
In an LDAP environment that has no RADIUS or SSO policy whatsoever, I have been told by the corporate sysadmin that:

Machines that are not included in the domain can access resources (Samba) in the domain just by creating local users matching the LDAP info (username/password).

It looks to me like LDAP bypassing, and I wonder if that is true and, in case it is, isn't it a security risk?

  • I'm not a sysadmin and don't have that much knowledge of networking, but that sounds like a badly configured infrastructure to me. I can't access anything hidden from AD users when I use my exact same credentials but define a different domain. The local user should normally send his PC name as the domain, and that should be forbidden then. Also, why would I create a local user with matching credentials when I could just use the AD user? I already know them, so why not use that account? Otherwise I would need to retrieve that information first somehow. – Nico Apr 05 '18 at 11:48
  • @Nico Cannot use the real account, the machine is on a DMZ and policy says no machine in the DMZ is allowed to enter into the domain. What they are trying to do defeats their own security policy imho. – bradbury9 Apr 05 '18 at 11:52
  • Well, that's for sure. A DMZ is a risk zone and shouldn't have access to the domain, so far so good. And there still is a need for it to access domain resources? Sounds interesting and scary in terms of security... However, I would not see that to be possible in a correctly configured AD. But I hope somebody more professional in this field will let us know for sure. Also, just an article for the laughs: https://www.linkedin.com/pulse/active-directory-dmz-nuts-marcus-rivera – Nico Apr 05 '18 at 12:00

0 Answers