PaulDotCom mailing list archives
Interesting finding on locked accounts in ADS
From: lyematt at gmail.com (Matt Lye)
Date: Mon, 5 Oct 2009 11:19:58 +1000
In regard to local access it would be the normal access rights the user had on the local machine, unless there was a change in group policy that restricted that based on the access to ADS to authenticate actions. Interesting find, but I'm not sure how you would avoid that without a lot of pain.

-Matthew Lye
You can do anything you set your mind to when you have vision, determination, and an endless supply of expendable labor.
<No trees were harmed during this transmission. However, a great number of electrons were terribly inconvenienced>

On Mon, Oct 5, 2009 at 11:00 AM, Jody & Jennifer McCluggage <j2mccluggage at adelphia.net> wrote:

If using cached credentials (e.g. offline) the account lockout does not go into effect. You still need the correct username and password. I don't know if there is a way to change this behavior. I believe some of the newer versions of Windows also implement varying length of delays after so many failed attempts. I believe that is by design (rightly or wrongly). The thinking is that if the boss takes his notebook home with him, you may not want him to be able to accidentally lock himself out of his machine. Depending upon the policy in place that lockout could last until the administrator unlocks it, and of course the administrator is not available offline. (I always thought that permanent lockout was a bit extreme. A 5-15 minute lockout is usually sufficient under most circumstances to defeat a brute-force attack and does not require an administrator to unlock.)

------------------------------
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian Crenshaw
Sent: Sunday, October 04, 2009 1:28 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Interesting finding on locked accounts in ADS

I just found out something interesting by accident. It seems that if an account is logged in to a box, but the box is locked, you can not unlock it with a locked account (too many bad password attempts I think). However, if you pull the network connection so it has to use cached credentials it will let you right in, then you can reconnect the network cable. I'm not sure if it would work if the user was logged out, but if someone could test and let us know that would be cool. Seems like an interesting oversight.

Adrian

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
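As an added example (not written by anyone in this thread), a small PowerShell audit of whether a host will accept cached domain logons at all, which is the condition under which the domain lockout discussed above does not apply. It assumes it is run with administrator rights on a domain-joined Windows host, and reads the CachedLogonsCount value behind the "Interactive logon: Number of previous logons to cache" policy.

```powershell
# Added example, not code from the thread. Reports whether this host will
# validate domain logons from its local credential cache when no domain
# controller is reachable. Offline validation happens entirely on the
# workstation, so the domain's account lockout counter is never consulted.
# Assumption: domain-joined Windows host, run as a local administrator.

function Get-CachedLogonAudit {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

    # CachedLogonsCount (REG_SZ) backs the policy "Interactive logon: Number of
    # previous logons to cache (in case domain controller is not available)".
    # When the value is absent Windows uses its default of 10.
    $item = Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    $count = if ($null -ne $item) { [int]$item.CachedLogonsCount } else { 10 }

    $finding = if ($count -gt 0) {
        'Cached domain credentials are accepted offline; the domain lockout policy does not limit password attempts made while the host is disconnected.'
    } else {
        'Cached logons are disabled; domain users can only authenticate while a domain controller is reachable, so lockout applies.'
    }

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        CachedLogonsCount   = $count
        OfflineLogonAllowed = ($count -gt 0)
        Finding             = $finding
    }
}

# Usage: run the audit on the local host.
Get-CachedLogonAudit | Format-List
```

Setting the count to 0 removes the offline path entirely, at the cost of the travelling-laptop use case Jody describes, so the value is usually lowered rather than zeroed and the remaining exposure is covered by disk encryption and a strong local password policy.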
Current thread:
- Interesting finding on locked accounts in ADS Adrian Crenshaw (Oct 04)
- Interesting finding on locked accounts in ADS Jim Halfpenny (Oct 04)
- Interesting finding on locked accounts in ADS Jody & Jennifer McCluggage (Oct 04)
- Interesting finding on locked accounts in ADS Vincent Lape (Oct 05)
- Interesting finding on locked accounts in ADS Butturini, Russell (Oct 05)