Re: SP4 and n-2 password protection?

From: Dean Wells (dwells_at_mask.msetechnology.com)
Date: 06/30/03


Date: Sun, 29 Jun 2003 22:15:15 -0500


I suggested that the cache be bound to a user and the requesting IP
address, maintain only a volatile cache (in memory) per DC for a
configurable period of time (suggested 30 seconds as this feature mostly
serves to mitigate automatic authentication attempts from mis-behaving
applications with a cached password). This approach also removes the
minor attack-exposure increase that the n-2 mechanism provides.

I'll look into the hot fix designation, I researched my docs. on the
feature but I'm afraid none of them allude to anything specific. I'll
post back if I manage to dig anything up.

Dean

-- 
Dean Wells [MVP / Windows platform]
MSEtechnology
dwells@msetechnology.com
[[ Please respond to the Newsgroup only ]]
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:ewMKMikPDHA.304@tk2msftngp13.phx.gbl...
> So that means they should have at least two requests like that on top of me spouting it in the newsgroups multiple times
> and telling Alliance Premier and telling MCS. :o)
>
> I can understand where it could get resource intensive say maintaining the cache, but maybe have a quick turnaround on
> the cache timeout.
>
> Hey Dean do you know if N-2 has a hot fix designation number?
>
> -- 
> Joe Richards
> www.joeware.net
>
> --
>
> "Dean Wells" <dwells@mask.msetechnology.com> wrote in message
> news:umK1StjPDHA.1380@TK2MSFTNGP11.phx.gbl...
> > Interesting comment Joe, I submitted the exact same feature request to
> > WinSE a couple of months ago as a suggested replacement to the current
> > n-2 mechanism.
> >
> > Dean
> >
> > -- 
> > Dean Wells [MVP / Windows platform]
> > MSEtechnology
> > dwells@msetechnology.com
> > [[ Please respond to the Newsgroup only ]]
> >
> >
> > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> > news:ujE0YxePDHA.2160@TK2MSFTNGP11.phx.gbl...
> > > Ah yes, that is supposed to be in there, I forgot about that one. I agree if it made it in it should be documented in
> > > the list of changes.
> > >
> > > Good fix, personally I would also like to see a fix where if the same password is being sent over and over again even if
> > > it isn't one of the last two it won't lock the account. Obviously if the same password is constantly being sent, it
> > > isn't a hack attempt which lockouts are in place to prevent.
> > >
> > > -- 
> > > Joe Richards
> > > www.joeware.net
> > >
> > > --
> > >
> > > "Scott" <spauseREMOVETHIS@excite.com> wrote in message
> > news:018201c33db2$19e46f60$a301280a@phx.gbl...
> > > > There was some amount of advertising earlier this year
> > > > regarding a new capability coming with SP4 and Windows
> > > > 2003 called N-2 password protection.  It was designed to
> > > > protect accounts from being locked out from their last
> > > > two valid passwords.
> > > >
> > > > This is a critical feature that my company desperately
> > > > needs.   There is ZERO documentation regarding the
> > > > inclusion of this and other related fixes in SP4.
> > > >
> > > > Could someone at MS please assist with tracking this
> > > > down?  It would also be highly advised to post this
> > > > information in the SP4 Readme if it is included as this
> > > > changes account lockout behavior and could be unexpected.
> > >
> > >
> >
> >
>
>
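
The cache proposed in the top message (bound to a user and the requesting IP address, held only in memory, 30-second lifetime) can be sketched as follows. This is an added example, not code from the thread and not Microsoft's implementation. The class and function names, the lockout threshold, the keyed fingerprint and the fixed (non-refreshing) window are assumptions made for illustration.

```python
import hashlib
import hmac
import os


class LockoutCounter:
    """Bad-password counter with a volatile repeat-suppression cache (hypothetical)."""

    def __init__(self, threshold=5, cache_ttl=30.0):
        self.threshold = threshold    # assumed lockout threshold
        self.cache_ttl = cache_ttl    # seconds; 30 is the figure suggested in the post
        self._key = os.urandom(32)    # per-process key, so the cache dies with the process
        self._bad = {}                # user -> counted bad attempts
        self._recent = {}             # (user, ip) -> (fingerprint, expiry)

    def _fingerprint(self, password):
        # Assumption: keep a keyed digest, never the submitted password itself.
        return hmac.new(self._key, password.encode(), hashlib.sha256).digest()

    def is_locked(self, user):
        return self._bad.get(user, 0) >= self.threshold

    def record_failure(self, user, ip, password, now):
        """Register a failed logon; return True if it counted toward lockout."""
        # Drop expired entries so the cache stays small.
        self._recent = {k: v for k, v in self._recent.items() if v[1] > now}
        fp = self._fingerprint(password)
        hit = self._recent.get((user, ip))
        if hit and hmac.compare_digest(hit[0], fp):
            return False  # same wrong password from the same source: a retry, not a guess
        # Fixed window: expiry is set on the counted attempt and not refreshed by
        # retries, so a stuck client still costs one count per cache_ttl.
        self._recent[(user, ip)] = (fp, now + self.cache_ttl)
        self._bad[user] = self._bad.get(user, 0) + 1
        return True


def replay(events, **kwargs):
    """Feed (time, user, ip, password) failures; return (counter, counted flags)."""
    counter = LockoutCounter(**kwargs)
    return counter, [counter.record_failure(u, ip, pw, t) for t, u, ip, pw in events]


# Constructed sample: a service retrying a stale password once a second.
STUCK_APP = [(t, "alice", "10.0.0.5", "OldPass1") for t in range(10)]
# Constructed sample: three different wrong passwords from one source.
GUESSING = [(t, "alice", "10.0.0.9", "guess%d" % t) for t in range(3)]
```

Because the cache holds one fingerprint per user and source, any change of password or source address counts as a fresh bad attempt, so ordinary guessing still reaches the threshold.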