VNC NT Auth fix

Shriman Gurung SG "at" datcon.co.uk
Mon, 26 Jul 1999 14:52:49 +0000



-----Original Message-----
From: the wikster [mailto:wik "at" rabidpenguin.org]
Sent: Monday, July 26, 1999 1:14 PM
To: 'vnc-list "at" uk.research.att.com'
Subject: RE: VNC NT Auth fix

[snip]
Maybe, maybe not. :)

Are you sure the U-domain accounts have the "Act as part of the operating
system" advanced user right?

---> Yes, I am logging in with an account in the (User) Domain Admins group,
which has this right in the Machine User Manager.

[snip]
If you have AllowAdminsOnly, it is possible
that the NetUserGetInfo function is returning invalid/incorrect/unusable data
about the user's administrator privilege. What happens if you set that to
zero (and restart winvnc)? I have a nagging suspicion that the
NetUserGetInfo function can't always be trusted for returning information
about domain users.

--> I don't have that key.

Another possibly better solution is to change the patch to only allow
users of a specific named group, e.g. VNC_USERS.  I don't think this would
be too hard to implement (and it would be enabled by a registry key as
well).  

--> Hmmm, maybe, but wouldn't you have to tie it to a domain, e.g. U\Domain
Admins?  And even that might not stop a remote hacker creating a U domain
for themselves, being an admin and then trying to link up.  A name check
might not be strong enough.

shriman

Shriman Gurung

System Administrator
sg n datcon n co n uk
Data Connection Ltd. -- http://www.datcon.co.uk/
--Speaking for myself not my employer--
 

---------------------------------------------------------------------
The VNC mailing list - see http://www.uk.research.att.com/vnc/intouch.html
---------------------------------------------------------------------
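
Added example, not part of the original message or of the WinVNC patch: a simplified Python model of the concern raised above that a check on the group name alone is weaker than one tied to a specific domain. It swaps in comparison by SID (trusted domain SID plus the well-known Domain Admins RID 512); the Group type, the function names and all SID values are constructed for illustration.

```python
from typing import NamedTuple, Optional, Tuple

DOMAIN_ADMINS_RID = 512  # well-known RID of the Domain Admins group


class Group(NamedTuple):
    domain: str  # domain name as reported for the group
    name: str    # group name
    sid: str     # group SID string: S-1-5-21-<domain id>-<RID>


def split_sid(sid: str) -> Optional[Tuple[str, int]]:
    """Return (domain_sid, rid) for a domain-relative SID, or None if malformed."""
    parts = sid.split("-")
    # Expected shape: S-1-5-21-X-Y-Z-RID, i.e. eight dash-separated fields.
    if len(parts) != 8 or parts[:4] != ["S", "1", "5", "21"]:
        return None
    if not all(p.isdigit() for p in parts[4:]):
        return None
    return "-".join(parts[:7]), int(parts[7])


def allowed_by_name(groups, wanted="U\\Domain Admins"):
    """Name check: accepts any group whose DOMAIN\\name text matches."""
    return any(f"{g.domain}\\{g.name}".lower() == wanted.lower() for g in groups)


def allowed_by_sid(groups, trusted_domain_sid, rid=DOMAIN_ADMINS_RID):
    """SID check: the group must be RID `rid` of the one trusted domain."""
    return any(split_sid(g.sid) == (trusted_domain_sid, rid) for g in groups)


# Constructed sample data: the real domain "U" and a look-alike that reuses the name.
REAL_U_SID = "S-1-5-21-1111111111-2222222222-3333333333"
FAKE_U_SID = "S-1-5-21-4444444444-5555555555-6666666666"
real_admin = [Group("U", "Domain Admins", REAL_U_SID + "-512")]
lookalike = [Group("U", "Domain Admins", FAKE_U_SID + "-512")]
real_user = [Group("U", "Domain Users", REAL_U_SID + "-513")]

if __name__ == "__main__":
    for label, groups in [("real admin", real_admin),
                          ("look-alike", lookalike),
                          ("real user", real_user)]:
        print(label, allowed_by_name(groups), allowed_by_sid(groups, REAL_U_SID))
```

The two checks agree for the genuine accounts and differ only for the look-alike domain, which passes the name comparison and fails the SID comparison.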