Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: NT
From: ko () MARCH CO UK (Y W Ko)
Date: Thu, 20 Feb 1997 11:12:33 -0000


Hi all,

-----Original Message-----
From:  stuart () brody sonnet co uk [SMTP:brody () GPO SONNET CO UK]
Sent:  Wednesday, February 19, 1997 4:22 PM
To:    BUGTRAQ () NETSPACE ORG
Subject:       NT

I don't know if you people out there no this - until I rattled
Microsofts cage they didn't know that much either:

Problem Description: When using the NET USER command to query users
in-correct information is returned.  If NET USER is used in another
way then the user id is corrupted.  (not given as I don't want to
assist anybody wrecking their own domain)

<<<< snip >>>>>

Text:

In a recent audit of user accounts on a clients site a queried users
using the NET USER command (NET USER <UserID> /DOMAIN) to establish
when users last logged into the domain, after trying 10 users
(including my own) it soon became apparent that the returning values
were extremely suspect, NT was claiming that the last login date and
time was NEVER, even though I was signed onto the system.

<<<< snip >>>>>>>

However, if this is rubbish then how does NT then determine when users
passwords expire (how does NT work out what date to get the user to
change password on) and how does the Audit Log/Event Viewer then log
when a user signs in, for this situation the check would need to be
done 8 times; the consequences of which undermine the C2 compliance
and opens a whole can of worms.

<<<< snip >>>>

It is actually more confusing than that. The following is quoted from
the SDK on line help that comes with VC++ 4.2:

< start quote >

USER_INFO_3
:
:
usri3_bad_pw_count
Specifies the number of attempts to log on to this account using an
incorrect password. .....
This member is maintained separately on each Backup Domain Controller
(BDC) in the domain. To get an accurate value, each BDC in the domain
must be queried, and the largest value is used.

< end quote >

The last bit, that "the largest value is used",  is really
mind-boggling.
This applies to other logon information such as, number of logons and
last logon/logoff time. I can sort of see some logic for last
logon/logoff
time. But the fact that one of the BDC contains the largest bad password
or
num logon counts is beyond me.
In any case, does all this mean that if one of the BDC which contains
"some" of these "largest values" goes down, we won't be able to
accurately
validate such important logon information.

Stuart Ross
inquiry () brody sonnet co uk

Cheers,
              Ko



  By Date           By Thread  

Current thread:
  • Re: NT Y W Ko (Feb 20)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]