Re: SP4 and n-2 password protection?
From: Dean Wells (dwells_at_mask.msetechnology.com)
Date: 06/30/03
- Next message: Keith W. McCammon: "Re: Win 2k Pro"
- Previous message: Dave Makin: "Persistent spamming in the name of Microsoft"
- In reply to: Matt Scarborough: "Re: SP4 and n-2 password protection?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 30 Jun 2003 07:30:41 -0500
Great link Matt ... thanks!
One comment, you mentioned that the n-2 mechanism doesn't really
increase the attack surface area. I agree with you to an extent but it
does expose a user's previous two passwords (even to the UI) in that
when using some form of a brute force attack (at least online), with
little modification it is now perfectly feasible to deduce not only the
current password but the previous two passwords. In addition, either of
these passwords may well persist as the effective password on DCs that
have not yet received the update through replication, DCs that have
been taken offline, DCs that have been restored to a previous state and
are currently out of replication reach, or other non-related services
such as a password to an online banking site (social engineering has
proven that individuals tend to re-use the same password across a
variety of secured systems).
As I said, the increase is nominal but, IMHO, any increase is a bad
thing especially when alternative mechanisms are available. The effect
of this feature addition is most certainly a positive one but I feel the
alternative approaches would have served us a little better.
Dean
--
Dean Wells [MVP / Windows platform]
MSEtechnology
dwells@msetechnology.com
[[ Please respond to the Newsgroup only ]]

"Matt Scarborough" <vexversa@verizon.net> wrote in message
news:onivfvc62ng6efv1p8m19aghn461ta0o3b@msnews.microsoft.com...
> On Sat, 28 Jun 2003 13:16:04 -0700, Scott wrote
> <018201c33db2$19e46f60$a301280a@phx.gbl>
> > There was some amount of advertising earlier this year
> > regarding a new capability coming with SP4 and Windows
> > 2003 called N-2 password protection. It was designed to
> > protect accounts from being locked out from their last
> > two valid passwords.
>
> I believe Password History Check (N-2) and Single User Object Replication
> are both rolled into
> http://support.microsoft.com/?scid=812499
>
> As such, both are enabled by default in Windows 2000 Server in an AD Domain
> running at SP4.
>
> > This is a critical feature that my company desperately
> > needs. There is ZERO documentation regarding the
> > inclusion of this and other related fixes in SP4.
> >
> > Could someone at MS please assist with tracking this
> > down? It would also be highly advised to post this
> > information in the SP4 Readme if it is included as this
> > changes account lockout behavior and could be unexpected.
>
> I agree this could be documented better. If MS has implemented this
> correctly, Password History Check (N-2) really doesn't weaken the security
> posture. The Win2k3 version is here.
> http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp
> but Win2k SP4 documentation needs clarifying.
>
> The bottom line for me is that applications with expired passwords fail
> instead of locking out the account. Same with users. When Sally uses last
> month's password on a Monday morning, she's simply denied access rather than
> locking herself out. The unexpected change in SP4 may be fewer lockouts. :)
>
> Or maybe I'm wrong and getting this documented for Win2k is the better
> answer...
>
> Matt Scarborough 2003-06-30
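To make the lockout behaviour discussed in this thread concrete, here is an added simulation (not code from the thread, nor Microsoft's implementation) of a domain controller that applies the N-2 history check: a logon with one of the two previous passwords is refused but does not advance the bad-password counter, which is why "Sally" is denied rather than locked out, and also why such a refusal is a distinct event a defender should log and count. The SHA-256 stand-in for the credential hash, the lockout threshold of 5 and the password values are constructed assumptions.

```python
from dataclasses import dataclass, field
import hashlib
import hmac

HISTORY_DEPTH = 2        # the "N-2" window: the two passwords before the current one
LOCKOUT_THRESHOLD = 5    # constructed policy value, not a Windows default

def digest(pw: str) -> bytes:
    # Stand-in for the DC's stored credential hash (assumption: SHA-256 here).
    return hashlib.sha256(pw.encode()).digest()

@dataclass
class Account:
    current: bytes
    history: list = field(default_factory=list)   # previous hashes, most recent first
    bad_count: int = 0
    locked: bool = False
    audit: list = field(default_factory=list)     # refusals that did NOT count toward lockout

    def change_password(self, pw: str) -> None:
        # Push the old hash into the N-2 window and drop anything older.
        self.history = ([self.current] + self.history)[:HISTORY_DEPTH]
        self.current = digest(pw)

def logon(acct: Account, pw: str, n2_enabled: bool) -> str:
    """Return 'success', 'denied', 'denied-stale' or 'locked'. With N-2 on, a
    previous password is refused without touching bad_count, so it cannot lock out."""
    if acct.locked:
        return "locked"
    d = digest(pw)
    if hmac.compare_digest(d, acct.current):
        acct.bad_count = 0            # a good logon resets the counter
        return "success"
    if n2_enabled and any(hmac.compare_digest(d, h) for h in acct.history):
        acct.audit.append("stale password refused, not counted")   # worth alerting on
        return "denied-stale"
    acct.bad_count += 1
    if acct.bad_count >= LOCKOUT_THRESHOLD:
        acct.locked = True
        return "locked"
    return "denied"

def sally_monday(n2_enabled: bool, tries: int = 8) -> tuple:
    """Sally's account has rolled through three passwords; on Monday she keeps
    typing last month's. Returns (outcomes, locked?, uncounted refusals logged)."""
    acct = Account(current=digest("april-pw"))
    acct.change_password("may-pw")
    acct.change_password("june-pw")
    outcomes = [logon(acct, "may-pw", n2_enabled) for _ in range(tries)]
    return outcomes, acct.locked, len(acct.audit)
```

With N-2 enabled every attempt returns "denied-stale" and the account never locks; with it disabled the fifth attempt locks the account, which is the "fewer lockouts" change the thread describes.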