Can i run more then one session on the computer?

[Guest]

Archived from groups: microsoft.public.platformsdk.security,microsoft.public.security,microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.dotnet.security (More info?)

Multiple sessions is pretty feature of XP. In domain environment its not
working by default. How can i use this feature in domain environment? May be
Vista can help me?

 

[Guest]

Archived from groups: microsoft.public.platformsdk.security,microsoft.public.security,microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.dotnet.security (More info?)

You can't. By default, Fast User Switching is administratively disabled by
the OS when you join a domain. MS will not allow this service to run when
in "Domain" mode. The theory is that network connections may be able to be
shared across the different users, using the computer, and this weakens the
client/server security.

However, you can do what I do. Leave your computer's in workgroup mode,
just as long as their workgroup is the exact same name as the domain you
would be joining them to. Ensure all the local passwords on the PC's match
the passwords on the Domain Server, and it works wonderfully. Now I
wouldn't take this solution to the bank just yet. There are risks
associated with this solution. The security between client and server is
weakened with this solution, as the client computer is no longer an Active
Directory object, and therefore does not have the hightened security of a
computer certificate for Kerberos Authentication encryption, and without
that trust, will send usernames and more importantly passwords across the
network much more frequently, however you are never prompted, and if on the
wire security is not a huge issue for you, I would think you could accept
these risks and implement the solution. I myself accept the risk, cause I
don't see how anyone's going to sniff me out. I'd have to let them in the
door first, ya know. The old pysical security vs. data security argument.

As far as the shared network access thing why the service is disabled win
Domain mode, I myself have not seen the network connections security
contexts to be a problem, when my wife uses my computer, she definately
doesn't have access to my porn, I've tried, so maybe MS has another reason
for disabling it. I really don't know.



"Shurick" <Shurick@discussions.microsoft.com> wrote in message
news:E74C501D-4D6D-451A-867D-0C1DE8030EC9@microsoft.com...
> Multiple sessions is pretty feature of XP. In domain environment its not
> working by default. How can i use this feature in domain environment? May
> be
> Vista can help me?

 

[Guest]

Archived from groups: microsoft.public.platformsdk.security,microsoft.public.security,microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.dotnet.security (More info?)

In article <uZeLM0cvFHA.2568@TK2MSFTNGP10.phx.gbl>, in the
microsoft.public.security news group, MCSEGURU <mcseguruhere@aol.com>
says...

> and therefore does not have the hightened security of a
> computer certificate for Kerberos Authentication encryption, and without
> that trust, will send usernames and more importantly passwords across the
> network much more frequently,
>

Sorry "guru" but you've got some technical inaccuracies here. A domain
environment does not automatically provide certificates for use with
Kerberos authentication. That requires a public key infrastructure to be
in place, and even then, certificates are only involved in the user, not
computer logon process, and only if using a smart card for logon.
Secondly, even in a pass-through authentication environment, passwords
are _never_ sent across the wire.

--
Paul Adare
MVP - Windows - Virtual Machine
http://www.identit.ca/blogs/paul/
"The English language, complete with irony, satire, and sarcasm, has
survived for centuries without smileys. Only the new crop of modern
computer geeks finds it impossible to detect a joke that is not clearly
labeled as such."
Ray Shea

 

[Guest]

Archived from groups: microsoft.public.platformsdk.security,microsoft.public.security,microsoft.public.windowsxp.general,microsoft.public.windowsxp.security_admin,microsoft.public.dotnet.security (More info?)

OK, I stand corrected (maybe).
I won't consider myself an expert in the LSA negotiations that take place
between a domain controller and a workstation. However, it was always my
understanding that the member computer had it's own authentication method to
the domain controller which granted the computer access to the directory
objects, and then the user authenticated on top of that. I also made the
assumption that the computer authentication method established a secure
communication channel between the member computer and the domain server for
further RPC authentication communication.

I workgroup mode, the requests are still tunneled across of the RPC
communications but do not have a pre-established communication channel,
therefore a public/public encryption method is used (isn't this the embedded
nt hash algorithm?).

While the authentication ticket is usually the only thing that is ever
encrypted in both of these scenarios and all other communication remains
un-encrypted in both environments, the authentication ticket between a
directory server and a member workstation I presume is more secure than the
authentication ticket between two workgroup computers.

This is all my presumption and speculation on the little bit of
understanding I have, and did not mean for it to be percieved as absolute
expert opinion, especially in terms of proper terminology. I do challange
any EXPERT to explain in detail the actuals pertaining to this particular
part of this thread.

Point to the requestor was that While domain membership has it's advantages,
if Fast User Switching was that important to him, there would be a risk
involved, and the degree to which I was not absolutely certain.

Thanks,


"Paul Adare" <padare@newsguy.com> wrote in message
news:MPG.1d99b17acfee14f4989e8b@msnews.microsoft.com...
> In article <uZeLM0cvFHA.2568@TK2MSFTNGP10.phx.gbl>, in the
> microsoft.public.security news group, MCSEGURU <mcseguruhere@aol.com>
> says...
>
>> and therefore does not have the hightened security of a
>> computer certificate for Kerberos Authentication encryption, and without
>> that trust, will send usernames and more importantly passwords across the
>> network much more frequently,
>>
>
> Sorry "guru" but you've got some technical inaccuracies here. A domain
> environment does not automatically provide certificates for use with
> Kerberos authentication. That requires a public key infrastructure to be
> in place, and even then, certificates are only involved in the user, not
> computer logon process, and only if using a smart card for logon.
> Secondly, even in a pass-through authentication environment, passwords
> are _never_ sent across the wire.
>
> --
> Paul Adare
> MVP - Windows - Virtual Machine
> http://www.identit.ca/blogs/paul/
> "The English language, complete with irony, satire, and sarcasm, has
> survived for centuries without smileys. Only the new crop of modern
> computer geeks finds it impossible to detect a joke that is not clearly
> labeled as such."
> Ray Shea