Everhart,Glenn

From: Paul Leach [paulle@microsoft.com]
Sent: Monday, April 20, 1998 9:17 PM
To: ntsecurity@iss.net; LISTS@aik.tec.sc.us
Subject: Re: (Fwd) RE: [NTSEC] Anonymous logins

>> ----- Original Message -----
>> From: LISTS@aik.tec.sc.us [SMTP:LISTS@aik.tec.sc.us]
>
>> Same thing happened with me! I brought the Samba up and down several
>> times to verify. I posted a question to the VMS-Samba list about
>> how to stop this and was told that it can't happen. Posts here say
>> it can't happen. BUT IT DOES!!!

I think you may be confusing some of the different roles the PDC usually plays.

If you bring up an NT PDC when there is another machine that has registered as a PDC (using the domain name with a 16th character of hex "1b") then it will not attempt to be the PDC. At this point, there is no legit PDC, and this constitutes a DOS attack. I already said this, at the end of my "academic" discussion of secure channels with Russ.

If the rogue PDC starts second, and refuses to shut down when it sees an existing PDC, then it may be able (by actively foiling WINS's attempt to see if the name is still owned by a running machine) to register as the real PDC anyway. Again, a DOS attack.

However, this PDC will not be able to convince any other NT system to set up a secure channel with it, which is necessary for any security related PDC function. As has already been outlined.

It will be able to convince other computers that it is the Domain Master Browser, and provide bogus lists of server names. The browsing protocol (what fills the "Network Neighborhood" list) is not authenticated.

---------------------
Paul J. Leach
paulle@microsoft.com
Key ID: 0x978829DD
Fingerprint: 9EFA A405 39B4 F91F DE6F 8939 6FE9 F5D8
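
A defender can watch for the 16th-byte "1b" registration described in the message above. The following is an added example, not part of the original message: it decodes NBNS name-registration requests and flags any <1B> claim whose address is not the domain's known PDC. The packet builder, the `CORP` domain, the host names and the addresses are constructed sample input, and the fixed 68-byte layout (no scope ID) is an assumption.

```python
import socket, struct

DOMAIN_MASTER = 0x1B  # 16th name byte the PDC registers with, per the message above

def encode_name(name, suffix):
    """RFC 1001 first-level encoding: 15 padded bytes + suffix, two letters per byte."""
    raw = name.upper()[:15].ljust(15).encode("ascii") + bytes([suffix])
    return "".join(chr(0x41 + (b >> 4)) + chr(0x41 + (b & 0x0F)) for b in raw).encode()

def decode_name(enc):
    """Reverse the encoding; returns (name, suffix)."""
    raw = bytes(((enc[i] - 0x41) << 4) | (enc[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("latin-1").rstrip(), raw[15]

def build_registration(name, suffix, ip):
    """Constructed NBNS name-registration request (opcode 5); sample input only."""
    header = struct.pack(">HHHHHH", 0x1234, 0x2910, 1, 0, 0, 1)
    question = b"\x20" + encode_name(name, suffix) + b"\x00" + struct.pack(">HH", 0x20, 1)
    rr = b"\xc0\x0c" + struct.pack(">HHIHH", 0x20, 1, 300000, 6, 0) + socket.inet_aton(ip)
    return header + question + rr

def parse_registration(pkt):
    """Return (name, suffix, claimed_ip) for a registration request, else None."""
    if len(pkt) < 68 or pkt[12] != 0x20:
        return None
    flags, qdcount = struct.unpack(">HH", pkt[2:6])
    # Reject responses (top bit set) and anything that is not opcode 5 (registration).
    if flags & 0x8000 or (flags >> 11) & 0xF != 5 or qdcount != 1:
        return None
    if not all(0x41 <= c <= 0x50 for c in pkt[13:45]):
        return None  # not a validly encoded NetBIOS name
    name, suffix = decode_name(pkt[13:45])
    return name, suffix, socket.inet_ntoa(pkt[-4:])

def rogue_pdc_claims(packets, known_pdc):
    """Flag <1B> claims from any address other than the domain's known PDC.
    Domains missing from known_pdc are flagged as well."""
    parsed = filter(None, map(parse_registration, packets))
    return [(n, ip) for n, s, ip in parsed if s == DOMAIN_MASTER and known_pdc.get(n) != ip]

# Constructed sample traffic; the domain, host name and addresses are made up.
KNOWN_PDC = {"CORP": "10.0.0.5"}
SAMPLE = [
    build_registration("CORP", 0x1B, "10.0.0.5"),     # the expected PDC
    build_registration("WKSTA7", 0x20, "10.0.0.77"),  # ordinary server-service name
    build_registration("CORP", 0x1B, "10.0.0.99"),    # second claimant for CORP<1B>
]

if __name__ == "__main__":
    for domain, ip in rogue_pdc_claims(SAMPLE, KNOWN_PDC):
        print(f"unexpected <1B> registration for {domain} from {ip}")
```
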