PaulDotCom mailing list archives

Interesting finding on locked accounts in ADS


From: lyematt at gmail.com (Matt Lye)
Date: Mon, 5 Oct 2009 11:19:58 +1000

In regard to local access it would be the normal access rights the user had
on the local machine, unless there was a change in group policy that
restricted that based on the access to ADS to authenticate actions.

Interesting find, but I'm not sure how you would avoid that without a lot of
pain.

-Matthew Lye

You can do anything you set your mind to when you have vision,
determination, and an endless supply of expendable labor.
<No trees were harmed during this transmission. However, a great number of
electrons were terribly inconvenienced>


On Mon, Oct 5, 2009 at 11:00 AM, Jody & Jennifer McCluggage <j2mccluggage at adelphia.net> wrote:

If using cached credentials (e.g. offline) the account lockout does not
go into effect.  You still need the correct username and password.  I don't
know if there is a way to change this behavior. I believe some of the newer
versions of Windows also implement varying length of delays after so many
failed attempts.



I believe that is by design (rightly or wrongly).  The thinking is that if
the boss takes his notebook home with him, you may not want him to be able
to accidentally lock himself out of his machine.  Depending upon the policy in
place that lock-out could last until the administrator unlocks it and of
course the administrator is not available offline (I always thought that
permanent lock out was a bit extreme. 5 - 15 minute lock out is usually
sufficient under most circumstances to defeat a brute-force attack and does
not require an administrator to unlock.)


 ------------------------------

From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian Crenshaw
Sent: Sunday, October 04, 2009 1:28 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Interesting finding on locked accounts in ADS



I just found out something interesting by accident. It seems that if an
account is logged in to a box, but the box is locked, you cannot unlock it
with a locked account (too many bad password attempts I think). However, if
you pull the network connection so it has to use cached credentials it will
let you right in, then you can reconnect the network cable. I'm not sure if
it would work if the user was logged out, but if someone could test and let
us know that would be cool. Seems like an interesting oversight.

Adrian


_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com
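An added check, not code from the thread, that an administrator can run on a domain-joined Windows host to see the settings behind the behaviour discussed above: the CachedLogonsCount Winlogon value that decides whether cached domain logons are possible at all (set it to 0 on machines that never need to work offline), the lockout policy the machine actually sees, and recent 4624 logons of type 11 (CachedInteractive), which is how a logon or unlock served from the local credential cache appears in the Security log. It assumes an elevated PowerShell session with logon auditing enabled; the seven-day window is an arbitrary choice.

```powershell
# Added example, not from the thread: audit cached-logon settings and recent cached logons.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# CachedLogonsCount is a REG_SZ; the default is 10. A value of 0 disables cached
# domain logons, so an offline unlock must fail instead of bypassing the domain lockout.
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
if ($null -eq $cached) { $cached = '10 (value absent, so the default applies)' }
Write-Host "CachedLogonsCount : $cached"

# Lockout policy as applied to this machine (the domain policy when domain-joined).
net accounts | Where-Object { $_ -match 'Lockout' } | ForEach-Object { Write-Host $_ }

# Logon type 11 = CachedInteractive: an interactive logon or unlock satisfied from
# the local cache rather than by the domain controller. Seven days is an arbitrary window.
$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $since } -ErrorAction SilentlyContinue

$cachedLogons = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($node in $xml.Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
    if ($data['LogonType'] -eq '11') {
        [pscustomobject]@{
            Time   = $e.TimeCreated
            Domain = $data['TargetDomainName']
            User   = $data['TargetUserName']
        }
    }
}

if ($cachedLogons) {
    Write-Host "Cached (type 11) logons since $since :"
    $cachedLogons | Sort-Object Time | Format-Table -AutoSize
} else {
    Write-Host "No cached (type 11) logons found since $since."
}
```

Accounts listed here that were locked out in the directory at the same time are the case described in the thread; the list-side state can be checked with Search-ADAccount -LockedOut where the RSAT ActiveDirectory module is available.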


