On Tue, 30 Jul 1996, Peter da Silva wrote:
> Assuming they're using normal NT authentication mechanisms, failover to a
> BDC is automatic, and the exchange is encrypted but not one-time encrypted.
But is the key already established? Or will any box that answers the
query be believed? I'm still putting together my NT machine requests, so
I've not had time to play with this, but I'm curious about it. If there
is a way for me to man-in-the-middle this, or worse yet, just advertise
myself as a BDC, after dropping the PDC off the net, then I'm going to
have to look at where our PDCs are and what we do in the event of a
failure a whole lot harder if/when we decide to move to that strategy.
It also starts to play into how I structure my routing, since I'll have to
be very careful about extra routes put into my pool to segment off a
network that contains my PDC, and then advertise a short path to the BDC.
If I looped the PDC routes, then asserted myself as a BDC, then I'd win,
right? Or is there some good under-the-covers authentication stuff going
on?
>
> It should be possible to have the firewall rights only enabled for local
> users and not domain users. I would assume they've done so, but more info
> would be appreciated.
>
ditto.
Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts @ clark . net  which may have no basis whatsoever in fact."
PSB#9280