[OpenAFS] Re: OpenAFS-info digest, Vol 1 #972 - 10 msgs

Jonathan Brandmeyer <jbrandmeyer@earthlink.net>
Sat, 14 Dec 2002 10:21:12 -0500


> Reply-To: <james@abrakus.com>
> From: "James Peterson" <james@abrakus.com>
> To: <openafs-info@openafs.org>
> Cc: <rmdyer@uncc.edu>
> Date: Fri, 13 Dec 2002 09:49:57 -0800
> Subject: [OpenAFS] token theft under XP (High security option)
>
> Token theft is an issue with Windows, not necessarily with just XP.
>
> Basically there was no solution to destroy tokens when the user logs out so
> the token is left around for the next user who logs on to grab (if they know
> the previous username).
>
> I suggest you use the "High security" option.  We designed this option to
> make it difficult to grab 'left over tokens' by creating an internal secret
> user name. Using the High Security option will make it next to impossible to
> steal your tokens.
>
> If you use Regedit, change the Logon Options parameter to 2 or 3 and reboot.
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemond\NetworkProvider
>      LogonOptions = 1 - Integrated Logon
>      LogonOptions = 2 - High Security options, Random User name generation
>      LogonOptions = 3 - both
>
> James Peterson
> "Integrity is the Base of Excellence"
>
> P.S.
> If someone could direct me to a system 'call back' or process that is
> invoked when a user logs out then I would gladly fix that problem.

In the MSDN library, under:
Security
    Security (General)
        SDK Documentation
            Authentication
                About Authentication
                    Winlogon and GINA
                        Winlogon Notification Packages
you will find information that describes how you can register a function
that is notified by winlogon.exe whenever a user logs off the system.

HTH,
Jonathan Brandmeyer
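As an added example that is not part of the original thread, the following PowerShell script audits the LogonOptions value James describes so an administrator can confirm whether the "High security" option is actually in effect on a machine. It uses the registry path exactly as quoted in the message (the key name should be checked against the installed client, since the quoted spelling may not match the service name on a given version), treats the values 1, 2 and 3 as the two-bit mask the message implies, and only reads the registry; the Set-ItemProperty line that would enable the option is left commented out.

```powershell
# Added example (not from the original thread). Audits the OpenAFS client
# LogonOptions value quoted in James Peterson's message and reports whether
# the "High security" (random user name) option is enabled.
#
# Assumption: the key path below is the one quoted in the message; verify it
# against the installed client before relying on this script.
$AfsNetworkProviderKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemond\NetworkProvider'

function Get-AfsLogonOptions {
    param([string]$Path = $AfsNetworkProviderKey)
    # Returns the raw DWORD, or $null when the value or key is absent.
    $item = Get-ItemProperty -Path $Path -Name 'LogonOptions' -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.LogonOptions
}

function Get-AfsLogonOptionsReport {
    param([string]$Path = $AfsNetworkProviderKey)
    $value = Get-AfsLogonOptions -Path $Path
    if ($null -eq $value) {
        return "LogonOptions is not set under $Path (key missing or name differs)."
    }
    # Values from the message: 1 = Integrated Logon, 2 = High Security, 3 = both.
    # Interpreting them as a bit mask (assumption consistent with 3 = both).
    $integratedLogon = (($value -band 1) -ne 0)
    $highSecurity    = (($value -band 2) -ne 0)
    $unknownBits     = (($value -band -bnot 3) -ne 0)

    $lines = @("LogonOptions = $value")
    $lines += "  Integrated Logon : $integratedLogon"
    $lines += "  High Security    : $highSecurity"
    if ($unknownBits) {
        $lines += "  Warning: value contains bits outside 1|2; not described in the message."
    }
    if ($integratedLogon -and -not $highSecurity) {
        $lines += "  Risk: leftover tokens remain usable by the next user who logs on."
        $lines += "  Fix : set LogonOptions to 3 (both) or 2 and reboot."
    }
    return ($lines -join [Environment]::NewLine)
}

Write-Output (Get-AfsLogonOptionsReport)

# To enable High Security together with Integrated Logon (value 3 in the
# message), run as Administrator and reboot afterwards:
# Set-ItemProperty -Path $AfsNetworkProviderKey -Name 'LogonOptions' -Value 3 -Type DWord
```

Run it in an elevated PowerShell session on the client; the report flags the value-1 case the message warns about, where Integrated Logon is on but the random user name protection is not.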