SEC: UNCLASSIFIED --- Some Passwords on 2K Member Servers not wor king???

From: Vidler, Christopher MR (Christopher.Vidler_at_DEFENCE.GOV.AU)
Date: 10/15/03

  • Next message: Joe Dance: "Unannounced revisions to MS patches"
    Date:         Wed, 15 Oct 2003 10:39:38 +1000
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    Greeting all, I run an intranet server with restricted access (it holds our
    network diagrams), I have it set to use NT authentication, and create local
    accounts on the web server itself (2K Server SP3). The sever is a member of
    a NT4 domain, not that this should matter. Anyway back on track...

    When a new user is granted access I create them a local user account on the
    web server, add them to the appropriate groups, and generate a random
    password to start them off with (I've written an ASP/WMI tool to allow
    password changes via web pages). now I've come across this several times,
    but didn't think of it til today when I had an extra hard time with it.

    Sometimes the random passwords I generate (a small VB program I wrote, that
    also gives a phonetic alphabet output so 1's and I's or O's and 0's don't
    get messed) and paste into the password box do not work!!! Now since I'm
    cutting and pasting I'm sure there is no human error involved, but some
    passwords, not all, just won't let the users logon (I've tried and
    duplicated this effect with the example I'll give below), change the
    password to something else and bingo, the logon works. change the password
    back to the 'broken' password, and logons fail.

    I generate 8 character random passwords made up of upper and lower case
    letters and numbers, no punctuation of extended/Unicode characters, just
    stuff that can be easily typed on the keyboard.

    cCEatYoL
    hjkkM2HP
    RvquBdFS
    etc...

    Now for the vast majority of times this has worked flawlessly (the server
    now has in excess of 300 local accounts on it), Only 3 times in the past
    has it failed, and today it failed twice for the same account. i.e.. I
    created it with a 'bad' password, was informed by the user it wasn't
    working, and generated a new password which was also 'bad', but luckily
    third time worked.

    Today this is the bad password in question (only the 8 char password on the
    first line, not the phonetic spelling, is used):
    Password: nGJ63Y8g
                november GOLF JULIET SIX THREE YANKEE EIGHT golf

    I wasn't thinking in advance and didn't document the second bad password for
    this particular account, but the third (working) password is below. The
    user has now successfully logged on and changed his password.
    Password: Hupa1ZK3
                    HOTEL uniform papa alpha ONE ZULU KILO THREE

    (note that now neither of these passwords are in use)

    If someone else can try creating an account (unsure if it has to be a local
    account, or if it affects domain accounts too) with the first password
    above, and see if it works, let me know either way, as I want to know if it
    is just me/my server or something to do with the formation of the passwords.
    Maybe windows password hashing breaks down with certain inputs?!?

    I'll (from now) be keeping a record of passwords that don't work, and will
    endeavour to update this list with any findings.

    Thanks
    Mr. Chris Vidler
    Senior Network Performance Analyst
    Department of Defence
    Canberra, Australia

    ----
    NTBugtraq subscribers save $103.00 off the TICSA exam by using promo
    code "NT1003" when registering to take the TICSA exam at www.2test.com.
    Prove to your employer and peers that you have the knowledge and
    abilities to be an active stakeholder in today's enterprise security.
    Become TICSA certified www.trusecure.com/ticsa.  Promotion expires
    12/31/03 and cannot be used in combination with other offers.
    ----
    

  • Next message: Joe Dance: "Unannounced revisions to MS patches"

    Relevant Pages

    • Re: Re-Post - "the trust relationship between this workstation and the
      ... "the trust relationship between this workstation and the primary domain ... only problem is adding a new user account on the station. ... Client computer must use STRICTLY the INTERNAL DNS server which can ... Attr: subschemaSubentry ...
      (microsoft.public.windows.server.active_directory)
    • Re: Same question, still no answer!!!
      ... Sounds then like we are all paying for a feature set only large companies ... The "proxy server" pc is actually an older box stuffed ... Expectation #1) keep the ethernet more or less as is. ... The kids account would be ...
      (microsoft.public.windowsxp.basics)
    • Re: Re-Post - "the trust relationship between this workstation and the
      ... "the trust relationship between this workstation and the primary domain ... only problem is adding a new user account on the station. ... This would be on the DNS server 172.20.100.2 ... Attr: subschemaSubentry ...
      (microsoft.public.windows.server.active_directory)
    • Sending email to mydomain.com
      ... server will appear as undeliverable. ... This happens because you are using the POP3 connector... ... an NDR when an account doesn't exist). ... >different from the user account names for the exchange ...
      (microsoft.public.windows.server.sbs)
    • RE: SOME Users cannot access OWA others do, error HTTP 500
      ... I understand that some account access OWA ... IIS 6.0 compression corruption causes access violations ... compressed copy of the affected files on the SBS server: ...
      (microsoft.public.windows.server.sbs)