[OpenAFS] Re: token theft under XP (High security option)
Jonathan Brandmeyer <jbrandmeyer@earthlink.net>
Sat, 14 Dec 2002 10:38:28 -0500
Sorry, this should attach itself to the right thread.
> Reply-To: <james@abrakus.com>
> From: "James Peterson" <james@abrakus.com>
> To: <openafs-info@openafs.org>
> Cc: <rmdyer@uncc.edu>
> Date: Fri, 13 Dec 2002 09:49:57 -0800
> Subject: [OpenAFS] token theft under XP (High security option)
>
> Token theft is an issue with Windows, not necessarily just with XP.
>
> Basically there was no solution to destroy tokens when the user logs out so
> the token is left around for the next user who logs on to grab (if they know
> the previous username).
>
> I suggest you use the "High security" option. We designed this option to
> make it difficult to grab 'left over tokens' by creating an internal secret
> user name. Using the High Security option will make it next to impossible to
> steal your tokens.
>
> If you use Regedit, change the Logon Options parameter to 2 or 3 and reboot.
>
> HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemond\NetworkProvider
> LogonOptions = 1 - Integrated Logon
> LogonOptions = 2 - High Security options, Random User name generation
> LogonOptions = 3 - both
>
> James Peterson
> "Integrity is the Base of Excellence"
>
> P.S.
> If someone could direct me to a system 'call back' or process that is
> invoked when a user logs out then I would gladly fix that problem.
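The registry change James describes, as an added PowerShell example that is not part of the original thread or of the OpenAFS project's own tooling. The key path, value name and the meaning of values 1, 2 and 3 are taken from the message above; the function names, the reading of value 3 as "bit 1 plus bit 2", and the assumption that LogonOptions is a DWORD are this example's own. It must run in an elevated session to write, and the change only takes effect after a reboot, as the message says.

```powershell
# Added example (not from the original thread): inspect and optionally set the
# OpenAFS client "LogonOptions" value under the NetworkProvider key.
# Key path and value names come from the message above; everything else is
# this example's own assumption. Writing requires an elevated session.

$AfsNetworkProviderKey =
    'HKLM:\SYSTEM\CurrentControlSet\Services\TransarcAFSDaemond\NetworkProvider'

# Meaning of each value, per the message above.
$LogonOptionMeanings = @{
    1 = 'Integrated Logon'
    2 = 'High Security (random user name generation)'
    3 = 'Integrated Logon + High Security'
}

function Get-AfsLogonOptions {
    [CmdletBinding()]
    param([string]$KeyPath = $AfsNetworkProviderKey)

    if (-not (Test-Path -Path $KeyPath)) {
        throw "AFS NetworkProvider key not found: $KeyPath (is the OpenAFS client installed?)"
    }
    $value = [int](Get-ItemProperty -Path $KeyPath -Name LogonOptions -ErrorAction Stop).LogonOptions

    [pscustomobject]@{
        LogonOptions = $value
        Meaning      = if ($LogonOptionMeanings.ContainsKey($value)) { $LogonOptionMeanings[$value] } else { 'unknown value' }
        # Assumption: value 3 is "both", so treat the High Security flag as bit 2.
        HighSecurity = ($value -band 2) -ne 0
    }
}

function Set-AfsLogonOptions {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet(1, 2, 3)][int]$Value,
        [string]$KeyPath = $AfsNetworkProviderKey
    )

    $target = "LogonOptions = $Value ($($LogonOptionMeanings[$Value]))"
    if ($PSCmdlet.ShouldProcess($KeyPath, $target)) {
        # Assumption: the value is stored as a DWORD.
        Set-ItemProperty -Path $KeyPath -Name LogonOptions -Value $Value -Type DWord -ErrorAction Stop
        Write-Warning 'LogonOptions changed; the new setting takes effect after a reboot.'
    }
}

# Usage:
#   Get-AfsLogonOptions                 # show current value and whether High Security is on
#   Set-AfsLogonOptions -Value 3 -WhatIf   # preview the change
#   Set-AfsLogonOptions -Value 3           # apply, then reboot
```

Get-AfsLogonOptions is the check a practitioner would run across workstations to find clients still at value 1, where left-over tokens remain reachable under the previous user's name; Set-AfsLogonOptions supports -WhatIf so the change can be previewed before it is rolled out.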
In the MSDN library, under:
Security
Security (General)
SDK Documentation
Authentication
About Authentication
Winlogon and GINA
Winlogon Notification Packages
You will find information that describes how you can register a function
that is notified by winlogon.exe whenever a user logs off the system.
HTH,
Jonathan Brandmeyer