Subject: Re: restrict anonymous
From: David Parker (dcparkermctHOTMAIL.COM)
Date: Tue Jun 13 2000 - 13:45:24 CDT


Out of the box NT 4.0 server already requires a user to sign on and be
authenticated before they can change their password. They have several ways
to change their Domain password:

1) They can log in and then use their client method to change their Domain
password (e.g. Control Panel ... Passwords... in Win 95)

2) When their password is approaching expiry, they are given a warning, and
a chance to change their password.

3) If their password has expired, or if the Administrator has checked "User
Must Change Password at next login", then the user will be forced to change
their password before they can log in. Here is where the fun begins.

Unfortunately, the checkbox you are referring to in the User Manager for Domains
... Account ... Policy dialog box applies a Catch-22 to scenario 3. 1 and 2
are unaffected. But if the "User Must Logon to Change password" checkbox is on,
and the password has expired, then they must:

- log in before they can change their password
- change their password before they can log in

See the problem? Result: more frustration for end users, more administrivia
for help desk / sysAdmin.

Recommendation: Do not check this box, there is no security gain.

IMHO

David C. Parker
Technical Trainer
Edmonton, Alberta, CANADA
dcparkermcthotmail.com

>From: Gu1tarb0yAOL.COM
>Reply-To: Focus on Microsoft Mailing List <FOCUS-MSSECURITYFOCUS.COM>
>To: FOCUS-MSSECURITYFOCUS.COM
>Subject: Re: restrict anonymous
>Date: Mon, 12 Jun 2000 16:13:37 EDT
>
>re: prevent users (in some circumstances) from changing their passwords when
> they expire. It returns an error stating that "You do not have permission to
> change your password."
>
> Is it possible that in User Manager for Domains, you have the box at the
> bottom checked that requires that users be logged in successfully before they
> can change their passwords? After all, that is an excellent security
> practice.
>
> Jim McFarlen
