[OpenAFS-devel] Multi-User Windows 2000 Token security

James Peterson jimpeter@us.ibm.com
Wed, 26 Sep 2001 17:24:42 -0700


As others have mentioned, there is a security problem with Windows 2000 in a
multi-user environment.

The following case was described earlier:

> - Logon as user A, get an AFS token
> - Open up a command prompt window running as user B:
>       runas /user:B /prof cmd.exe
> - Verify that user B has no token at this point
> - From the B window:
>      net use p: \\<machine>-afs\all /user:A
> - "tokens" shows that B now has A's token and can access AFS using that
> token.  If either user klogs or unlogs at this point, they affect the
> same token.  I also noticed that if B uses drive mappings other than the
> one created above to access AFS, access is VERY slow, but is granted
> according to A's token.  If B uses the newly mapped drive, access is
> much faster.
> - Deleting the drive mapping (net use p: /d) makes things go back to
> normal, and B no longer has a token.
>

This problem also shows up for multiple users on a single Windows 2000 machine:

- Logon as User A
- Obtain Token
- Logoff User A
- Logon as User B
- From command window - net use * \\machine-afs\home /user:User A
- You now have access to User A's tokens without knowing their AFS
password!

This problem comes from the way the Windows 2000 SMB client handles NET USE
/USER and the way the OpenAFS cache manager simulates an SMB server.

When a NET USE is done with the alternate user option, the SMB client sends
an SMB request to the OpenAFS cache manager using the alternate user name.
In this example, the cache manager matches the UserName and MachineName to
User A's token, thus giving User B use of User A's token.

Previous implementations of OpenAFS for Windows limited token matching to
within the same session. Windows NT would only have one SMB session per
user logon. The token match would work only if the SMB session, UserName and
machine all matched. No problem here.

Windows 2000 can create many SMB sessions per logon session, and in some
cases the same SMB session can be reused across a user logoff and the next
user logon. In order to avoid losing access to tokens or requiring token
authentication for each SMB session, token matching was limited to MachineName
and UserName, ignoring the SMB session number. Hence the "Multi-User Windows
2000 Token security" bug.
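To make the two matching policies concrete, the following is an added illustration (not OpenAFS code, and not the cache manager's real data structures): a constructed model of a token table keyed the Windows 2000 way, on (MachineName, UserName) only, beside one keyed the Windows NT way, with the SMB session included. It replays the scenario from the two procedures above: User A klogs on one SMB session, then a request presenting UserName A arrives on a different SMB session (as NET USE /USER:A from User B's window would produce), and finally User A's own request on yet another new session. The machine name, session numbers and class names are all assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed model of the two token-matching policies described in the post.
# Illustrative only: these are not the OpenAFS cache manager's own types.


@dataclass(frozen=True)
class Token:
    afs_user: str  # AFS identity this token authenticates as


@dataclass(frozen=True)
class SmbRequest:
    machine: str     # client MachineName as seen by the cache manager
    user: str        # UserName presented on the SMB session (NET USE /USER can set this)
    session_id: int  # SMB session the request arrived on


class SessionBlindTable:
    """Windows 2000 policy from the post: key is (MachineName, UserName) only."""

    def __init__(self) -> None:
        self._tokens: Dict[Tuple[str, str], Token] = {}

    def klog(self, req: SmbRequest, token: Token) -> None:
        self._tokens[(req.machine, req.user)] = token

    def lookup(self, req: SmbRequest) -> Optional[Token]:
        # Any session presenting the same machine and user name gets the token.
        return self._tokens.get((req.machine, req.user))


class SessionBoundTable:
    """Windows NT policy from the post: key includes the SMB session number."""

    def __init__(self) -> None:
        self._tokens: Dict[Tuple[int, str, str], Token] = {}

    def klog(self, req: SmbRequest, token: Token) -> None:
        self._tokens[(req.session_id, req.machine, req.user)] = token

    def lookup(self, req: SmbRequest) -> Optional[Token]:
        # A request on a different SMB session does not match, even for the same user.
        return self._tokens.get((req.session_id, req.machine, req.user))


def run_scenario(table) -> Dict[str, Optional[str]]:
    """Replay the post's scenario against one matching policy.

    Returns the AFS identity each request would be served with (None = no token).
    """
    machine = "WKS1"  # constructed machine name

    # 1. User A logs on, gets an SMB session, and klogs.
    a_request = SmbRequest(machine, "A", session_id=1)
    table.klog(a_request, Token("A"))

    # 2. User B runs `net use ... /user:A`; the SMB client opens a new
    #    session that presents UserName A.
    b_as_a = SmbRequest(machine, "A", session_id=2)

    # 3. User A's own later request on a fresh SMB session (Windows 2000
    #    may open several per logon).
    a_new_session = SmbRequest(machine, "A", session_id=3)

    def ident(req: SmbRequest) -> Optional[str]:
        tok = table.lookup(req)
        return tok.afs_user if tok else None

    return {
        "A on original session": ident(a_request),
        "B via /user:A on new session": ident(b_as_a),
        "A on another new session": ident(a_new_session),
    }


if __name__ == "__main__":
    for name, table in (("session-blind", SessionBlindTable()),
                        ("session-bound", SessionBoundTable())):
        print(name, run_scenario(table))
```

The session-blind table hands User A's token to the request from User B's window; the session-bound table refuses it, but also refuses User A's own request on a new session, which is exactly the loss of token access the post says the relaxation was meant to avoid. The model shows why neither key alone is satisfactory on Windows 2000: the fix has to tie the token to something that distinguishes the logon that obtained it, not merely the names carried on the SMB session.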

Currently I do not have a solution and I would be happy to hear any
suggestions.

The only workaround is, for multi-user Windows 2000, to configure it so that
all logons require a restart.

Note: this discussion does not include issues for multiple users on a
Terminal Server or Telnet into a Windows box.

James Peterson
"Integrity is the base of excellence."