w2k AD security question


yannacci

All,

One of the programmers at my office wrote an application that queries
the AD for username and password info. To the best of my understanding
the user goes to a website, enters their login information, and the
information is checked against their AD user account. The security
problem here is that it doesn't lock the user out after three invalid
passwords. Am I missing something here? In my opinion, this seems
like a pretty serious security flaw. Thanks.

Ken

"yannacci" wrote:
: One of the programmers at my office wrote an application that queries
: the AD for username and password info. To the best of my understanding
: the user goes to a website, enters their login information, and the
: information is checked against their AD user account. The security
: problem here is that it doesn't lock the user out after three invalid
: passwords. Am I missing something here? In my opinion, this seems
: like a pretty serious security flaw. Thanks.

If the script is only obtaining the information from AD and not trying to
authenticate, then the issue is with your developer. If the security
settings are used properly, then the request will be passed to AD and
returned and your policies will be enforced.

--
Roland Hall
/* This information is distributed in the hope that it will be useful, but
without any warranty; without even the implied warranty of merchantability
or fitness for a particular purpose. */
Online Support for IT Professionals -
http://support.microsoft.com/servicedesks/technet/default.asp?fr=0&sd=tech
How-to: Windows 2000 DNS:
http://support.microsoft.com/default.aspx?scid=kb;EN-US;308201
 
Roland,

Thank you for your response. So it really isn't a security issue at
all then. If I am correct, all the AD is doing is giving a "yes or no"
answer to the login information that is provided by the script instead
of requesting authentication to access resources etc. Would you agree?
Thanks.

Ken

"yannacci" wrote:
: Thank you for your response. So it really isn't a security issue as
: all then. If I am correct, all the AD is doing is giving a "yes or no"
: answer to the login information that is provided by the script instead
: of requesting authentication to access resources etc. Would you agree?
: Thanks.

Without seeing the code, one would have to assume that is what is happening.
He might be grabbing the information from AD and then testing what the user
inputs himself. If so, he needs to write code to lock the account after so
many attempts, depending on your policy, but the proper way to do it is to
just pass it to AD and let it handle it itself. In other words, take the
user's response and try to log on, capture the response and either allow the
user in if successful or deny and request an additional attempt. Once AD
responds that the account is locked out, he should then notify the user.

The easiest way is to just remove the anonymous user's logon and use only
authenticated logons. This way the developer is out of the loop altogether.
If the user can get to his app, then they have been authenticated. If not,
then they haven't and there is nothing for him to do either way.

--
Roland Hall
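The flow Roland describes above (pass the credentials to AD, act on its answer, and tell the user only when AD reports a lockout) as an added Python example; this is not code from the thread or from the ColdFusion application it discusses. The bind function is injected: the real one would be an LDAP simple bind through a library such as ldap3 (assumed, sketched in a comment), and FakeDC is a constructed stand-in for the domain controller so the logic runs offline.

```python
import re
from dataclasses import dataclass

# AD answers a failed simple bind with LDAP result 49 and puts the real reason in "data <hex>".
AD_BIND_DATA_CODES = {
    "525": "user_not_found", "52e": "invalid_credentials", "530": "logon_time_restriction",
    "532": "password_expired", "533": "account_disabled", "701": "account_expired",
    "773": "password_must_change", "775": "account_locked_out",
}

def classify_bind_failure(diagnostic: str) -> str:
    """Map AD's 'data NNN' sub-code to a reason; unrecognised text -> 'unknown'."""
    m = re.search(r"\bdata\s+([0-9a-fA-F]+)", diagnostic)
    return AD_BIND_DATA_CODES.get(m.group(1).lower(), "unknown") if m else "unknown"

@dataclass
class LoginResult:
    allowed: bool
    reason: str    # for the server-side log
    message: str   # for the user: generic, except for lockout as the thread suggests

def web_login(upn: str, password: str, bind) -> LoginResult:
    """bind(upn, password) -> (ok, diagnostic) must perform the real LDAP simple bind,
    e.g. with ldap3 (assumed usage): c = Connection(Server('ldaps://dc', use_ssl=True),
    user=upn, password=password); ok = c.bind(); diagnostic = c.result['message']."""
    if not password:  # RFC 4513: a DN with an empty password is an UNauthenticated
        return LoginResult(False, "empty_password", "Login failed.")  # bind; AD accepts it
    ok, diag = bind(upn, password)
    if ok:
        return LoginResult(True, "ok", "Welcome.")
    reason = classify_bind_failure(diag)
    if reason == "account_locked_out":
        return LoginResult(False, reason, "Account locked out; contact the help desk.")
    return LoginResult(False, reason, "Login failed.")

class FakeDC:
    """Constructed stand-in for a domain controller with a lockout threshold of 3.
    web_login keeps no failure counter: the lockout policy lives in the directory."""
    def __init__(self, accounts, threshold=3):
        self.accounts, self.threshold, self.bad = accounts, threshold, {}
    def bind(self, upn, password):
        err = lambda code: f"AcceptSecurityContext error, data {code}, v893"
        if upn not in self.accounts:
            return False, err("525")
        if self.bad.get(upn, 0) >= self.threshold:
            return False, err("775")
        if password == self.accounts[upn]:
            self.bad[upn] = 0
            return True, "success"
        self.bad[upn] = self.bad.get(upn, 0) + 1
        return False, err("52e")
```

Once the directory has locked the account, even the correct password is refused with data 775, which is exactly the signal the application should relay to the user instead of counting attempts itself.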
"yannacci" wrote:
: He is using a function in ColdFusion. I am not too familiar with this
: package.

I'm not either but in general terms, you can ask, is he making the
comparison or is the OS? If the OS is doing it, then there is an issue. If
he is doing it, then it's not complete and he is circumventing your
security.

--
Roland Hall
 
Is there any way to prevent him from circumventing my security? This
guy is an idiot and doesn't really know what he is doing. Instead of
spending hours trying to figure out what he is doing, I would like to
disable his ability to do this. Thanks.

Ken

"yannacci" wrote:
: Is there any way to prevent him from circumventing my security? This
: guy is an idiot and doesn't really know what he is doing. Instead of
: spending hours trying to figure out what he is doing, I would like to
: disable his ability to do this. Thanks.

Well, first things first. First, block him from getting to this NG thread!
(O:=
If he is the developer, and you do not have control over the development,
you're not going to be very successful unless you have someone in your dept
that can talk to someone over him at a peer level.

What works for me, when I don't have control of someone, but it does
directly affect my work/position, is I ask how they are doing something. I
like to do it in email so there's a record of his response.

Hey Joe, when users authenticate when trying to logon to _________, they
appear to have infinite retries signing on. Can you tell me how you're
testing the authentication so perhaps I can make some adjustments on my end?

Ok, up front this looks like you're BSing him but you didn't classify what
the adjustments were. They would be how to handle your argument to have
changes made immediately. Managers, especially those without a clue, don't
understand when you talk technical. However, if you write it down, throw in
a PowerPoint presentation with some animation (probably hackers penetrating
a logical layout of the LAN similar to PacMan...hehe), then the point hits
home. However, and this is key, you MUST have an alternative solution.
It's normally not good enough to say, "I don't know what the answer is but
this isn't it." So, if you can get some code snippets, which you should be able
to do even without [him] providing it, and have someone render a professional
opinion and a solution, it should, in a perfect world, be a piece of cake.

I do not offer any information that is not crucial. If he is a developer,
explaining it is a security issue is a waste of time. He may be only doing
what he is told which means your words will fall on deaf ears. The worst
thing would be for him to pacify you and then not do anything to correct it.
I have worked with these types of people on more than one occasion. Never
deal directly with them. Deal with someone above them who can dictate
orders if you're on their peer level. If not, pass it to your boss and let
him deal with it. DO NOT verbalize it to your boss. Write a report, give
your professional opinion, list the facts and let it go. If it's not
important to someone over you, then you have removed yourself from any
responsibility. Unfortunately, sometimes that's all that can be done.

Good luck!
 