Subject: NT
Date: Wed, 19 Feb 1997 16:22:14 0
Reply-To: stuart@brody.sonnet.co.uk
From: "stuart@brody.sonnet.co.uk" <brody@GPO.SONNET.CO.UK>
To: BUGTRAQ@NETSPACE.ORG
I don't know if you people out there know this - until I rattled
Microsoft's cage they didn't know that much either:
Problem Description: When using the NET USER command to query users,
incorrect information is returned. If NET USER is used in another
way then the user id is corrupted. (Not given as I don't want to
assist anybody wrecking their own domain.)
Domain Set-up:
1 PDC
7 BDCs, 4 of which all live on the same hub.
NT Version:
Server 3.51 service pack 5
Text:
In a recent audit of user accounts on a client's site I queried users
using the NET USER command (NET USER <UserID> /DOMAIN) to establish
when users last logged into the domain. After trying 10 users
(including my own) it soon became apparent that the returning values
were extremely suspect: NT was claiming that the last login date and
time was NEVER, even though I was signed onto the system.
After a meeting with the local NT specialist at this company we both
did investigation work and queried another domain at the PDC level
and got back the answers that we were expecting. We returned to the PDC
and BDCs of the domain in question and ran the NET USER <UserID>
command locally on each server. From the findings it would appear
that each server would have a different date and time of last login for
each user, i.e. no consistency. After much investigation it
transpires that the NET USER command only runs the query at the PDC,
therefore all information given by the PDC will only be from one
source, i.e. itself. Everyone that was under the
assumption/understanding that the PDC held the most up-to-date record
of users' login times is wrong.
However, if this is rubbish then how does NT determine when users'
passwords expire (how does NT work out what date to get the user to
change password on), and how does the Audit Log/Event Viewer then log
when a user signs in? For this situation the check would need to be
done 8 times; the consequences of which undermine the C2 compliance
and open a whole can of worms.
All servers are running the same date and time using the "NET TIME"
command.
Microsoft replied:
BDCs do not hold read-only data of the SAM, they hold read/write. So
when a user has to change their password (i.e. they have exceeded the
maximum password age) they send the new password to the BDC. Upon
synchronisation the BDC updates are sent to the PDC before being
replicated to other servers; operation normal(?!)
Although Auditing Policy may state that Login and Logout are to be
logged, there is no CENTRAL log for this event, therefore if you've
got 8 servers you've got to compare 8 Event Logs!; again operation normal
according to Microsoft.
Microsoft - make life easier - keep things centralised!, put these
controls into a place that makes it easy for both administrator and
auditor alike to do their job!!!!!
Stuart Ross
inquiry@brody.sonnet.co.uk
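The post's finding is that each domain controller only knows about the logons it authenticated itself, so the true last-logon time for a user is the most recent value across all eight servers, not whatever the PDC answers. The script below is an added example (not part of Stuart's post and not a Microsoft tool) that takes the output of NET USER <UserID> as captured locally on each DC, parses the "Last logon" field, and reports the domain-wide answer together with a warning when the PDC alone would have misled the auditor. The server names, timestamps and the exact column layout of the NET USER output are constructed, and the "Last logon" label and US m/d/yy h:mm AM/PM date format are assumptions about what the command prints.

```python
import re
from datetime import datetime
from typing import Dict, Optional, Tuple

# Constructed sample: what "NET USER stuart" might print when run locally on
# each of the eight domain controllers. Server names and timestamps are made
# up, and the column layout only approximates NT's real output.
SAMPLE_OUTPUT: Dict[str, str] = {
    "PDC":  "User name                    stuart\nLast logon                   Never\n",
    "BDC1": "User name                    stuart\nLast logon                   2/19/97 9:12 AM\n",
    "BDC2": "User name                    stuart\nLast logon                   2/18/97 5:40 PM\n",
    "BDC3": "User name                    stuart\nLast logon                   Never\n",
    "BDC4": "User name                    stuart\nLast logon                   2/19/97 4:05 PM\n",
    "BDC5": "User name                    stuart\nLast logon                   Never\n",
    "BDC6": "User name                    stuart\nLast logon                   2/17/97 8:30 AM\n",
    "BDC7": "User name                    stuart\nLast logon                   Never\n",
}

# Assumed field label: "Last logon", then whitespace, then the value.
LAST_LOGON_RE = re.compile(r"^Last logon\s+(.+?)\s*$", re.IGNORECASE | re.MULTILINE)
DATE_FORMAT = "%m/%d/%y %I:%M %p"   # assumed US short date/time as NET USER prints it


def parse_last_logon(text: str) -> Optional[datetime]:
    """Return the Last logon timestamp from one server's NET USER output,
    or None if the field is missing, unparseable, or reads 'Never'."""
    m = LAST_LOGON_RE.search(text)
    if m is None:
        return None
    value = m.group(1).strip()
    if value.lower() == "never":
        return None
    try:
        return datetime.strptime(value, DATE_FORMAT)
    except ValueError:
        return None   # unknown rather than aborting the whole audit


def reconcile_last_logon(
    outputs: Dict[str, str]
) -> Tuple[Optional[datetime], Optional[str], Dict[str, Optional[datetime]]]:
    """Combine per-server answers. Each DC only records the logons it
    authenticated itself, so the domain-wide last logon is the latest
    value seen on any DC. Returns (latest, server it came from, per-server map)."""
    per_server = {srv: parse_last_logon(txt) for srv, txt in outputs.items()}
    known = {srv: ts for srv, ts in per_server.items() if ts is not None}
    if not known:
        return None, None, per_server
    best_server = max(known, key=lambda s: known[s])
    return known[best_server], best_server, per_server


def pdc_answer_is_stale(outputs: Dict[str, str], pdc: str = "PDC") -> bool:
    """True when querying the PDC alone would mislead: it reports Never or an
    older time than some BDC, which is exactly the behaviour the post describes."""
    latest, _, per_server = reconcile_last_logon(outputs)
    if latest is None:
        return False          # no DC has seen a logon, so the PDC's Never is correct
    pdc_value = per_server.get(pdc)
    return pdc_value is None or pdc_value < latest


def audit_report(outputs: Dict[str, str], user: str, pdc: str = "PDC") -> str:
    """Human-readable summary: every server's answer, the reconciled value,
    and a warning if the PDC on its own would have given the wrong picture."""
    latest, source, per_server = reconcile_last_logon(outputs)
    fmt = lambda ts: ts.strftime(DATE_FORMAT) if ts else "Never"
    lines = [f"Last logon audit for {user}:"]
    for srv in sorted(per_server):
        lines.append(f"  {srv:5s} {fmt(per_server[srv])}")
    if latest is None:
        lines.append("  Domain-wide: Never (no DC has authenticated this user)")
    else:
        lines.append(f"  Domain-wide: {fmt(latest)} (from {source})")
    if pdc_answer_is_stale(outputs, pdc):
        lines.append(f"  WARNING: {pdc} alone would have answered '{fmt(per_server.get(pdc))}'")
    return "\n".join(lines)


if __name__ == "__main__":
    print(audit_report(SAMPLE_OUTPUT, "stuart"))
```

In practice the dictionary would be filled by running NET USER <UserID> on each server, as the post describes, and pasting the captured text in; the same reconciliation (take the maximum across all controllers) is what an auditor needs whenever a per-server value is never replicated.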