Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Security Hole in VPN 3.0x Client under W2K?

I found the following with W2K and VPN client 3.01.

1) I get on internet through my ISP.

2) I connect to my internal network through PIX and/or VPN 3005 concentrator with VPN dialer.

3) I logon as (on Windows logon or after) an administrator and I get the appropriate rights.

4) I disconnect the VPN dialer.

5) I logon, through VPN dialer, as an user and I maintain the previous administrator rights!!

6) Only if I reach the LSA logon mask I reconnect correctly to the domain.

Now, IMHO, the point 5 is a possible sec hole because it lets me a discretionary access control on my domain logon and not a mandatory access control.

Furthermore, the Win9x client correctly presents me the domain logon everytime I use the VPN dialer logon and why not the W2K client?

Am I correct?

Suggestions?

Bye

Maurizio

3 REPLIES
New Member

Re: Security Hole in VPN 3.0x Client under W2K?

I beleive what you are seeing is a Microsoft feature with the way the SAM is created when you logon. Basically Windows 2000 will remember who you are until you logout of Windows, no matter how many times or how long you are disconnected from the network.

To fix what you are seeing, you wold also have to go to the Start menu and logout there.

New Member

Re: Security Hole in VPN 3.0x Client under W2K?

It's not a MS feature because if I want to re-logon to the domain with W2K I normally need to go to LSA key combination (Ctrl-Alt-Del).

That's not the case with VPN client.

New Member

Re: Security Hole in VPN 3.0x Client under W2K?

We need more information.

1) what is the keep alive settings for a session on the concentrator.

2) is win2k installed with the default logon settings.

3) do you have a GPO for Account Logon ineffect.

97
Views
0
Helpful
3
Replies