Re: bad logon attempts against the Unlock dialog box don't count
From: JuanMedia (juanmedia_at_eresmas.com)
Date: 05/29/04
- Next message: bobp: "Unknown password"
- Previous message: Jason Wilcox: "Configure Secure Screen Saver En Masse"
- In reply to: Umit AKKUS [MSFT]: "Re: bad logon attempts against the Unlock dialog box don't count"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 28 May 2004 15:11:05 -0700
Hi all,
thankyou Umit for your interest, here is the complete procedure taken from my notes:
1.- Install a W2K Server, all default settings.
2.- Once installed, login as administrator and start Active Directory Wizard.
3.- Select "Domain Controler", "Create New domain tree", "Create new forest of domains trees", DNS: "blas.com", previous windows version domain name: "BLAS", default location for database & sysvol, DNS is not configured. Would you...?: No I will configure it by my self. Permisions compatible with prewindows 2k servers, "wizard is configuring...etc", Finish (user administrator password typed somewhere in the process, I can't remember exactly where). Ok, so, let's reboot!
4.- Now we have our AD, we create a user. Start->Programs->AdministrativeTools->ActiveDir Users and computers. Folder Users -> New user, I named her "secondadmin", once correctly created we asign administrative rights, adding her to "Administrators" group. This last step is necesary because the "Only administrator users can login..." security policy (see below).
5.- Let's go now with the security account policy. Ok, Start->Programs->Admin Tools->Domain Security Policy, Security Settings ->AccountLockoutPolicy->AcountLockThreshold = 3.
6.- Logoff from the administrator session.
7.- Login as "secondadmin". This is the reason for the extra step in point 4.
8.- Lock the computer.
9.- Type incorrect passwords: one, two, three times... and... weheeee! "Your account is disabled" message box appeard. Ok, ok, I'm not happy about this, but I was worried since you answered, because I would have post a wrong message in a MS group... ;-D
10.- So, now, we have our domain controler locked, but we have the administrator username and password, so we unlock the computer and we login as the administrator (our "secondadmin" user is still locked).
11.- Start->Progrms->AdminTools->Users and Comp. Folder Users, secondadmin... and yes, "Account locked out" is checked.
Here it is.
Ok, ok, but this is not a very good test, because we have done this from the AD controler. Let's do it from another wksta joined to our new "blas.com" domain.
12.- We join a W2kProf named "littleblas" to the domain (right click on "my computer", "properties", new domain "BLAS", restart).
13.- Once littleblas is here again, we login as "secondadmin". I have unchecked previously the "account locked" checkbox in the domain controler.
14.- We are logged in, so, we lock the computer. Let's see.
15.- Ok, ok, here we go... crtl+alt+del..., one, two..., two and a half..., and three! Yes, the message is again here! The account is locked. Ok, lets come back to the ADControler... Yes. Yes. The "account locked" checkbox is again checked.
And, yes. I repeat. I agree that this should be the correct behaviour, because if not, I can try another user password, and try, try, try, until I will get the correct one. I think this is the sense of the "account lock threshold" policy, that if a user password is tried X times, the user account will be locked, and so, the attacker will not have the posibility to continue gessing. So, from a security point of view, it's prefectly correct! But then, what is that note about? Am I doing something wrong?
Ok, just now I have tried from a XP joined to the "BLAS" domain, again with secondadmin user, and the user account it has been locked.
I'm sorry Umit, I don't have a Windows 2003 to test with. Could be a behaviour only for 2003 AD servers?
Thankyou very much.
----- Umit AKKUS [MSFT] wrote: -----
Are you trying to unlock the machine with a different user than who has
locked the machine? If so, then the behavior is expected. Otherwise I'm
unable to reproduce the problem (on XP in WS03 domain) you're talking about
below. Can you please send precise steps to reproduce the problem?
Thanks
--
This posting is provided "AS IS" with no warranties, and confers no rights.
Umit AKKUS [MSFT]
"JuanMedia" <juanmedia@eresmas.com> wrote in message
news:15F8CB59-CF39-4474-A3E1-CA4EDA5FCA6A@microsoft.com...
> Hi all,
> I have a quite weird question to ask about the lock user lockout account
> threshold. We have found in the Windows NT, 2K and XP documentation at the
> Technet; and also at the msdn websites, this note:
> "Note: Bad logon attempts to a workstation against a password-protected
> screen saver don't increase the lockout threshold. Similarly, if you lock
> a server or workstation using Ctrl+Alt+Delete, bad logon attempts against
> the Unlock dialog box don't count."
> ...but, oh surprise!, we have tested this against three diferent domains
> (including an old WNT), and the behaviour is exactly the oposite, all
> failed password attempts count as failed logon. In my opinion this is the
> correct way to do the unlocking of a workstation, because if not, it would
> be a higly security risk for the users passwords, obiously. The curious
> thing is that we have found the above note in several places, but we are
> not capable of reproduce that behaviour. In all of our tests we allways
> get the user acount locked.
> Do you know if this is a documentation "mistake"?
> If don't, does someone know how to configure the AD or users workstations,
> to achieve the behaviour the above note says?
>> The note above is at the Technet here (for XP):
> http://www.microsoft.com/technet/prodtechnol/windows2000serv/deploy/confeat/08w2kada.mspx
> The msdn note is here:
> http://msdn.microsoft.com/library/default.asp?url=/library/en-us/gp/507.asp
>> Thankyou very much.
- Next message: bobp: "Unknown password"
- Previous message: Jason Wilcox: "Configure Secure Screen Saver En Masse"
- In reply to: Umit AKKUS [MSFT]: "Re: bad logon attempts against the Unlock dialog box don't count"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
