PaulDotCom mailing list archives

Interesting finding on locked accounts in ADS

From: j2mccluggage at adelphia.net (Jody & Jennifer McCluggage)
Date: Sun, 4 Oct 2009 21:00:05 -0400

If using cached credentials (e.g. offline) the account lockout does not go
into effect.  You still need the correct username and password.  I don't
know if there is a way to change this behavior. I believe some of the newer
versions of Windows also implement varying length of delays after so many
failed attempts. 

 

I believe that is by design (rightly or wrongly).  The thinking is that if
the boss takes his notebook home with him, you may not want him to be able
to accidently lock himself out of his machine.  Depending upon the policy in
place that lock-out could last until the administrator unlocks it and of
course the administrator is not available offline (I always thought that
permanent lock out was a bit extreme. 5 - 15 minute lock out is usually
sufficient under most circumstances to defeat a brute-force attack and does
not require an administrator to unlock.) 

 

  _____  

From: pauldotcom-bounces at mail.pauldotcom.com
[mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Adrian Crenshaw
Sent: Sunday, October 04, 2009 1:28 PM
To: PaulDotCom Security Weekly Mailing List
Subject: [Pauldotcom] Interesting finding on locked accounts in ADS

 

I just found out something interesting by accident. It seems that if an
account is logged in to a box, but the box is locked, you can not unlock it
with a locked account (too many bad password attempts I think). However, if
you pull the network connection so it has to use cached credentials it will
let you right in, then you can reconnect the network cable. I'm not sure if
it would work if the user was logged out, but if someone could test and let
us know that would be cool. Seems like an interesting oversight.

Adrian

No virus found in this incoming message.
Checked by AVG - www.avg.com
Version: 8.5.409 / Virus Database: 270.14.3/2413 - Release Date: 10/04/09
06:20:00

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20091004/893f2ba6/attachment.htm

Current thread:

Interesting finding on locked accounts in ADS Adrian Crenshaw (Oct 04)
- Interesting finding on locked accounts in ADS Jim Halfpenny (Oct 04)
- Interesting finding on locked accounts in ADS Jody & Jennifer McCluggage (Oct 04)
  - Interesting finding on locked accounts in ADS Matt Lye (Oct 04)
    - Webcast Nils (Oct 05)
    - Webcast Robin Wood (Oct 05)
- Interesting finding on locked accounts in ADS Vincent Lape (Oct 05)
- Interesting finding on locked accounts in ADS Butturini, Russell (Oct 05)