[OpenAFS] token theft under XP (High security option)
James Peterson
james@abrakus.com
Fri, 13 Dec 2002 09:49:57 -0800
Token theft is an issue with windows, not necessary with just XP.
Basically there was no solution to destroy tokens when the user logs out so
the token is left around for the next user who logs on to grab (if they know
the previous username).
I suggest you use the "High security" option. We designed this option to
make it difficult to grab 'left over tokens' by creating an internal secret
user name. Using the High Security option will make it next to impossible to
steal your tokens.
If you use Regedit, change the Logon Options parameter to 2 or 3 and reboot.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemond\Netw
orkProvider
LogonOptions = 1 - Integrated Logon
LogonOptions = 2 - High Security options, Random User name generation
LogonOptions = 3 - both
James Peterson
"Integrity is the Base of Excellence"
P.S.
If someone could direct me to a system 'call back' or process that is
invoked when a user logs out then I would gladly fix that problem.