Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

RE: ADSI question

from [Paul Aviles] Network Security [Permanent Link]
Subject: RE: ADSI question
Date: Thu, 26 Aug 2004 08:10:33 -0400 
Arthur thanks,
Well, is for documentation purposes. For audit and documentation
purposes it needs to be done. The client is on AD already but if we
enable strong password doesn't that mean that all the passwords that do
not meet the criteria get disabled? That has been my experience in the
past..

Thanks
-pa

-----Original Message-----
From: afreyman@dsw.net [mailto:afreyman@dsw.net] 
Sent: Wednesday, August 25, 2004 8:13 PM
To: Paul Aviles; focus-ms@securityfocus.com
Subject: RE: ADSI question


I don't believe you can use ADSI to accomplish that. That's a pretty
useful idea, but definitely a security risk. The closest you probably
can come to that is to perhaps run the MBSA tool against your server. I
know that it reports if a user has a weak or a blank password for SQL,
but I am not certain about the domain passwords. A more drastic approach
would be to run a password cracker against your SAM and see what types
of passwords are out there. 

But I don't really understand why you need to do that. I am sure someone
will correct me if I am wrong, but complexity requirements are enforced
when a password is changed or created. Existing passwords can remain the
same. New rules will apply when the passwords expire or a new account is
created.


You are correct about the install of AD in the new environment. As far
as the in-place upgrade, my best guess is that Windows 2003 will enable
the complexity requirements regardless of your previous security policy.
It shouldn't be too much of a problem though. You can leave the policy
in place and wait for user's password to expire or you can disable it
right after your upgrade completes. 


Arthur Freyman


-----Original Message-----
From: Paul Aviles [mailto:paviles@adjoined.com] 
Sent: Wednesday, August 25, 2004 9:31 AM
To: focus-ms@securityfocus.com
Subject: ADSI question

Is it possible to use ADSI to query user accounts and find if they are
using a strong password? Before using GPO's to enable it, I need to have
an audit and show how many people don't have them.  Is this a property
of the users?

Also, I believe that when you install AD in a new environment by default
it has strong password enabled. Is that the same when you do an in place
migration?

Thanks

Paul

------------------------------------------------------------------------
---
------------------------------------------------------------------------
---

---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: ADSI question, Bruce K. Marshall
Next by Date:  RE: ADSI question, Laura A. Robinson
Previous by Thread:  RE: ADSI question, Laura A. Robinson
Next by Thread:  RE: ADSI question, c0ncept
Indexes:  [Date] [Thread] [Top] [All Lists]