[krbdev.mit.edu #5821] REQ: in-registry keytab support

Jeffrey Altman via RT rt at krbdev.mit.edu
Thu Oct 18 16:59:39 EDT 2007


Sam Hartman via RT wrote:
> However, many of the other examples are cases where reusing keys would
> significantly harm security.  The AFS case is particularly alarming.
> Pushing out the same key for anonymous cell access would decrease
> security by allowing anyone with this key to impersonate the cell.
I wouldn't be thrilled with this use case either and I'm sad it was brought up.
The AFS Client Service is going to add a feature that permits it to use the Windows host principal to obtain tokens.  The Windows host principal is either keyed during the domain join operation or with KSETUP.  In either case, the host password is stored in a protected part of the HKLM hive which is only accessible to the SYSTEM account.

This hive can be encrypted on local disk and when that functionality is enabled, a password must be entered before Windows will boot.
>
> I'm also concerned about whether group policy has the appropriate
> confidentiality protection for this use.  How is group policy pushed
> to a machine?  Is it encrypted in transit?  Can a machine find out the
> group policy of someone else?
In Vista, group policy data is pushed to machines over TLS.  I would need to go back to verify that XP does the same.

Group Policy data is pushed to all the machines which are members of the group.  A single machine account can be treated as a group of one member.  Policy data associated with a single machine will only be sent to that machine.  Obviously, domain administrators will have the ability to view or manipulate that data.

It should be noted that group policy can also be used to push out applications or configuration files.  Therefore, creating a registry based keytab does not increase the risk of abuse.  It simply puts the key data in a location that is more likely to be secured than a file.
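The claim that a registry location is "more likely to be secured than a file" depends on the ACLs actually present. The following PowerShell is an added example, not code from this thread or from the MIT/KfW project; it lists every Allow ACE on a registry key and on a keytab file that is granted to anyone other than SYSTEM or Administrators. Both paths are placeholders chosen for illustration.

```powershell
# Added example (not from the thread): compare who can read a registry-hosted
# keytab location with who can read a keytab file. Both paths are placeholders.
$RegistryKeytabKey = 'HKLM:\SOFTWARE\EXAMPLE\Kerberos\Keytab'   # placeholder path
$FileKeytab        = 'C:\ProgramData\EXAMPLE\krb5.keytab'       # placeholder path

# Principals that are expected to be able to read host key material.
$Trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Get-UntrustedReaders {
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -Path $Path)) { return @() }   # nothing to inspect
    $acl = Get-Acl -Path $Path
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $Trusted -notcontains $_.IdentityReference.Value
        } |
        ForEach-Object {
            # Registry ACEs carry RegistryRights, file ACEs carry FileSystemRights.
            $rights = if ($_.PSObject.Properties['RegistryRights']) {
                $_.RegistryRights
            } else {
                $_.FileSystemRights
            }
            [pscustomobject]@{
                Path      = $Path
                Identity  = $_.IdentityReference.Value
                Rights    = $rights
                Inherited = $_.IsInherited   # inherited ACEs come from the parent key/folder
            }
        }
}

$findings = @(Get-UntrustedReaders -Path $RegistryKeytabKey) +
            @(Get-UntrustedReaders -Path $FileKeytab)
if ($findings.Count -eq 0) {
    Write-Output 'Only SYSTEM and Administrators hold Allow ACEs on both locations.'
} else {
    $findings | Format-Table -AutoSize
}
```

A key created under HKLM\SOFTWARE normally inherits a Read ACE for BUILTIN\Users, so a registry keytab is only SYSTEM-restricted if inheritance is broken on that key and the ACL is set explicitly, which is the check this script surfaces.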
