Security - Global group

pravin
Aug 14, 2004
Archived from groups: microsoft.public.win2000.security

I created a global security group and added machine A into the group.
When I access machine B through machine A, machine B checks
whether machine A is in the global security group. If so, it gives some
permissions. This works fine.
But when I remove machine A from the global group, machine B somehow
thinks machine A is still in the global group and gives permissions to
the request.
Even after rebooting machine B, it does not help. Surprisingly, when I
reboot machine A, machine B can realize that machine A is no longer in
the global group and deny permissions.

I guess machine B checks the group SID in the token supplied by machine
A. Does it never get updated?
Is there any way to force this? Doesn't machine B query Active Directory at
all?

Thanks
Kumaradhas
 
Guest

The Kerberos service ticket is reissued when server A reboots - not server B. See
the link below on how Kerberos issues tickets to computers for access to domain
resources. --- Steve

http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx

"Pravin" <pravinkl@rediffmail.com> wrote in message
news:%23Nk2ZyrgEHA.2848@TK2MSFTNGP10.phx.gbl...
> I created a global security group and added machine A into the group.
> When I access machine B through machine A, machine B checks
> whether machine A is in the global security group. If so, it gives some
> permissions. This works fine.
> But when I remove machine A from the global group, machine B somehow
> thinks machine A is still in the global group and gives permissions to
> the request.
> Even after rebooting machine B, it does not help. Surprisingly, when I
> reboot machine A, machine B can realize that machine A is no longer in
> the global group and deny permissions.
>
> I guess machine B checks the group SID in the token supplied by machine
> A. Does it never get updated?
> Is there any way to force this? Doesn't machine B query Active Directory at
> all?
>
> Thanks
> Kumaradhas
 

pravin
Aug 14, 2004

Isn't it a security flaw that even though Server A is removed from the
global group, it is still not recognized by Server B?
It is surprising that the Kerberos service ticket is not updated to reflect
the current settings.

Is there at least any way to force the checking in Server B?

- Pravin

"Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
news:blMTc.157594$eM2.35698@attbi_s51...
> The Kerberos service ticket is reissued when server A reboots - not server B. See
> the link below on how Kerberos issues tickets to computers for access to domain
> resources. --- Steve
>
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx
>
> "Pravin" <pravinkl@rediffmail.com> wrote in message
> news:%23Nk2ZyrgEHA.2848@TK2MSFTNGP10.phx.gbl...
> > I created a global security group and added machine A into the group.
> > When I access machine B through machine A, machine B checks
> > whether machine A is in the global security group. If so, it gives some
> > permissions. This works fine.
> > But when I remove machine A from the global group, machine B somehow
> > thinks machine A is still in the global group and gives permissions to
> > the request.
> > Even after rebooting machine B, it does not help. Surprisingly, when I
> > reboot machine A, machine B can realize that machine A is no longer in
> > the global group and deny permissions.
> >
> > I guess machine B checks the group SID in the token supplied by machine
> > A. Does it never get updated?
> > Is there any way to force this? Doesn't machine B query Active Directory at
> > all?
> >
> > Thanks
> > Kumaradhas
 
Guest

I don't consider it a security flaw. It is highly unusual for someone to change group
memberships on a frequent basis, and if they are, they need to take a look at the
logic behind their configuration. I suppose extra checking could be implemented, but
at a performance cost. If you have special needs, you can configure the lifetime of
Kerberos tickets in Domain Security Policy to suit your special needs. --- Steve


"Pravin" <pravinkl@rediffmail.com> wrote in message
news:eq5O3i0gEHA.632@TK2MSFTNGP12.phx.gbl...
> Isn't it a security flaw that even though Server A is removed from the
> global group, it is still not recognized by Server B?
> It is surprising that the Kerberos service ticket is not updated to reflect
> the current settings.
>
> Is there at least any way to force the checking in Server B?
>
> - Pravin
>
> "Steven L Umbach" <n9rou@n0-spam-for-me-comcast.net> wrote in message
> news:blMTc.157594$eM2.35698@attbi_s51...
>> The Kerberos service ticket is reissued when server A reboots - not server B. See
>> the link below on how Kerberos issues tickets to computers for access to domain
>> resources. --- Steve
>>
>> http://www.microsoft.com/technet/prodtechnol/windows2000serv/maintain/security/kerberos.mspx
>>
>> "Pravin" <pravinkl@rediffmail.com> wrote in message
>> news:%23Nk2ZyrgEHA.2848@TK2MSFTNGP10.phx.gbl...
>> > I created a global security group and added machine A into the group.
>> > When I access machine B through machine A, machine B checks
>> > whether machine A is in the global security group. If so, it gives some
>> > permissions. This works fine.
>> > But when I remove machine A from the global group, machine B somehow
>> > thinks machine A is still in the global group and gives permissions to
>> > the request.
>> > Even after rebooting machine B, it does not help. Surprisingly, when I
>> > reboot machine A, machine B can realize that machine A is no longer in
>> > the global group and deny permissions.
>> >
>> > I guess machine B checks the group SID in the token supplied by machine
>> > A. Does it never get updated?
>> > Is there any way to force this? Doesn't machine B query Active Directory at
>> > all?
>> >
>> > Thanks
>> > Kumaradhas
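The behaviour Steve describes follows from where the group list actually lives. Machine A's ticket-granting ticket carries a PAC holding the group SIDs as they were when the KDC issued that TGT; the service ticket A presents to machine B is built from that PAC, and B constructs the access token from the ticket rather than asking a domain controller. Until A obtains a fresh TGT, which a reboot forces by emptying its ticket cache, the removal from the group is invisible to B, and the Kerberos policy lifetimes in Domain Security Policy set the upper bound on that window. The following PowerShell script is an added example, not code from the thread or from Microsoft: it reads those policy values out of the Default Domain Policy security template and shows the ticket-cache purge that achieves what the reboot of machine A did. It assumes a domain-joined host with read access to SYSVOL and klist.exe (built into Windows 7 / Server 2008 R2 and later; on Windows 2000 it was a resource-kit tool); the purge step must run as an administrator on the machine whose tickets are stale.

```powershell
# Added example (not from the thread). Assumes a domain-joined Windows host with
# klist.exe and read access to SYSVOL; run elevated for the purge step.

param(
    # DNS name of the AD domain; defaults to the domain of the current logon session.
    [string]$Domain = $env:USERDNSDOMAIN,
    # Actually purge this host's machine-account tickets (machine A in the thread).
    [switch]$PurgeMachineTickets
)

# Kerberos policy is stored in the Default Domain Policy GPO (well-known GUID)
# as an INI-style security template written by SecEdit (UTF-16 with BOM).
$gptTmpl = "\\$Domain\SYSVOL\$Domain\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}" +
           "\MACHINE\Microsoft\Windows NT\SecEdit\GptTmpl.inf"

# Units as SecEdit stores them, with what each value bounds in the thread's scenario.
$units = @{
    MaxTicketAge         = 'hours   (TGT lifetime: group SIDs are captured when the TGT is issued)'
    MaxServiceAge        = 'minutes (service ticket lifetime: the ticket machine B accepts)'
    MaxRenewAge          = 'days    (how long a TGT may keep being renewed)'
    MaxClockSkew         = 'minutes (tolerated clock difference)'
    TicketValidateClient = 'flag    (1 = enforce user logon restrictions at the KDC)'
}

function Get-KerberosPolicy {
    # Parse only the [Kerberos Policy] section of a GptTmpl.inf file into
    # an ordered name -> integer map.
    param([Parameter(Mandatory)][string]$Path)
    $policy = [ordered]@{}
    $inKerberos = $false
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\s*\[(.+?)\]\s*$') {
            $inKerberos = ($Matches[1] -eq 'Kerberos Policy')
            continue
        }
        if ($inKerberos -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $policy
}

$policy = Get-KerberosPolicy -Path $gptTmpl
if ($policy.Count -eq 0) {
    Write-Warning "No [Kerberos Policy] section found in $gptTmpl"
}
foreach ($key in $policy.Keys) {
    '{0,-22} {1,6}  {2}' -f $key, $policy[$key], $units[$key]
}

if ($PurgeMachineTickets) {
    # What rebooting machine A did in the thread: discard the computer account's
    # cached TGT and service tickets so the next access to machine B is made with
    # tickets built from current group membership. Logon session 0x3e7 is the
    # SYSTEM session, which holds the machine account's tickets.
    klist -li 0x3e7 purge
    klist -li 0x3e7 tickets
}
```

Run it without the switch on any domain member to see the lifetimes in force; run it with `-PurgeMachineTickets` on machine A (elevated) after changing A's group membership, and the next connection to machine B carries a ticket whose PAC reflects the change. Shortening MaxTicketAge or MaxServiceAge narrows the staleness window for every principal in the domain at the cost of more KDC traffic, which is the trade-off Steve points at; purging the cache on the specific machine is the targeted alternative.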
 
Guest

Hey, can anyone help me with network security?
 
Guest

Sure. Do you have a specific question? The links below are also good places to
start. --- Steve

http://www.microsoft.com/technet/security/default.mspx
http://www.microsoft.com/technet/security/prodtech/win2000/win2khg/default.mspx
http://www.infosec.uga.edu/windows.html

"mighty_kid" <anonymous@discussions.microsoft.com> wrote in message
news:746601c48440$9c7d0970$a501280a@phx.gbl...
> Hey, can anyone help me with network security?
>