[OpenAFS] token theft under XP

Charles Clancy security@xauth.net
Wed, 11 Dec 2002 12:35:32 -0600 (CST)


Scenario:
1. domain user 'x' logs in, gets tokens
2. 'x' logs out
3. local machine administrator goes in and creates local user 'x'
4. log in as local user 'x'
5. local user has access to the token and drive mappings obtained by the
   domain user

The seriousness of this could easily be argued away, but perhaps it could
be solved by associating tokens with one's fully qualified username (i.e.
DOMAIN\username or COMPUTER\username).

Just a thought.

[ t charles clancy ]--[ tclancy@uiuc.edu ]--[ www.uiuc.edu/~tclancy ]