
Security Hole in VPN 3.0x Client under W2K?

murriware
Level 1

I found the following with W2K and VPN client 3.01.

1) I get on internet through my ISP.

2) I connect to my internal network through PIX and/or VPN 3005 concentrator with VPN dialer.

3) I log on as (on Windows logon or after) an administrator and I get the appropriate rights.

4) I disconnect the VPN dialer.

5) I log on, through the VPN dialer, as a user and I maintain the previous administrator rights!!

6) Only if I reach the LSA logon mask do I reconnect correctly to the domain.

Now, IMHO, point 5 is a possible security hole because it gives me discretionary access control over my domain logon and not mandatory access control.

Furthermore, the Win9x client correctly presents me with the domain logon every time I use the VPN dialer logon, and why not the W2K client?

Am I correct?

Suggestions?

Bye

Maurizio

3 Replies

jason.jenkins
Level 1

I believe what you are seeing is a Microsoft feature with the way the SAM is created when you log on. Basically Windows 2000 will remember who you are until you log out of Windows, no matter how many times or how long you are disconnected from the network.

To fix what you are seeing, you would also have to go to the Start menu and log out there.

It's not an MS feature because if I want to re-logon to the domain with W2K I normally need to go to the LSA key combination (Ctrl-Alt-Del).

That's not the case with VPN client.

We need more information.

1) What are the keep-alive settings for a session on the concentrator?

2) Is Win2k installed with the default logon settings?

3) Do you have a GPO for Account Logon in effect?