So I was at Sydney Domestic Airport train station waiting for a train to Circular Quay when I noticed that one of the displays was waiting patiently at a Windows 95-like login screen.
During my wait, a tech logged into the system (which was actually a Windows NT4 Workstation) as a domain administrator and proceeded to fix the workstation.
At one point during the remediation, the tech entered the domain administrator's password in clear text (at the AutoAdminLogon stage, from memory)! In addition to this, the tech was browsing the network list and accessing various network shares to resolve the problem at hand.
Thankfully this was on only one set of displays and not all the displays in the station, so at least there is some redundancy in the displays. Unfortunately I have no idea of the technical skills or the ethics of the people around me who were amused by this diversion.
So now I have the domain administrator's password for one of CityRail's domains, a list of domains/workgroups in their network and a list of PCs in one of their domains.
This information was reported to station staff at Circular Quay, but they weren't really interested, didn't see it as a security problem and said that their IT staff knew what they were doing. A quick browse of their Web site gave a 1800 number, which was answered by a staff member who did understand the security implications, so hopefully the domain administrator password has been changed.
A large-scale deployment of PDTs like this should be built with an automated deployment system (which is probably done in CityRail's case), and any remediation should be performed by rebuilding from either network or local unattended install media (which doesn't seem to be the case here). At the very least, the public displays should be switched off while a technician is logged in, to prevent sensitive information such as credentials and share names being leaked to bystanders.
If you have PDTs in place, please make sure you have good policies and procedures in place to prevent this type of embarrassing situation.
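One concrete check worth adding to those procedures is an audit of the Winlogon auto-logon settings the tech was typing into, since AutoAdminLogon stores its password as a readable registry string. The script below is an added example, not code from the original post or from CityRail; the function name, the `-Remediate` switch and the group names it flags are my own assumptions.

```powershell
# Audit (and optionally fix) clear-text auto-logon credentials on a Windows host.
# Added example, not part of the original post. Requires an elevated PowerShell.
function Test-AutoLogonExposure {
    param([switch]$Remediate)

    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $p = Get-ItemProperty -Path $winlogon -ErrorAction Stop
    $findings = @()

    if ($p.AutoAdminLogon -eq '1') {
        $findings += "AutoAdminLogon is enabled for account '$($p.DefaultDomainName)\$($p.DefaultUserName)'"
    }
    if ($p.PSObject.Properties['DefaultPassword']) {
        # Anyone who can read HKLM (every local user) can recover this value.
        $findings += 'DefaultPassword is stored as a clear-text registry string'
    }

    # Assumption: these are the group names that should never be used for an
    # unattended kiosk logon. Adjust to the naming used in your domain.
    $privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators')
    if ($p.DefaultUserName) {
        foreach ($g in $privilegedGroups) {
            $members = Get-LocalGroupMember -Group $g -ErrorAction SilentlyContinue
            if ($members.Name -contains "$($p.DefaultDomainName)\$($p.DefaultUserName)") {
                $findings += "Auto-logon account is a direct member of '$g'"
            }
        }
    }

    if ($Remediate -and $findings.Count -gt 0) {
        # Disable auto-logon and drop the stored password; the account itself
        # still needs its password rotated, which this script cannot do for you.
        Set-ItemProperty -Path $winlogon -Name AutoAdminLogon -Value '0'
        Remove-ItemProperty -Path $winlogon -Name DefaultPassword -ErrorAction SilentlyContinue
        $findings += 'Remediated: AutoAdminLogon disabled and DefaultPassword removed'
    }

    return $findings
}

Test-AutoLogonExposure | ForEach-Object { Write-Output "[AutoLogon] $_" }
```

Membership is only checked against direct group members, so an account that is an administrator through nested groups will not be flagged; treat an empty result as "nothing obvious", not as proof the host is clean.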