Passprop pitfalls - Was: Trace of 139 attack?
From: Windex King (WindexKing@mor-lan-d.com)Date: 07/29/01
- Previous message: Rubens Altimari: "Re: Post-Windows NT 4.0 Service Pack 6a Security Rollup"
- In reply to: H C: "Re: FW: Trace of 139 attack?"
- Next in thread: Stephen Pinto: "FW: Trace of 139 attack?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Message-ID: <3B64473C.FBEA3CED@mor-lan-d.com> Date: Sun, 29 Jul 2001 13:26:20 -0400 From: Windex King <WindexKing@mor-lan-d.com> To: H C <keydet89@yahoo.com> Subject: Passprop pitfalls - Was: Trace of 139 attack?
H C wrote:
--snip--
>
> So then the question is...will it allow interactive
> login lockouts for standalone servers and
> workstations?
--snip--
No. passprop works the same way on Workstations and
Standalone servers as it does on Domain Controllers
(for NT 4.0, I'm not sure about W2K)
That is the "administrator" account can be locked out if:
1. account lockout is enabled for the system
2. the thresholds specified in #1 are triggered [Note 1]
for the "administrator" account [Note 2]
Note 1: You will only trigger the account lockout thresholds
via Type 3 logons (see reply to Thor below)
Note 2: Passprop works for the account with RID 500. So even
if you renamed your administrator account, passprop
will allow it to be locked out if the aforementioned
conditions are met.
Thor@HammerofGod.com wrote:
>
> Just to be clear for all of the faithful readers
> out there, passprop.exe can be used to lockout the
> administrator account over network connections, but
> not for interactive logons.
>
> AD
As owentoby@WellsFargo.COM pointed out in a later post
AD's comment is "half true".
One must remember that we're talking about NT's interpretation
of a network logon as opposed to any logon via the network.
Let me explain. If I map a drive to a server it's a Type
3 logon to the remote machine which NT considers a network
logon.
If I logon to a remote NT box via an OpenSSH daemon it's
a Type 2 Advapi logon which is seen as a a *LOCAL* logon by
NT and subsequently by passprop.
Here are some other logons that are deemed local even though
they happen via the network (this is not an exhaustive list!)
- logons via Terminal Server (per owentoby's earlier comment)
- logons via WinVNC
- logons via PC Anywhere
- logons via FTP daemons
- logons via Basic Auth over HTTP (credit to thor@hammerofgod.com)
- etc.
So, when using passprop one must remember to put extra controls
on the access paths which allow "local" logon ability via the
network since failure to do makes passprop much less effective.
W K
- Previous message: Rubens Altimari: "Re: Post-Windows NT 4.0 Service Pack 6a Security Rollup"
- In reply to: H C: "Re: FW: Trace of 139 attack?"
- Next in thread: Stephen Pinto: "FW: Trace of 139 attack?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
