RE: UF_PASSWD_NOTREQD user account flag

From: dave kleiman (dave_at_isecureu.com)
Date: 03/16/05

  • Next message: Wozny, Scott (US - New York): "RE: UF_PASSWD_NOTREQD user account flag"
    To: "'Petr Merta'" <pmerta@lynguent.com>, <focus-ms@securityfocus.com>
    Date: Wed, 16 Mar 2005 13:43:58 -0500
    
    

    Petr,

    > can anybody here explain the real meaning of
    > UF_PASSWD_NOTREQD flag of Windows user account?

    It means password not required, or from the GUI's setting your minimum
    password length to "0".

    > I've found
    > bunch of user accounts in W2K domain with this flag set; when
    > I've tried to perform interactive or network logon with them,
    > it failed.

    You can still have that flag set, yet have other policies/security options
    that require accounts to have passwords to be able to log in, i.e. the
    setting "Limit local account use of blank password to console", and remember
    that by default most remote (TS, RDP, Remote Registry, Telnet) services
    require passwords.

    > I've found no descriptive documentation besides of
    > vague "password not required" statement. My questions are:
    > -- what's the actual meaning of this flag?

    It really, really means no password required; it does not mean that some
    other policy setting might not override it.

    > -- are there some circumstances under which it is possible to
    > logon to account with this flag set (without password)?

    Yes, it is possible. Locally on a box if the security policy allows it, or
    by turning off the no-blank-password requirement of some service, etc.

    >
    > Thanks for any info and/or reference.
    >

    Dave Kleiman

    www.SecurityBreachResponse.com www.ComputerForensicInvestigations.com

    ---------------------------------------------------------------------------
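
An audit for the flag discussed in this thread, as an added example that is not part of the original message or written by its author. It assumes the ActiveDirectory (RSAT) PowerShell module and read access to the domain; the report property names are chosen here for illustration.

```powershell
# Added example, not from the original thread.
# Lists domain user accounts that carry UF_PASSWD_NOTREQD and shows the
# settings that decide whether the flag matters in practice.
Import-Module ActiveDirectory

$UF_ACCOUNTDISABLE = 0x0002   # lmaccess.h
$UF_PASSWD_NOTREQD = 0x0020   # lmaccess.h

# 1.2.840.113556.1.4.803 is the LDAP bitwise-AND matching rule.
$filter = '(&(objectCategory=person)(objectClass=user)' +
          "(userAccountControl:1.2.840.113556.1.4.803:=$UF_PASSWD_NOTREQD))"

$report = Get-ADUser -LDAPFilter $filter `
        -Properties userAccountControl, pwdLastSet, lastLogonTimestamp |
    ForEach-Object {
        $uac = [int]$_.userAccountControl
        [pscustomobject]@{
            SamAccountName    = $_.SamAccountName
            Enabled           = -not ($uac -band $UF_ACCOUNTDISABLE)
            # 0 = password never set, or a change is forced at next logon
            PwdLastSetZero    = ($_.pwdLastSet -eq 0)
            LastLogonUtc      = if ($_.lastLogonTimestamp) {
                                    [datetime]::FromFileTimeUtc($_.lastLogonTimestamp)
                                } else { $null }
            DistinguishedName = $_.DistinguishedName
        }
    }

# Enabled accounts first: those are the ones where the flag matters today.
$report |
    Sort-Object @{ Expression = 'Enabled'; Descending = $true }, SamAccountName |
    Format-Table -AutoSize

# Domain minimum password length, for comparison with the per-account flag.
(Get-ADDefaultDomainPasswordPolicy).MinPasswordLength

# Local policy mentioned in the reply: 1 = local accounts with a blank
# password are restricted to console logon.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
(Get-ItemProperty -Path $lsa -Name LimitBlankPasswordUse `
    -ErrorAction SilentlyContinue).LimitBlankPasswordUse

# Clearing the flag after review (left commented out on purpose):
# $report | Where-Object Enabled | ForEach-Object {
#     Set-ADAccountControl -Identity $_.DistinguishedName -PasswordNotRequired $false
# }
```

The registry check reads the machine the script runs on, so run it on each host whose local accounts are in question.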