Enquiry on a special scenario.

[Guest]

Dear Sir/Madam,

I got an enquiry from my customer regarding security
setup. I am developing a system which accept single sign-
on. It means if the user can logon to the network and
have security level to touch different server. He/She can
use different systems, e.g. CRM, MIS .

The customer claims that there is a way to bypass the user
ID and password in the network in order to use all the
resource and systems in the network.

Someone can disconnect a PC physically from the network.
He/She created a domain and user ID in the PC, which same
as the domain and user ID in the network. Then, he/she
logon the domain and user ID in the PC. He/she can
connect the PC to the network again. Finally, he/she can
access all the resources in the network.

Best Regards,

Martin.

 

[Steven L Umbach]

A user can access resources on a domain network if they have a local user
account on a non domain computer that has the same logon/password as a
domain account, and of course connectivity to the network. However if ipsec
policies have been defined that "require" ipsec negotiation to a domain
resource, then their access will fail due to their computer not being able
to authenticate via kerberos. --- Steve

 

[Guest]

Dear Steven,

If the password in local domain is different from the domain one, can people be granted the access to the network resources ?

Best Regards,

Martin.

 

[Steven Umbach]

If the password is different and they do not know the password of the domain
account they will be denied access. --- Steve

Dear Steven,

If the password in local domain is different from the domain one, can people

be granted the access to the network resources ?