Archived from groups: microsoft.public.platformsdk.security,microsoft.public.security,microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.dotnet.security
OK, I stand corrected (maybe).
I won't consider myself an expert in the LSA negotiations that take place
between a domain controller and a workstation. However, it was always my
understanding that the member computer had its own authentication method to
the domain controller which granted the computer access to the directory
objects, and then the user authenticated on top of that. I also made the
assumption that the computer authentication method established a secure
communication channel between the member computer and the domain server for
further RPC authentication communication.
In workgroup mode, the requests are still tunneled across the RPC
communications but do not have a pre-established communication channel,
therefore a public/public encryption method is used (isn't this the embedded
NT hash algorithm?).
While the authentication ticket is usually the only thing that is ever
encrypted in both of these scenarios and all other communication remains
un-encrypted in both environments, the authentication ticket between a
directory server and a member workstation I presume is more secure than the
authentication ticket between two workgroup computers.
This is all my presumption and speculation on the little bit of
understanding I have, and I did not mean for it to be perceived as absolute
expert opinion, especially in terms of proper terminology. I do challenge
any EXPERT to explain in detail the actuals pertaining to this particular
part of this thread.
The point to the requestor was that while domain membership has its advantages,
if Fast User Switching was that important to him, there would be a risk
involved, and the degree to which I was not absolutely certain.
Thanks,
"Paul Adare" <padare@newsguy.com> wrote in message
news:MPG.1d99b17acfee14f4989e8b@msnews.microsoft.com...
> In article <uZeLM0cvFHA.2568@TK2MSFTNGP10.phx.gbl>, in the
> microsoft.public.security news group, MCSEGURU <mcseguruhere@aol.com>
> says...
>
>> and therefore does not have the heightened security of a
>> computer certificate for Kerberos Authentication encryption, and without
>> that trust, will send usernames and more importantly passwords across the
>> network much more frequently,
>>
>
> Sorry "guru" but you've got some technical inaccuracies here. A domain
> environment does not automatically provide certificates for use with
> Kerberos authentication. That requires a public key infrastructure to be
> in place, and even then, certificates are only involved in the user, not
> computer logon process, and only if using a smart card for logon.
> Secondly, even in a pass-through authentication environment, passwords
> are _never_ sent across the wire.
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern
> computer geeks finds it impossible to detect a joke that is not clearly
> labeled as such."
> Ray Shea
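As an added illustration of Paul's point that the password is not put on the wire (example code written for this page, not from either poster): the NTLMv2 challenge-response from MS-NLMP, where the client sends an HMAC keyed by a hash derived from the NT hash of the password, and the domain controller verifies it from the stored NT hash alone. The user name, domain, server challenge and client blob are constructed values; the MD4 routine is included inline because OpenSSL 3 ships MD4 only in its legacy provider.

```python
import hashlib, hmac, struct

def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320); NTOWFv1 is MD4 over the UTF-16LE password."""
    M = 0xFFFFFFFF
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    rol = lambda v, s: ((v << s) | (v >> (32 - s))) & M
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    a, b, c, d = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        aa, bb, cc, dd = a, b, c, d
        for i in range(48):
            if i < 16:    # round 1
                f, k, s, t = F, i, (3, 7, 11, 19)[i % 4], 0
            elif i < 32:  # round 2
                j = i - 16
                f, k, s, t = G, (j % 4) * 4 + j // 4, (3, 5, 9, 13)[j % 4], 0x5A827999
            else:         # round 3
                order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
                f, k, s, t = H, order[i - 32], (3, 9, 11, 15)[i % 4], 0x6ED9EBA1
            a = rol((a + f(b, c, d) + X[k] + t) & M, s)
            a, b, c, d = d, a, b, c
        a, b, c, d = (a + aa) & M, (b + bb) & M, (c + cc) & M, (d + dd) & M
    return struct.pack("<4I", a, b, c, d)

def nt_hash(password: str) -> bytes:
    """NTOWFv1: what the DC stores instead of the password."""
    return md4(password.encode("utf-16-le"))

def ntowf_v2(nthash: bytes, user: str, domain: str) -> bytes:
    """NTOWFv2 = HMAC-MD5(NT hash, UTF16LE(UPPER(user) + domain))."""
    return hmac.new(nthash, (user.upper() + domain).encode("utf-16-le"), hashlib.md5).digest()

def client_response(password: str, user: str, domain: str, server_challenge: bytes, blob: bytes) -> bytes:
    """Client side: NtChallengeResponse = NTProofStr || blob. Only this leaves the client."""
    proof = hmac.new(ntowf_v2(nt_hash(password), user, domain), server_challenge + blob, hashlib.md5).digest()
    return proof + blob

def verify(stored_nthash: bytes, user: str, domain: str, server_challenge: bytes, response: bytes) -> bool:
    """DC side: recompute NTProofStr from the stored NT hash and compare in constant time."""
    proof, blob = response[:16], response[16:]
    expected = hmac.new(ntowf_v2(stored_nthash, user, domain), server_challenge + blob, hashlib.md5).digest()
    return hmac.compare_digest(proof, expected)

if __name__ == "__main__":
    chal, blob = bytes(range(8), ), b"\x01\x01" + b"\x00" * 6 + b"\x00" * 8 + b"\xaa" * 8   # constructed
    resp = client_response("password", "alice", "CORP", chal, blob)
    print("password bytes on the wire:", "password".encode("utf-16-le") in resp)   # False
    print("DC accepts:", verify(nt_hash("password"), "alice", "CORP", chal, resp))  # True
```

The verifier needs nothing but the stored NT hash, which is also why that hash has to be protected as carefully as the password it stands in for.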