-
September 8th, 2003, 11:11 PM
#1
Password Change Hole
OK now, what you need to do is to:
- run compmgmt.msc
- click on Local Users and Groups
- open the 'Users' folder
- double click on the user of your choice
The Form Should Have:
<Label> "user name"
full name: <textbox>
description: <Textbox>
<Checkbox> user must change password at next logon
<Checkbox> user cannot change password
<Checkbox>(Checked) password never expires
<Checkbox> account is disabled
<Checkbox> account is locked out
<3 Buttons>"ok" "cancel" "apply"
Look at the checkbox labeled "password never expires", it should be checked. What you can do is uncheck it.
The 'user must change password at next logon' box is unchecked. If you put a check in this box, of course,
when you shut down, the system will prompt for a new password!
I believe that there is a way to FIX this hole by right clicking on any account and using the menu below.
[set password...]
[all tasks]
[delete]
[rename]
[properties]
[help]
I'm not too sure how you can use the above menu to disable the editing of an account, but if there are any ideas then I would love to know.
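The checkboxes post #1 walks through in compmgmt.msc are stored as account flags, so the same state can be audited from a script instead of opening each user's Properties dialog. The following PowerShell is an added example, not code from the thread or from any poster; it assumes it is run in an elevated session on the local machine (as post #2 notes, reading and changing these settings is an administrative operation) and uses the WinNT ADSI provider, whose UserFlags bits are the documented ADS_USER_FLAG_ENUM values. The function names and the constant names are the example's own.

```powershell
# Added example (not from the thread): audit the local-account flags that the
# compmgmt.msc > Local Users and Groups > Users > <user> > Properties dialog
# shows as checkboxes, and optionally clear "password never expires".
# Assumes an elevated PowerShell session on the machine being audited.

# Documented ADS_USER_FLAG_ENUM bit values (assumption: these match the
# checkboxes listed in post #1).
$ADS_UF_ACCOUNTDISABLE     = 0x0002   # "account is disabled"
$ADS_UF_LOCKOUT            = 0x0010   # "account is locked out"
$ADS_UF_PASSWD_CANT_CHANGE = 0x0040   # "user cannot change password"
$ADS_UF_DONT_EXPIRE_PASSWD = 0x10000  # "password never expires"

function Get-LocalAccountFlagReport {
    param([string]$ComputerName = $env:COMPUTERNAME)

    # Enumerate every local user object through the WinNT provider.
    $computer = [ADSI]"WinNT://$ComputerName"
    $computer.Children |
        Where-Object { $_.SchemaClassName -eq 'user' } |
        ForEach-Object {
            $flags = [int]$_.UserFlags.Value
            [pscustomobject]@{
                Name                     = [string]$_.Name.Value
                PasswordNeverExpires     = ($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0
                UserCannotChangePassword = ($flags -band $ADS_UF_PASSWD_CANT_CHANGE) -ne 0
                # PasswordExpired = 1 is the "user must change password at next logon" box.
                MustChangeAtNextLogon    = ([int]$_.PasswordExpired.Value) -eq 1
                AccountDisabled          = ($flags -band $ADS_UF_ACCOUNTDISABLE) -ne 0
                AccountLockedOut         = ($flags -band $ADS_UF_LOCKOUT) -ne 0
            }
        }
}

function Clear-LocalPasswordNeverExpires {
    # Uncheck "password never expires" for one account, which is the fix
    # post #1 describes doing by hand in the dialog.
    param(
        [Parameter(Mandatory)][string]$UserName,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $user  = [ADSI]"WinNT://$ComputerName/$UserName,user"
    $flags = [int]$user.UserFlags.Value
    if (($flags -band $ADS_UF_DONT_EXPIRE_PASSWD) -ne 0) {
        $user.UserFlags.Value = $flags -bxor $ADS_UF_DONT_EXPIRE_PASSWD
        $user.SetInfo()   # writes the change back; fails with access denied if not admin
        Write-Verbose "Cleared 'password never expires' on $UserName"
    }
}

# Report every enabled account whose password is set to never expire.
Get-LocalAccountFlagReport |
    Where-Object { $_.PasswordNeverExpires -and -not $_.AccountDisabled } |
    Format-Table -AutoSize
```

Running the report as a non-administrator reproduces the "access denied" that posts #8 and #9 describe for `net user`: the provider will read some attributes but `SetInfo()` in the second function is refused. Built-in service accounts frequently carry the never-expires flag by design, so review the list before clearing it for anything other than ordinary interactive users.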
-
September 8th, 2003, 11:28 PM
#2
I am not sure what you are talking about here... you need to be an administrative user to alter user settings like this, in which case you can simply reset the user's password.
Even if you tell the password to expire (which _should_ be set in your security policy) and force the user to change at next logon, it will not prompt you when you shutdown the system, it will prompt the user in question after their next successful logon. (meaning they need to know the current password)
Admin users will always have the ability to administer the accounts (funny how that works) since that is a primary aspect of the Admin's role. Operators and Security Operators do different things, but handling user settings is always an Admin job.
So, again I am not sure what you are talking about, I see no hole. In fact using the Admin to change the user password still won't recover EFSed files for you, so that isn't even an issue where there is a hole that the Admin can abuse.
catch
-
September 8th, 2003, 11:36 PM
#3
I believe that's why you run compmgmt.msc and click on local
-
September 8th, 2003, 11:39 PM
#4
To slightly add to what catch has said:
If you cannot trust people with admin/superuser/security passwords, why employ them and allow them access?
cheers
-
September 8th, 2003, 11:59 PM
#5
Then how about DOS>>"NET USER ADMIN ********"? If I run the prompt before logging on under ADMIN I will still be able to change the admin password.
-
September 9th, 2003, 12:05 AM
#6
Then how about DOS>>"NET USER ADMIN ********"? If I run the prompt before logging on under ADMIN I will still be able to change the admin password.
First things first, no member of the NT line has MS-DOS on it. They do have text command lines that _look_ similar to DOS, but there is no DOS.
Second, the only way you can force a user to change their password is as an administrative user. Are you doing this from the Admin account? Have you added your user to the Admins group?
There is no hole in this situation besides perhaps an awful configuration on your system.
catch
-
September 9th, 2003, 12:15 AM
#7
But still you can change the pass through the PROMPT with net user and that doesn't need Admin access
-
September 9th, 2003, 12:22 AM
#8
But still you can change the pass through the PROMPT with net user and that doesn't need Admin access
Only if you are running as an Admin level user!
catch
-
September 9th, 2003, 12:30 AM
#9
Only if you are running as an Admin level user!
Absolutely correct. If you don't have admin privileges... you'll get a big fat "access denied".
Szafran: Try your technique with an account that doesn't have admin privileges... you'll see that it won't work.
-
September 9th, 2003, 12:36 AM
#10
Well, I quit. Maybe you just don't understand me; you're probably right. I was just trying to make sure, and I'll leave it at that.