Store password using reversible encryption

skip

I have to have this checked on all user accounts, because
our firewall is a WatchGuard Firebox, and it can't
authenticate user accounts on the domain. Because of this
I have had to set up RADIUS in IAS and configure all
accounts for reversible encryption. My first question: is
this less secure? And when I look at the security logs
in Event Viewer on the DC, I get

Successful Network Logon:
User Name: BBBACKUP$
Domain: BBDOMAIN
Logon ID: (0x0,0x2AEEA)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:

What is this telling me?

Thanks
Skip
 
Herb Martin

skip said:
I have to have this checked on all user accounts, because
our firewall is a WatchGuard Firebox, and it can't
authenticate user accounts on the domain. Because of this
I have had to set up RADIUS in IAS and configure all
accounts for reversible encryption. My first question: is
this less secure?

Yes.

Something seems wrong. Presumably you are using CHAP or
even a weaker security method at the Firebox -- if the Firebox is
a PROPER RADIUS client then it should NOT CARE what
authentication protocol you use but should be able to pass this
through to the RADIUS Server (IAS) which should work out the
authentication DETAILS with the DCs.

A decent RADIUS client should support EAP or some standards-based
authentication -- perhaps a firmware or software upgrade? Or use a
Win2000+ VPN server instead.

and when I look at the security logs
in Event Viewer on the DC, I get ....
What is this telling me?

I believe you are looking at a machine named BBBackup
(the $ is the 'account' version of the computer name) logging
on successfully as does every machine that is a member of the
domain.

It's a "success" (good), it ends in a $ which makes it PROBABLY
a machine account, the base name is "BBBackup" which is consistent
with a Machine account OR a service account for some backup process.

The latter possibility might make more sense (service account) if you have
such a backup process running somewhere.

Oh, and it is likely coming from a Win2000, WinXP, or Win2003 machine
since it uses Kerberos (and not NTLM.)
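
An added example, not part of the original thread: a small Python parser that reads the event text quoted in the question and reports the points the reply draws from it (probable machine account from the trailing `$`, logon type 3 as a network logon, Kerberos as the authentication package). The function names and the logon-type table are this example's own; the type names follow Microsoft's documented logon types.

```python
# Logon types as documented by Microsoft for Windows logon events.
LOGON_TYPES = {
    2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
    7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
    10: "RemoteInteractive", 11: "CachedInteractive",
}

# The event text quoted in the question above.
SAMPLE_EVENT = """\
Successful Network Logon:
User Name: BBBACKUP$
Domain: BBDOMAIN
Logon ID: (0x0,0x2AEEA)
Logon Type: 3
Logon Process: Kerberos
Authentication Package: Kerberos
Workstation Name:
"""


def parse_event(text):
    """Split 'Field: value' lines into a dict; the first line is the title."""
    lines = [ln.strip() for ln in text.strip().splitlines() if ln.strip()]
    fields = {"Title": lines[0].rstrip(":")}
    for line in lines[1:]:
        key, _, value = line.partition(":")
        fields[key.strip()] = value.strip()
    return fields


def triage(fields):
    """Summarise the points the reply makes about the event."""
    user = fields.get("User Name", "")
    raw_type = fields.get("Logon Type", "")
    logon_type = int(raw_type) if raw_type.isdigit() else None
    package = fields.get("Authentication Package", "")
    return {
        "account": user,
        # A trailing '$' is the naming convention for computer accounts; it is
        # a strong hint, not proof, since other accounts can be named that way.
        "probable_machine_account": user.endswith("$"),
        "logon_type": LOGON_TYPES.get(logon_type, "Unknown"),
        "auth_package": package,
        "kerberos": package.lower() == "kerberos",
    }


if __name__ == "__main__":
    print(triage(parse_event(SAMPLE_EVENT)))
```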
 
