Yeah, the proper way to do this is to modify the GINA so that you can bypass normal logon and go to the website. That being said, not a lot of folks are going to be modifying GINAs, and anyone who is will find a bit of trouble with those GINA mods when they start deploying Vista (i.e. they won't work).

This is a tough nut to crack and the only thing I can really think of that comes close to secure is that the machine that is deployed to a user also gets a local ID for them as well, or possibly a very well locked down generic local ID that gets added to all workstations. That generic ID should have IE as the shell so it comes right up in a kiosk type mode right to that web site, or better yet, a custom written GUI app that is used as the shell that exposes that web page and doesn't allow you to do anything but go to that web page (i.e. not a generic browser). I would also set up the policy for that ID on every machine such that it can't connect to any machine but the webservers hosting the kiosk website across the network... i.e. "Access this computer from the network" DENY for the local generic userid. That would prevent someone from using runas or something like that to go surfing across other machines in an anonymous way since the passwords are all synced. It is a lot of work and a lot of chance of missing something.
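One way to check the lockdown joe describes on each workstation is to export the local security policy with `secedit /export /cfg <file>` and confirm the generic ID appears in the deny-logon rights. The audit below is an added example, not code from anyone in the thread; the INF text and the kiosk account SID are constructed placeholders, and the check does not resolve group membership (an account denied only through a group shows up as missing).

```python
import re

# Constructed placeholder SID for the generic kiosk account (not from the thread).
KIOSK_SID = "S-1-5-21-1111111111-2222222222-3333333333-1005"

# Constructed sample of a `secedit /export /cfg` INF. Real exports list SIDs
# prefixed with '*' and plain account names without the prefix.
SAMPLE_INF = """
[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeDenyNetworkLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1005
SeDenyBatchLogonRight = *S-1-5-21-1111111111-2222222222-3333333333-1005
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Deny rights the generic ID should hold so it is usable only at the console:
# no network logon (blocks runas-style hopping), no batch job, no service.
REQUIRED_DENY = ("SeDenyNetworkLogonRight", "SeDenyBatchLogonRight", "SeDenyServiceLogonRight")

def parse_privilege_rights(inf_text):
    """Return {right_name: set of SIDs/names} from the [Privilege Rights] section."""
    rights, section = {}, None
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1)
            continue
        if section != "Privilege Rights" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        # Strip the '*' SID marker so SIDs and names compare the same way.
        rights[name.strip()] = {v.strip().lstrip("*") for v in value.split(",") if v.strip()}
    return rights

def audit_kiosk_account(inf_text, sid):
    """Return the deny rights from REQUIRED_DENY that do NOT list the account."""
    rights = parse_privilege_rights(inf_text)
    return [r for r in REQUIRED_DENY if sid not in rights.get(r, set())]

if __name__ == "__main__":
    print("missing deny rights:", audit_kiosk_account(SAMPLE_INF, KIOSK_SID))
```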
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
Sent: Monday, June 26, 2006 10:34 AM
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] pw reset domain account
On 6/25/06, joe <[EMAIL PROTECTED]> wrote:

Err, maybe you can fill in more detail. I am not quite sure what you are saying. Are you saying there is a generic ID to log into the website and it can reset anyone's password, or are you saying there is a generic ID with rights to reset anyone's password, or ???? Either of those solutions wouldn't be optimal and I would love to work in that company for a day with that implemented and have people point out who the dumbass managers were... Or at least their IDs. <eg>

Oh, I just read that again. Is this an idea to give a userid/password to everyone so they can get past the GINA and get to the self service website?
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of AWS
Sent: Sunday, June 25, 2006 6:35 PM
To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] pw reset domain account

There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any user's PC when needed.

They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused.

Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down?

Thanks,
AW