Re: SP4 and n-2 password protection?

From: Scott (spauseREMOVETHIS_at_excite.com)
Date: 06/30/03


Date: Mon, 30 Jun 2003 11:27:50 -0700


I've tested this in my lab by upgrading both the (only)
DC from SP3 and a win2K server. I changed my password
normally (with a regular account) and then logged in
again typing in my old password several times. The
account was locked out.

Environ:
Win2k SP4 DC in Native mode with Exchange 2K
Win2K SP4 server (doing nothing)

It would appear that the fix isn't in SP4, unless there
is a reg entry. If someone has proof to the contrary,
please let us know.

>-----Original Message-----
>On Sat, 28 Jun 2003 13:16:04 -0700, Scott wrote
><018201c33db2$19e46f60$a301280a@phx.gbl>
>> There was some amount of advertising earlier this year
>> regarding a new capability coming with SP4 and Windows
>> 2003 called N-2 password protection. It was designed to
>> protect accounts from being locked out from their last
>> two valid passwords.
>
>
>I believe Password History Check (N-2) and Single User Object Replication
>are both rolled into
>http://support.microsoft.com/?scid=812499
>
>As such, both are enabled by default in Windows 2000 Server in an AD Domain
>running at SP4.
>
>
>> This is a critical feature that my company desperately
>> needs. There is ZERO documentation regarding the
>> inclusion of this and other related fixes in SP4.
>>
>> Could someone at MS please assist with tracking this
>> down? It would also be highly advised to post this
>> information in the SP4 Readme if it is included as this
>> changes account lockout behavior and could be unexpected.
>
>I agree this could be documented better. If MS has implemented this
>correctly, Password History Check (N-2) really doesn't weaken the security
>posture. The Win2k3 version is here.
>http://www.microsoft.com/technet/prodtechnol/windowsserver2003/maintain/operate/BPACTLCK.asp
>but Win2k SP4 documentation needs clarified.
>
>The bottom line for me is that applications with expired passwords fail
>instead of locking out the account. Same with users. When Sally uses last
>month's password on a Monday morning, she's simply denied access rather than
>locking herself out. The unexpected change in SP4 may be fewer lockouts. :)
>
>Or maybe I'm wrong and getting this documented for Win2k is the better
>answer...
>
>Matt Scarborough 2003-06-30
>.
>
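
The N-2 check as described in the quoted reply, modelled as a bad-password counter and run against the lab test from the post (change the password, then retry the old one). This is an added example, not part of either message and not Microsoft's code; the class and function names, the PBKDF2 stand-in for the stored hash, the sample passwords and the lockout threshold of 3 are all assumptions made for the model.

```python
import hashlib, hmac, os

def _digest(password: str, salt: bytes) -> bytes:
    # Stand-in for the stored credential hash; constructed for this model only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000)

class Account:
    """Toy model of an account's bad-password counter (hypothetical names)."""

    def __init__(self, password, threshold=3, history_check=2):
        self.threshold = threshold          # assumed lockout threshold
        self.history_check = history_check  # 2 = N-2 check, 0 = no history check
        self.bad_pwd_count = 0
        self.locked = False
        self.history = []                   # previous passwords, newest first
        self._set(password)

    def _set(self, password):
        self.salt = os.urandom(16)
        self.current = _digest(password, self.salt)

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_digest(password, salt), digest)

    def change_password(self, new_password):
        self.history.insert(0, (self.salt, self.current))
        self._set(new_password)

    def logon(self, password):
        if self.locked:
            return "locked"
        if self._matches(password, (self.salt, self.current)):
            self.bad_pwd_count = 0
            return "ok"
        # N-2 check: one of the last two passwords is denied but not counted.
        recent = self.history[:self.history_check]
        if not any(self._matches(password, e) for e in recent):
            self.bad_pwd_count += 1
            self.locked = self.bad_pwd_count >= self.threshold
        return "locked" if self.locked else "denied"

def replay_old_password(history_check, attempts=5):
    """The lab test from the post: change the password, retry the old one."""
    acct = Account("Spring2003!", history_check=history_check)  # constructed
    acct.change_password("Summer2003!")
    results = [acct.logon("Spring2003!") for _ in range(attempts)]
    return results, acct.bad_pwd_count
```

If the check is active on the domain controller, the replay should leave the counter at zero; a lockout after the threshold, as in the lab test above, matches the `history_check=0` run.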
