Can a website use your Windows network authentication?

GoodEnough

Golden Member
Apr 24, 2011
1,547
19
81
What is it called when you're logged into a Win network, and you go on some intranet site, and it doesn't ask for your login since you're already logged into Windows, and that service just uses the same login profile? Single sign on? LDAP?

What if you go to an external website? Can it try to do the same thing, and figure out your Win username and just log you in automatically?
 

John Connor

Lifer
Nov 30, 2012
22,757
619
121
> What if you go to an external website? Can it try to do the same thing, and figure out your Win username and just log you in automatically?


There's a difference between Intranet and Internet. So the policies and what have you would most likely prevent an Internet connection from logging into an Intranet connection. But hacking a network is not out of the question.


http://imgur.com/gallery/fqjnK
 

Billb2

Diamond Member
Mar 25, 2005
3,035
70
86
...if you haven't done it yet, spend 10 minutes on the dark web.
 

Red Squirrel

No Lifer
May 24, 2003
71,209
14,033
126
www.anyf.ca
I've seen some intranet IE sites do it, e.g. Citrix. So I imagine IE can probably send your Windows credentials/session info to a site if it's requested through some kind of scripting. So I can't see what would stop an internet site from acting the same as an intranet site. I'm surprised this is not exploited more actually. Browsers are by design super insecure because of all the scripting crap that sites are allowed to do. Drive-by spyware sites, for example, use various scripting in order to load programs on your computer and run them. Essentially infecting it by simply loading a web page.
 

nexus5rocks

Senior member
Mar 12, 2014
413
84
101
> What is it called when you're logged into a Win network, and you go on some intranet site, and it doesn't ask for your login since you're already logged into Windows, and that service just uses the same login profile? Single sign on? LDAP?
>
> What if you go to an external website? Can it try to do the same thing, and figure out your Win username and just log you in automatically?

It's called single sign on, and it works on your domain because of Kerberos authentication.
Making this work outside the domain/realm is messy, if not extremely difficult/impossible, and definitely insecure, as you do not want to expose your KDC to the public intertubes.
What you need is a federation solution like ADFS or Ping that uses SAML authentication.
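
As an added example (not part of any post in this thread), a PowerShell check of the Windows setting that governs the question asked here: the per-zone "Logon" URL action, stored as registry value 1A00 under Internet Settings\Zones, decides whether Internet Explorer and software that honours the same Internet Options zones answer a site's authentication challenge with the logged-on account. The zone numbers and value meanings are the standard Windows ones and are not taken from the thread.

```powershell
# Added example, not from the thread: list the "Logon" URL action (1A00)
# configured for each security zone, in policy and user/machine settings.
$zones = [ordered]@{
    '1' = 'Local intranet'; '2' = 'Trusted sites'
    '3' = 'Internet';       '4' = 'Restricted sites'
}
$logonModes = @{
    0x00000 = 'Automatic logon with current user name and password'
    0x10000 = 'Prompt for user name and password'
    0x20000 = 'Automatic logon only in Intranet zone'
    0x30000 = 'Anonymous logon'
}
$suffix = 'Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$roots  = @(
    "HKLM:\Software\Policies\$suffix"   # machine policy (GPO)
    "HKCU:\Software\Policies\$suffix"   # user policy (GPO)
    "HKCU:\Software\$suffix"            # per-user Internet Options
    "HKLM:\Software\$suffix"            # machine defaults
)

$findings = foreach ($root in $roots) {
    foreach ($id in $zones.Keys) {
        $key   = Join-Path $root $id
        $value = (Get-ItemProperty -Path $key -Name '1A00' `
                    -ErrorAction SilentlyContinue).'1A00'
        if ($null -eq $value) { continue }   # not configured at this location

        $mode = $logonModes[[int]$value]
        if (-not $mode) { $mode = 'Unrecognised value 0x{0:X}' -f $value }

        [pscustomobject]@{
            Location = $root
            Zone     = $zones[$id]
            Logon    = $mode
            # Automatic logon outside the intranet/trusted zones means any
            # external site that asks would be sent the logged-on credentials.
            Review   = ($id -in '3', '4') -and ([int]$value -eq 0)
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No explicit 1A00 (Logon) setting found in the checked locations.' }
```

Rows with `Review` set to `True` are the ones to correct; the default for the Internet zone is automatic logon only in the Intranet zone.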
 

John Connor

> I've seen some intranet IE sites do it, e.g. Citrix. So I imagine IE can probably send your Windows credentials/session info to a site if it's requested through some kind of scripting. So I can't see what would stop an internet site from acting the same as an intranet site. I'm surprised this is not exploited more actually. Browsers are by design super insecure because of all the scripting crap that sites are allowed to do. Drive-by spyware sites, for example, use various scripting in order to load programs on your computer and run them. Essentially infecting it by simply loading a web page.


NoScript. Use it, love it... Hell, make love to it! It will love you more than a woman! LOL!
 

Red Squirrel

> NoScript. Use it, love it... Hell, make love to it! It will love you more than a woman! LOL!

I've tried to use it, but it just makes the internet super annoying to use. Like every single site you land on you need to figure out which hosts you need to allow so the site even loads. Sites are so terribly designed nowadays. The real fix would be if browsers would not allow scripts to do anything outside of their own tab. I don't get why nobody has coded such a browser yet. I suppose you could run a browser in a chroot jail though. I've briefly read on it but it's quite involved.
 

John Connor

> I've tried to use it, but it just makes the internet super annoying to use. Like every single site you land on you need to figure out which hosts you need to allow so the site even loads. Sites are so terribly designed nowadays. The real fix would be if browsers would not allow scripts to do anything outside of their own tab. I don't get why nobody has coded such a browser yet. I suppose you could run a browser in a chroot jail though. I've briefly read on it but it's quite involved.


I know what you're talking about. Yes, NoScript can be very cumbersome to say the least. What I do is allow base 2nd level domains by default to lessen the cumbersomeness. But despite that, very feature-rich and/or poorly designed pages use tons of scripts. So if I trust the site I'll just allow all scripts temporarily for the whole page. Or I'll go through and look at each script and use an educated guess as to which scripts need to be allowed. Cloudfront is a notable one. That is Amazon's S3 content delivery network. It needs to be allowed. But simply allowing all scripts even temporarily defeats the purpose, doesn't it? Well, I use layers, in that I use VooDoo Shield and Sandboxie. So if something tries to enter my machine it's gonna have a hard time.

Some sites are so damn script-laden, and with all the privacy/security add-ons I have, I need to use another plain vanilla browser to access just that site and use its features. This is especially true if you're filling out taxes online. Just use a plain vanilla browser. You don't want to break anything. I keep Chrome, Cyberfox, Firefox and Pale Moon on here.