Apple Can See Network

usuallyconfused
post May 18 2012, 09:25 AM
Post#1



Posts: 6
Joined: 19-March 02



Hi. We have a Windows 2008 server based network and a couple of wireless access points for clients to access the internet. There is the normal security on the wireless, requiring people to know the password to connect, but apart from that, we rely on the standard domain security to stop people seeing our network.
Well, someone came in the other day with an Apple laptop, and in just a few clicks, was able to see all our computers and access all our files!
How can this be and more importantly, how can we prevent it?
Thanks.
 
BananaRepublic
post May 18 2012, 09:43 AM
Post#2


Dungeon Cleaner
Posts: 1,520
Joined: 16-June 07
From: Banana Republic


I'm going to bet that there's another protocol enabled which allows you to bypass the domain entirely. If people happened to use NTLM, they were going to play by the domain's rules, but if they connected with a different protocol, then they don't even know about the rules.
How exactly did the Apple laptop authenticate itself when connecting to the wireless access point?
 
usuallyconfused
post May 18 2012, 11:08 AM
Post#3



Posts: 6
Joined: 19-March 02



Thanks for the reply. I was not there but was told in full detail by someone who was.
He would have simply been asked for the wireless password, which is public knowledge for the clients and staff. However, as I understand it, he then simply went to the Mac equivalent of My Network Places and there was our network and all the PCs. As far as I know, he did not try and get onto the server but all the PCs could be got into and he could open files.
I have yet to replicate his actions but will do soon.
 
Bob G
post May 18 2012, 11:45 AM
Post#4


UtterAccess VIP
Posts: 11,184
Joined: 24-May 10
From: CT


This is an overview, as the topic can get very deep very fast. In a wireless environment, you should have a VLAN for the normal business users and one for "guests". The guest VLAN would not have permission to see the corporate network but would be able to access the internet. This would entail having at least 2 different SSIDs on the wireless access point.
You can Google "guest wireless".
 
BananaRepublic
post May 18 2012, 11:51 AM
Post#5


Dungeon Cleaner
Posts: 1,520
Joined: 16-June 07
From: Banana Republic


How does that answer the original question, that the Mac was able to access all network resources where others couldn't? Guest wireless may help separate guests from clients/employees, but if I were the IT administrator of this network, I'd be far more worried about the fact that the network was in fact unprotected all the time and everyone was blocked only because they so cooperatively used the same protocol to log in and access the network resources. I would not assume that this is limited to Apple (e.g. a user with Windows and enough know-how could figure out how to do the same thing that the Mac did automatically).
The unfortunate fact of security is that it's far easier to fool yourself thinking it's secured than it is to actually secure it.
 
Bob G
post May 18 2012, 12:05 PM
Post#6


UtterAccess VIP
Posts: 11,184
Joined: 24-May 10
From: CT


Without knowing exactly what the Apple person did, there is no way to answer the original question.
I presented a general idea of how to potentially avoid it in the future.
 
timbailey
post May 18 2012, 03:02 PM
Post#7



Posts: 272
Joined: 2-November 04



Network security is a complex subject. How many people have passwords on sticky notes on their monitors?
What is "normal security on the wireless"? If it is WEP, the access point is just about useless for security and you are relying fully on your network security. If it is WPA/PSK or WPA2/PSK, you need to use a very strong password on it. I would recommend a pass phrase including special characters. Wireless network hacking tools like aircrack-ng are available in Linux, OS X and Windows flavors. These tools can usually get into any WEP-protected network in a couple of minutes at most. They usually use dictionary attacks against WPA-protected wireless.
Keep in mind that all of your wireless-connected computers are also potential entry routes. If anybody has their wireless connection configured so that their computer can act as an access point, that computer can allow similar access to the network AND IT IS ALREADY LOGGED IN with an authenticated user.
Similarly, what is "standard domain security"? Your network should only allow access to authenticated users. It should have a security policy requiring a strong password and periodic password changes.
 
CyberCow
post May 18 2012, 03:53 PM
Post#8


UdderAccess Admin + UA Ruler
Posts: 19,557
Joined: 27-April 02
From: Upper MI


It sounds like the LAN, domain, and/or Active Directory are not properly set up. A definite security issue - no one should be able to access a properly set up LAN without first joining the machine to the domain; and that requires (or should) a Domain Admin password.
The Server 2008 roles need to be checked and double-checked. The Apple user might be able to "see" the objects on even a minimum security setup, but should never be able to actually touch ANY files. The only access such a user should have is internet access, and they should not even be able to "see" the other objects on the LAN.
Can you assay the Domain Controller's roles?
Is Active Directory in place with a proper domain controller?
All that functionality and control is available with the Server 2008 machine.
hope this helps
 
usuallyconfused
post May 19 2012, 12:38 PM
Post#9



Posts: 6
Joined: 19-March 02



The wireless security is not the problem. The guy concerned was given the wireless password so he could use the internet, so no hacking was involved. However, as you say, the network should only allow access to authenticated users.
 
usuallyconfused
post May 19 2012, 12:48 PM
Post#10



Posts: 6
Joined: 19-March 02



I agree with all that you say. However, all I know is that a standard 2008 server is in place with all PC users connected to the domain. I added the wireless access points and if any staff need to use a laptop, then I add it to the domain. As far as I can tell, the Active Directory is properly in place and everything is working. Some directories have permissions set up and they cannot be accessed by anyone other than those with the correct permissions.
Obviously things are not set up right, but can you suggest where I might start to correct things?
Thanks.
 
CyberCow
post May 19 2012, 08:44 PM
Post#11


UdderAccess Admin + UA Ruler
Posts: 19,557
Joined: 27-April 02
From: Upper MI


To begin making suggestions for better DC/AD security (both wired and wireless) I will need a clear understanding of the LAN/Domain setup.
First, I would try hard-plugging a non-domained laptop into the system and see what is accessible. That would expose any errors that might be on the wired system. I always start there because the wireless stuff stems from the hardware setup.
When I get back to my desk, I will dig out some of my notes on the matter and render more detail later. There are quite a few steps involved.
 
usuallyconfused
post May 20 2012, 01:47 AM
Post#12



Posts: 6
Joined: 19-March 02



Thank you. Much appreciated. I will be in on Monday with both a Windows and an Apple laptop and see what I can find!
 
CyberCow
post May 20 2012, 08:34 AM
Post#13


UdderAccess Admin + UA Ruler
Posts: 19,557
Joined: 27-April 02
From: Upper MI


If things are set up correctly for the wired aspect of connecting a foreign device, any attempts to acquire a file from the LAN should require a user id and password. Otherwise, there are issues that will need to be tracked and eliminated.
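The thread never learns what let the non-domain laptop open files, but the checks CyberCow describes (a foreign device should be prompted for credentials) can be run from the server side rather than by bringing in a laptop. The script below is an added example, not code from the thread or from any of its posters; it assumes PowerShell 2.0 on the Server 2008 file server and uses only the WMI classes Win32_Share, Win32_LogicalShareSecuritySetting and Win32_UserAccount plus two LanmanServer/Lsa registry values. The function names and the list of "no-logon" trustees are my own choices. It flags share-level and NTFS permissions granted to Everyone, ANONYMOUS LOGON or Guests, reports whether the Guest account is enabled, and reads the policy settings that decide whether anonymous (null-session) connections inherit Everyone's rights.

```powershell
# Added example (not from the thread): audit a Windows file server for the
# settings that let a machine which never joined the domain read files
# without a credential prompt. Server 2008 / PowerShell 2.0 compatible.
# Run in an elevated console on the file server itself (Get-Acl is local).

# Well-known SIDs that grant access with no domain logon at all.
$NoLogonTrustees = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'ANONYMOUS LOGON'
    'S-1-5-32-546' = 'Guests'
}

function Get-ShareExposure {
    $findings = @()
    # Type 0 = ordinary disk shares; hidden admin shares (C$, ADMIN$) are
    # type 2147483648 and IPC$ is type 2147483651, so they are skipped.
    $shares = Get-WmiObject -Class Win32_Share | Where-Object { $_.Type -eq 0 }

    foreach ($share in $shares) {
        # 1. Share-level permissions (the "Share Permissions" tab).
        $sec = Get-WmiObject -Class Win32_LogicalShareSecuritySetting `
                             -Filter "Name='$($share.Name)'"
        if ($sec) {
            $sd = $sec.GetSecurityDescriptor()
            if ($sd.ReturnValue -eq 0) {
                foreach ($ace in $sd.Descriptor.DACL) {
                    # AceType 0 = access allowed; a deny ACE is not an exposure.
                    if ($ace.AceType -ne 0) { continue }
                    $sid = $ace.Trustee.SIDString
                    if ($NoLogonTrustees.ContainsKey($sid)) {
                        $findings += New-Object PSObject -Property @{
                            Share   = $share.Name
                            Path    = $share.Path
                            Layer   = 'Share'
                            Trustee = $NoLogonTrustees[$sid]
                            Rights  = ('0x{0:X}' -f $ace.AccessMask)
                        }
                    }
                }
            }
        }
        # 2. NTFS permissions on the shared folder. Effective access is the
        #    more restrictive of share and NTFS, so both layers matter:
        #    "Everyone / Full Control" on the share is harmless only if
        #    NTFS does not also grant Everyone or Guests.
        if (Test-Path -Path $share.Path) {
            $acl = Get-Acl -Path $share.Path
            foreach ($rule in $acl.Access) {
                if ($rule.AccessControlType -ne 'Allow') { continue }
                $sid = $rule.IdentityReference.Translate(
                           [System.Security.Principal.SecurityIdentifier]).Value
                if ($NoLogonTrustees.ContainsKey($sid)) {
                    $findings += New-Object PSObject -Property @{
                        Share   = $share.Name
                        Path    = $share.Path
                        Layer   = 'NTFS'
                        Trustee = $NoLogonTrustees[$sid]
                        Rights  = $rule.FileSystemRights.ToString()
                    }
                }
            }
        }
    }
    $findings
}

function Get-GuestAccountState {
    # On a domain controller this is the domain Guest account; on a member
    # server, the local one. Disabled should be True. (Filtering by name
    # still walks the domain's accounts, so this can take a while on a
    # large domain.)
    Get-WmiObject -Class Win32_UserAccount -Filter "Name='Guest'" |
        Select-Object Domain, Name, Disabled, SID
}

function Get-AnonymousAccessPolicy {
    # Registry-backed Security Options. Hardened values:
    #   EveryoneIncludesAnonymous = 0 ("Let Everyone permissions apply to
    #                                  anonymous users" disabled)
    #   RestrictNullSessAccess    = 1 (null sessions cannot reach shares)
    #   NullSessionShares         = empty
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $srv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    New-Object PSObject -Property @{
        EveryoneIncludesAnonymous = $lsa.EveryoneIncludesAnonymous
        RestrictNullSessAccess    = $srv.RestrictNullSessAccess
        NullSessionShares         = (@($srv.NullSessionShares) -join ',')
    }
}

# Usage: an empty table from Get-ShareExposure, Disabled=True for Guest and
# the hardened policy values above mean a foreign device is prompted for
# domain credentials before it can open anything.
Get-ShareExposure | Format-Table Share, Layer, Trustee, Rights, Path -AutoSize
Get-GuestAccountState
Get-AnonymousAccessPolicy
```

Any row the first function prints is a share a non-domain client can read with no password at all (Everyone or ANONYMOUS LOGON) or with the Guest account if it is enabled, which is the behaviour the original post describes; remove the ACE or replace it with Authenticated Users or a domain group, and leave Guest disabled. Bob G's guest VLAN is still worth doing afterwards, since it keeps visitors from even reaching the server, but it does not fix permissions that are wrong on the wired side.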
 