
My Experiment

  • So I set up a simple network with two computers, both on the same workgroup.
  • I created a LOCAL user 'A' with password 'A' on Computer 1.
  • And then I created an identically named LOCAL user 'A' with the identical password 'A' on Computer 2.

My Observation

  • What I notice is that when I'm logged in as 'A' on Computer 2, I am allowed network access as 'A' on Computer 1, e.g. when browsing 'A' shared folders.

My Thoughts

  • This is ironic, as even though they are identical in name, they are actually two different LOCAL users on two different computers!
  • This to me can be a security hazard. What if, coincidentally, a person has the same username and password on Computer 2 and is thus incorrectly given access to Computer 1?

My Question:

  • What is this sharing of username and password called?
  • How come identical name and authentication between two Windows PCs on the same network works?
  • How do we enable/disable this sharing of identical LOCAL usernames and passwords between two computers?

I've also realized that this works during DCOM calls as well.

Thank you for any answers

user1034912
  • Repeat the experiment, and this time use different passwords on each computer. – Michael Hampton May 03 '13 at 05:20
  • I did that, it doesn't work – user1034912 May 06 '13 at 08:01
  • Crossposts: [1. @1:37](https://stackoverflow.com/posts/16350301/revisions), [2. @1:37](https://superuser.com/questions/590948/how-to-disable-setup-same-name-and-same-password-authentication-between-two-wind?noredirect=1&lq=1), [3. @2:00](https://superuser.com/questions/590864/how-to-disable-setup-same-name-and-same-password-authentication-between-two-wind), [4. @3:34](https://serverfault.com/questions/504662/how-come-identical-name-and-authentication-between-two-windows-pcs-on-same-netwo) – StackzOfZtuff Apr 18 '17 at 08:44

2 Answers


--- This is a really high-level summary overview, don't expect anything technical here ---

Let's get started:

What is this sharing of username and password called?

"By Design"... or more specifically, "pass-through authentication".

How come identical name and authentication between two Windows PCs on the same network works?

Because this is what it's designed to do. When Windows attempts to access a network resource, and the resource requires authentication, it sends through its current username and password. The receiving computer then authenticates this and returns success or failure. (This is really, really simplified, it doesn't actually broadcast your password but I'm going to KISS).

How do we enable/disable this sharing of identical LOCAL usernames and passwords between two computers?

Honestly, this isn't what you want. Mainly because the user will just then type their username and password into the credentials box, and then get the same access they would have had previously. Instead, you should be applying security on the shares/resources to ensure that only the people you want to have access have access.

Mark Henderson
  • Thanks, great answer. On a similar topic, would this still work if the two machines were on different domains? – user1034912 May 03 '13 at 04:33
  • @user1034912 - absolutely, if there is a trust between the two domains; because they both get their authentication info from the domain rather than their local user store. If there is no trust though, then no, it won't work. – Mark Henderson May 03 '13 at 04:55

After you log in, a Win box will take your password and store its LM and NT hashes in kernel memory, to have this SSO function on workgroups and NT4 domains. (On Active Directory domains, the Kerberos TGT obtained when you enter the password is stored as well.) User-space programs can't use these hashes directly, but they can ask the kernel to connect to an SMB server using the stored password/ticket, or to perform an NTLM challenge-response operation or Kerberos auth on behalf of the app/service for other protocols such as IMAP or HTTP. Also, Windows uses MD4 hashes for both local authentication and NTLM, but this is not important – it could as well keep the plain-text password in memory if it was needed. Hope this explains.

Danila Ladner
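
The NTLM challenge-response mentioned in the answers above, replayed for the question's two-computer experiment. This is an added example, not part of either answer and not Windows code: it follows the NTLMv2 proof computation from MS-NLMP in simplified form. The function names, the computer name `COMPUTER2` and the random `blob` (a stand-in for the real client blob) are assumptions.

```python
import hashlib, hmac, os, struct

def md4(msg: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); hashlib often lacks md4 under OpenSSL 3."""
    rol = lambda v, n: ((v << n) | (v >> (32 - n))) & 0xFFFFFFFF
    n = len(msg)
    msg += b"\x80" + b"\x00" * ((55 - n) % 64) + struct.pack("<Q", n * 8)
    r3 = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for i in range(48):
            j = i % 16
            if i < 16:    # round 1
                f, k, s, add = (b & c) | (~b & d), j, (3, 7, 11, 19), 0
            elif i < 32:  # round 2
                f, k, s, add = (b & c) | (b & d) | (c & d), j % 4 * 4 + j // 4, (3, 5, 9, 13), 0x5A827999
            else:         # round 3
                f, k, s, add = b ^ c ^ d, r3[j], (3, 9, 11, 15), 0x6ED9EBA1
            a, b, c, d = d, rol((a + f + x[k] + add) & 0xFFFFFFFF, s[i % 4]), b, c
        h = [(v + w) & 0xFFFFFFFF for v, w in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)

def nt_hash(password: str) -> bytes:
    # Unsalted: MD4 over the UTF-16LE password, so equal passwords on
    # two unrelated machines give the same stored hash.
    return md4(password.encode("utf-16-le"))

def ntlmv2_proof(nt: bytes, user: str, user_dom: str, challenge: bytes, blob: bytes) -> bytes:
    key = hmac.new(nt, (user.upper() + user_dom).encode("utf-16-le"), hashlib.md5).digest()
    return hmac.new(key, challenge + blob, hashlib.md5).digest()

def server_verify(sam: dict, user: str, user_dom: str, challenge: bytes, blob: bytes, proof: bytes) -> bool:
    nt = sam.get(user.upper())  # local account lookup by name only
    if nt is None:
        return False
    return hmac.compare_digest(ntlmv2_proof(nt, user, user_dom, challenge, blob), proof)

def experiment(password_on_pc2: str, password_on_pc1: str) -> bool:
    cached = nt_hash(password_on_pc2)          # kept by Computer 2 after logon
    sam_pc1 = {"A": nt_hash(password_on_pc1)}  # Computer 1's own local user 'A'
    challenge = os.urandom(8)                  # issued by Computer 1
    blob = os.urandom(16)                      # stand-in for the client blob (assumption)
    proof = ntlmv2_proof(cached, "A", "COMPUTER2", challenge, blob)
    return server_verify(sam_pc1, "A", "COMPUTER2", challenge, blob, proof)

if __name__ == "__main__":
    print(experiment("A", "A"), experiment("A", "B"))
```

The password never crosses the wire; Computer 1 accepts the proof only because its own stored hash for 'A' is byte-identical to the one Computer 2 cached, which is also why the different-password variant from the comments fails.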