the client computers to have machine certificates
as another security measure. The following link to Karl's FAQ will also be
helpful. --- Steve

http://securityadmin.info/faq.asp#iis --- FAQ
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/prodtech/iis/DEFAULT.asp
--- from TechNet

Bob said:
Steve, I'm transferring very confidential information from one server to
another via Internet and FTP. How can I secure that information so that people on
the different ends of my communication can read it and anybody else cannot?
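
An added example, not part of the original thread: a small audit of an FTP client's command log that flags the two exposures discussed above, a named-user password sent without TLS and file data sent over an unprotected data channel. It assumes the "secure ftp method" is explicit FTPS (AUTH TLS followed by PROT P, per RFC 4217) and that the log holds only client commands the server accepted; the function name and the sample sessions are constructed for illustration.

```python
# Constructed client-side command logs (not real captures).
PLAIN_SESSION = ["USER bob", "PASS example-password", "PASV", "STOR payroll.csv"]
ANON_SESSION = ["USER anonymous", "PASS guest@example.com", "PASV", "RETR readme.txt"]
TLS_NO_PROT = ["AUTH TLS", "USER bob", "PASS example-password", "PASV",
               "STOR payroll.csv"]
TLS_SESSION = ["AUTH TLS", "USER bob", "PASS example-password", "PBSZ 0",
               "PROT P", "PASV", "STOR payroll.csv"]

# Commands that move file contents or listings over the data channel.
DATA_CMDS = {"STOR", "STOU", "APPE", "RETR", "LIST", "NLST", "MLSD"}


def audit_ftp_session(commands):
    """Return a sorted list of findings for one client command log.

    Assumption: every command in the log was accepted by the server.
    """
    tls = False           # control channel wrapped in TLS after AUTH TLS/SSL
    prot_private = False  # data channel set to Private with PROT P
    user = None
    findings = set()
    for line in commands:
        verb, _, arg = line.strip().partition(" ")
        verb, arg_upper = verb.upper(), arg.strip().upper()
        if verb == "AUTH" and arg_upper in ("TLS", "TLS-C", "SSL"):
            tls = True
        elif verb == "PROT":
            # PROT P only protects data once the control channel is in TLS.
            prot_private = tls and arg_upper == "P"
        elif verb == "USER":
            user = arg.strip().lower()
        elif verb == "PASS" and not tls:
            if user in ("anonymous", "ftp"):
                findings.add("anonymous-login")
            else:
                findings.add("cleartext-password")
        elif verb in DATA_CMDS and not prot_private:
            # Default protection level is Clear, even after AUTH TLS.
            findings.add("cleartext-data")
    return sorted(findings)


if __name__ == "__main__":
    for name in ("PLAIN_SESSION", "ANON_SESSION", "TLS_NO_PROT", "TLS_SESSION"):
        print(name, audit_ftp_session(globals()[name]))
```

The third session shows why AUTH TLS alone is not enough for confidential files: the login is protected, but the transfer itself still crosses the network in clear text until PROT P is negotiated.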
 