Results 1 to 10 of 10

Thread: Password Change Hole

  1. #1

    Password Change Hole

    a. ok now, what you need to do is to:
    >> run compmgmt.msc b. and >>click on local
    >> users and groups.
    >> Open 'users' folder.
    >> Double Click On the user of your choice

    The Form Should Have:
    <Label> "user name"

    full name: <textbox>

    description: <Textbox>

    <Checkbox> user must change password at next logon

    <Checkbox> user cannot change password

    <Checkbox>(Checked) password never expires

    <Checkbox> account is disabled

    <Checkbox> account is locked out

    <3 Buttons>"ok" "cancel" "apply"

    Look at the checkbox labeled "password never expires" , it should be checked. What You Can Do Is Uncheck It.

    Tthe 'user must change password at next logon' box is unchecked. If you put a check in this box of course,
    when you shut down the system will prompt for a new password!

    I belive that there is a way to FIX this hole by right clicking on any account ans usind the menu below.
    [set password...]
    [all tasks]
    [delete]
    [rename]
    [properties]
    [help]

    I'm not to sure how you can use the abov menu to disable the editing of an account but if there are any ideas then i would love to know.

  2. #2
    Banned
    Join Date
    May 2003
    Posts
    1,004
    I am not sure what you are talking about here... you need to be an administrative user to alter user settings like this, in which case you can simply reset the user's password.

    Even if you tell the password to expire (which _should_ be set in your security policy) and force the user to change at next logon, it will not prompt you when you shutdown the system, it will prompt the user in question after their next successful logon. (meaning they need to know the current password)

    Admin users will always have the ability to administer the accounts (funny how that works) since that is a primary aspect of the Admin's role. Operators and Security Operators do different things, but handling user settings is always an Admin job.

    So, again I am not sure what you are talking about, I see no hole. In fact using the Admin to change the user password still won't recover EFSed files for you, so that isn't even an issue where there is a hole that the Admin can abuse.

    catch

  3. #3
    i belive thats why you run compmgmt.msc b. and >>click on local

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    To slightly add to what catch has said:

    If you cannot trust people with admin/superuser/security passwords, why employ them and allow them access

    cheers

  5. #5
    Then how about DOS>>"NET USER ADMIN ********", if i run the prompr before logging on under ADMIN i will still be able to change the damin password.

  6. #6
    Banned
    Join Date
    May 2003
    Posts
    1,004
    Then how about DOS>>"NET USER ADMIN ********", if i run the prompr before logging on under ADMIN i will still be able to change the damin password.
    First things first, no memeber of the NT line has MS-DOS on it. They do have text command lines that _look_ similar to DOS, but there is no DOS.

    Second, the only way you can force a user to change their password is as an administrative user, are you doing this from the Admin account? Have your added your user to the Admins group?

    There is no hole in this situation besides perhaps an awful configuration on your system.

    catch

  7. #7
    but still you can change the pass through he PROMPT with netuser and that doesn't need Admin access

  8. #8
    Banned
    Join Date
    May 2003
    Posts
    1,004
    but still you can change the pass through he PROMPT with netuser and that doesn't need Admin access
    Only if you are running as an Admin level user!

    catch

  9. #9
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Only if you are running as an Admin level user!
    Absolutely correct. If you don't have admin privledges... you'll get a big fat "access denied".

    Szafran: Try your technique with an account that doesn't have admin privledges... you'll see that it won't work.

  10. #10
    well i quit, maybe you just don't understand me, your probably right, i was just trying to make sure, and i'll leave it at that.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •