Bypassing Windows 2000 Domain Password settings

From: Gino Genari (mail226518@pop.net)
Date: 05/01/02


From: "Gino Genari" <mail226518@pop.net>
To: <focus-ms@securityfocus.com>
Date: Tue, 30 Apr 2002 18:45:34 -0400

I am trying to confirm what I read in the Bugtraq article 4256
http://online.securityfocus.com/bid/4256

and that a fix is not available for this yet. I tended to read this article
as limited to the password age.

Here is the problem: policy (GPO) is set to remember X number of passwords
with a minimum and maximum password age, and the password has a minimum
length set to X.

These settings have been confirmed using FAZAM 2000, and the Security
Configuration analyzer snap-in.

Yet the user can press CTRL+ALT+DELETE, change password, then proceed to
change the password to anything (even blank) bypassing all the security
settings specified above.

The Windows 2000 domain is running in native mode, but the user IDs were
migrated from an NT4 domain using the ADMT.

All other settings from the GPO are working correctly.

Gino