Password Change Utility

Thread starter: sfling

Our company is looking into the possibility of implementing a program on our Windows 2003 domain that would enable the end user to reset their password and re-enable their account if locked out. They will be asked a few personal questions, then the program will change their password and display a 128-bit encrypted web page displaying their password. I am not personally in favor of this application running on the network and I am looking for any suggestions that I may need to look out for. Any suggestions???
 
I don't like the idea either, as you will have to have a "database" of their passwords stored somewhere, as passwords are not stored in Active Directory - their hashes are, which can possibly be recovered by a program like LC5, but that could take a long time if LM hash storage is disabled and the user has a password like " 77Yy!@--bb£)) ". I would reconsider your lockout policy. Microsoft recommends that you use a lockout threshold of no less than ten and to implement complex passwords. If you do such and have a lockout time period of ten minutes, you can eliminate most administrator intervention in reactivating an account and still effectively deter brute force password attacks. If you implement a password lookup program, you end up with lazy users. They just have to learn to be more careful in managing their passwords. The link below is official Microsoft stuff on account lockout policy recommendations. --- Steve

http://www.microsoft.com/technet/Se...3/w2003hg/sgch02.mspx#XSLTsection123121120120
 
We do already have a lockout policy created... The accounts do not even unlock after a specific time; our service desk is required to unlock accounts. I am more concerned with the idea of having an application available to our users that asks them a few questions then resets their accounts for them. I don't think the program they are looking at using stores the passwords in a table? It just seems to me like we would be opening a huge gaping hole; I am just having a hard time revealing it. Any recommendations would be greatly appreciated.


-----Original Message-----
I don't like the idea either as you will have to have a "database" of their passwords stored somewhere as passwords are not stored in Active Directory - their hashes are which can possibly be recovered by a program like LC5 but that could take a long time if lm hash storage is disabled and the user has a password like " 77Yy!@--bb£)) ". I would reconsider your lockout policy. Microsoft recommends that you use a lockout
 
I agree with you. I suggest that they consider that you look at Microsoft recommendations in the link I provided and consider having the accounts reset themselves after a short period of time so as not to involve the service desk all the time. If your account lockout threshold is less than ten then it is too low. Raising it will decrease the amount of lockouts yet still protect from password attacks, particularly if you enforce complex passwords. In addition you can enable auditing of account management on your domain controllers to see when accounts have been locked out by viewing the security log of your PDC FSMO for Event ID 642. That way you still will know when a domain account has been locked out and for what user. --- Steve
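The two checks Steve describes (a lockout threshold of at least ten with a short lockout duration, and auditing lockouts on the PDC emulator's security log) can be scripted. The following is an added example written for this thread, not code from any poster or from the product the original poster is evaluating. It assumes PowerShell 2.0 or later, a domain member with rights to read the PDC emulator's Security log and the local LSA registry key, and an event ID parameter you set for your DC version: the thread cites Event ID 642, while the "User Account Locked Out" event is 644 on Windows Server 2003 and 4740 on Server 2008 and later. The parameter names `$LockoutEventId`, `$Hours` and `$RepeatLimit` are the example's own.

```powershell
# Added example (not from the thread): compare the domain lockout policy with the
# recommendations given in this thread, check LM hash storage, and summarise recent
# lockouts per user from the PDC emulator's Security log.
param(
    [int]$LockoutEventId = 644,   # assumption: 644 on Server 2003, 4740 on 2008+; thread cites 642
    [int]$Hours = 24,             # how far back to read the Security log
    [int]$RepeatLimit = 3         # users locked out more often than this are flagged
)

# --- 1. Lockout policy: thread recommends threshold >= 10 and a 10 minute duration ---
# "net accounts /domain" prints the domain policy as "Label:   value" lines.
$policy = @{}
net accounts /domain | ForEach-Object {
    if ($_ -match '^(Lockout threshold|Lockout duration \(minutes\)|Lockout observation window \(minutes\)):\s+(\S+)') {
        $policy[$matches[1]] = $matches[2]
    }
}
$threshold = $policy['Lockout threshold']            # "Never" when lockout is disabled
$duration  = $policy['Lockout duration (minutes)']   # "Never"/0 means an administrator must unlock

if ($threshold -eq 'Never') {
    Write-Warning 'Account lockout is disabled: password guessing is never slowed down.'
} elseif ([int]$threshold -lt 10) {
    Write-Warning "Lockout threshold is $threshold; the thread recommends no less than 10 to cut service-desk unlocks."
}
if ($duration -eq 'Never' -or $duration -eq '0') {
    Write-Warning 'Lockout duration requires an administrator unlock; consider a short automatic unlock (e.g. 10 minutes).'
}

# --- 2. LM hash storage (first reply): NoLMHash = 1 stops LM hashes being stored on the next password change ---
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if (-not $lsa -or $lsa.NoLMHash -ne 1) {
    Write-Warning 'NoLMHash is not set on this host; stored LM hashes make offline recovery with tools like LC5 far faster.'
}

# --- 3. Lockout auditing: lockouts are always recorded on the PDC emulator, so read its Security log ---
$pdc   = [System.DirectoryServices.ActiveDirectory.Domain]::GetCurrentDomain().PdcRoleOwner.Name
$since = (Get-Date).AddHours(-$Hours)
$lockouts = Get-EventLog -LogName Security -ComputerName $pdc -InstanceId $LockoutEventId -After $since -ErrorAction Stop

# ReplacementStrings[0] is the locked-out account name in both the 644 and 4740 event layouts.
# Grouping by user separates a forgetful user (one or two lockouts) from sustained guessing.
$lockouts |
    Group-Object { $_.ReplacementStrings[0] } |
    Sort-Object Count -Descending |
    ForEach-Object {
        $flag = if ($_.Count -gt $RepeatLimit) { 'REPEAT - review logon failures for this account' } else { '' }
        '{0,-25} {1,5}  {2}' -f $_.Name, $_.Count, $flag
    }
```

Run it from an elevated PowerShell session on a domain controller (the NoLMHash check reads the local registry, so run it on the PDC emulator to check the same host whose log is queried). Account management auditing must be enabled on the domain controllers, as Steve notes, or step 3 returns nothing.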


A simpler theory. If they can't remember their passwords how are they
going to remember the answers to three questions?


hth
John Brown
"Bears have more fun, we hibern8 alot"
 