Path: news.mitre.org!blanket.mitre.org!agate!awabi.library.ucla.edu!207.97.14.174!europa.clark.net!128.230.129.106!news.maxwell.syr.edu!ix.netcom.com!alan
From: george@my.home (George Lombardi)
Newsgroups: comp.security.misc
Subject: Re: pptp passes domain/userid in clear text?
Date: Sat, 01 Nov 1997 06:18:20 GMT
Organization: Netcom
Lines: 57
Message-ID: <63ehn4$elg@dfw-ixnews11.ix.netcom.com>
References: <01bce650$a029d700$74b281d0@mickey>
NNTP-Posting-Host: stp-fl4-01.ix.netcom.com
X-NETCOM-Date: Sat Nov 01 12:20:20 AM CST 1997
X-Newsreader: News Xpress 2.01

In article <01bce650$a029d700$74b281d0@mickey>, "Pam Helms" wrote:
>We have a pptp server installed on NT 4.0 and pptp clients are Win95 with
>dun1.2 and connection manager. We have server set up to require encrypted
>password. We set up a network sniffer on the public side and noticed the NT
>domain and userid passed in clear text.

That's not good. Is the password encrypted? If so, can you tell by examining
the packets which one contains the password? If yes, an experienced person can
use the encrypted password to "replay" the login and gain access.

>
>Do other corporations see this as a concern?

I sure hope so. Please keep in mind that security is usually an afterthought
and not very well understood by most. If you don't have experience with
security, don't assume it's set up properly. Just because you don't know how to
compromise your network security doesn't mean that it can't be compromised.

>
>Does anyone know of a way to prevent this - do we just have something
>configured wrong? I was somewhat surprised to see this as I thought the
>whole session would be encrypted in a tunnel, but then wondered about how
>the session would be established if this were the case.

There are ways of preventing this. Encryption, Authentication & Data Integrity
at the Network layer of the OSI model.

I'm not trying to sell it, but take a look at Fortress Technologies
http://www.fortresstech.com
They have some interesting technologies at work.

>
>Any suggestions or comments/concerns would be appreciated. I have posted
>this to this group mainly to get an opinion on the group's feelings about
>the risks of having the NT domain and userid in plain text on the Internet.

Nothing should be in plaintext. All that is needed by a router is the source
and destination IP. This is the only "true" information that needs to be
unmolested in a packet's header.

>
>Thanks,
>
>Pam Helms
>Dow Chemical U.S.A.
>pshelms@dow.com

My two cents:

An unfriendly or "untrusted" third party armed with the NT domain, userid &
password has essentially all the information needed to gain the same access as
a friendly or "trusted" user.

Just my opinion.

George
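The replay question raised in the reply above, as an added example that is not part of the original post: a login proof that is a fixed transform of the password is accepted again when a captured copy is resent, while a proof bound to a single-use server challenge is not. This is a generic model, not PPTP or its authentication protocol; the account, password and class names are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample account (not from the post).
USERS = {("CORP", "alice"): b"correct horse"}

def static_proof(password: bytes) -> bytes:
    """Fixed transform of the password: identical bytes on every login."""
    return hashlib.sha256(password).digest()

def fresh_proof(password: bytes, challenge: bytes) -> bytes:
    """Proof keyed on the server's one-time challenge: differs per login."""
    return hmac.new(password, challenge, hashlib.sha256).digest()

class StaticServer:
    """Hypothetical server that checks only the fixed proof."""
    def login(self, domain, user, proof):
        pw = USERS.get((domain, user))
        return pw is not None and hmac.compare_digest(proof, static_proof(pw))

class ChallengeServer:
    """Hypothetical server that issues a single-use random challenge."""
    def __init__(self):
        self._pending = {}

    def challenge(self, domain, user):
        c = secrets.token_bytes(16)
        self._pending[(domain, user)] = c
        return c

    def login(self, domain, user, proof):
        c = self._pending.pop((domain, user), None)  # consumed on first use
        pw = USERS.get((domain, user))
        if c is None or pw is None:
            return False
        return hmac.compare_digest(proof, fresh_proof(pw, c))

def demo():
    pw = USERS[("CORP", "alice")]
    # Static scheme: domain and userid travel in clear next to a fixed proof.
    s = StaticServer()
    seen_on_wire = ("CORP", "alice", static_proof(pw))
    static_first = s.login(*seen_on_wire)
    static_resent = s.login(*seen_on_wire)    # same bytes, accepted again
    # Challenge scheme: the proof is only valid for the challenge it answers.
    c = ChallengeServer()
    seen_on_wire = ("CORP", "alice", fresh_proof(pw, c.challenge("CORP", "alice")))
    fresh_first = c.login(*seen_on_wire)
    c.challenge("CORP", "alice")              # next session, new challenge
    fresh_resent = c.login(*seen_on_wire)     # old proof no longer matches
    return static_first, static_resent, fresh_first, fresh_resent
```

When reading a sniffer trace of a login, the thing to check is whether the proof bytes change between two sessions of the same user; identical bytes across sessions indicate the static case.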