Marco Gaiarin wrote:
> Mandi! Tomasz Chmielewski
>   On that day it was said...
>
>> As in 99% of cases wpkg.js sits on the remote server, it is by definition
>> insecure, isn't it?
>
> It's a point of view...
>
>> Handling security by something which is hosted on a potentially not
>> secure machine isn't the best idea - you would never know if it's your
>> or the attacker's wpkg.js.
>
> Indeed, there are some different problems to take care of.
>
> What I'm speaking about is:
>
> a) an attacker has no access to the server (indeed, if they have, there's
>    nothing more to speak about... ;), no access to the clients apart
>    from one/two to get some knowledge of the system

Just bring a laptop with an evil server installed, and connect the workstation's cable to it.

> b) the attacker wants to take control of all clients (that use WPKG, of
>    course).
>
> In a scenario like that, currently, and if not using a domain account
> to access WPKG shares, it suffices for the attacker to do a DOS against the
> server, tear it down, start their hacked server *and* restart clients
> to be able to install whatever on the client machines.
> I think this is a simple attack, but it costs so much because you have
> to shut down the server *and* all clients to force WPKG execution on all
> clients, and doing so without the sysadmin or users noticing is
> really hard...

What we should care about is the way to make sure we connect to the right server. Nothing more, nothing less.

Which can be a little hard to do - for example, here with my setup, the clients connect to a server called "branchserver" - which is just a DNS entry to ease the management - it's easier to do so with multiple servers around the country.

So, in the above scenario, I don't connect to the real name of the server, but to some DNS alias instead.

The question - how does the Windows client know it's connecting to the legitimate domain server when the user logs on?

--
Tomasz Chmielewski
http://wpkg.org
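One client-side check that addresses the rogue-server scenario discussed above, as an added example that is not from this thread or from the WPKG project: the client keeps a pinned SHA-256 digest of the trusted wpkg.js in a local, administrator-only location and refuses to run a copy fetched from the share unless the digest matches, so a substitute server answering for "branchserver" cannot hand out a modified script that passes. The file names, digest file and script contents are constructed for the demo.

```python
import hashlib
import hmac
import os
import tempfile


def sha256_file(path):
    """Hash a file in chunks so large scripts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_remote_script(remote_path, pinned_path):
    """Return True only if the script fetched from the share matches the
    digest pinned on the local client. The pin lives on the client (assumed
    writable only by administrators), not on the share, so a server that
    replaces the real one cannot also replace the expected value."""
    with open(pinned_path, "r", encoding="ascii") as f:
        expected = f.read().strip().lower()
    actual = sha256_file(remote_path)
    # Constant-time comparison: do not leak how many leading digits matched.
    return hmac.compare_digest(actual, expected)


def demo():
    """Constructed scenario: a trusted wpkg.js, its pinned digest, and a
    tampered copy such as a substitute server would serve. Returns
    (trusted_accepted, tampered_accepted)."""
    d = tempfile.mkdtemp()
    trusted = os.path.join(d, "wpkg.js")
    with open(trusted, "wb") as f:
        f.write(b"// wpkg.js (constructed sample)\nvar x = 1;\n")
    pin = os.path.join(d, "wpkg.js.sha256")  # local pin, written once by the admin
    with open(pin, "w", encoding="ascii") as f:
        f.write(sha256_file(trusted) + "\n")
    tampered = os.path.join(d, "wpkg_from_rogue_share.js")
    with open(tampered, "wb") as f:
        f.write(b"// wpkg.js (constructed sample)\nvar x = 1;\n// injected line\n")
    return verify_remote_script(trusted, pin), verify_remote_script(tampered, pin)


if __name__ == "__main__":
    ok, bad = demo()
    print("trusted copy accepted:", ok, "| tampered copy accepted:", bad)
```

The pin must be updated through the same administrative channel used to change the client itself; otherwise the check only moves the trust problem from the share to whatever can rewrite the pin.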
