[4074] in bugtraq


Re: NT

daemon@ATHENA.MIT.EDU (Y W Ko)
Thu Feb 20 11:27:13 1997

Date: 	Thu, 20 Feb 1997 11:12:33 -0000
Reply-To: Y W Ko <ko@MARCH.CO.UK>
From: Y W Ko <ko@MARCH.CO.UK>
X-To:         "stuart@brody.sonnet.co.uk" <stuart@brody.sonnet.co.uk>
To: BUGTRAQ@netspace.org

Hi all,

>-----Original Message-----
>From:  stuart@brody.sonnet.co.uk [SMTP:brody@GPO.SONNET.CO.UK]
>Sent:  Wednesday, February 19, 1997 4:22 PM
>To:    BUGTRAQ@NETSPACE.ORG
>Subject:       NT
>
>I don't know if you people out there know this - until I rattled
>Microsoft's cage they didn't know that much either:
>
>Problem Description: When using the NET USER command to query users
>incorrect information is returned.  If NET USER is used in another
>way then the user id is corrupted.  (not given as I don't want to
>assist anybody wrecking their own domain)
>
><<<< snip >>>>>
>
>Text:
>
>In a recent audit of user accounts on a client's site I queried users
>using the NET USER command (NET USER <UserID> /DOMAIN) to establish
>when users last logged into the domain, after trying 10 users
>(including my own) it soon became apparent that the returning values
>were extremely suspect, NT was claiming that the last login date and
>time was NEVER, even though I was signed onto the system.
>
><<<< snip >>>>>>>
>
However, if this is rubbish then how does NT then determine when users'
passwords expire (how does NT work out what date to get the user to
change password on) and how does the Audit Log/Event Viewer then log
when a user signs in, for this situation the check would need to be
done 8 times; the consequences of which undermine the C2 compliance
and open a whole can of worms.

<<<< snip >>>>

It is actually more confusing than that. The following is quoted from
the SDK on line help that comes with VC++ 4.2:

< start quote >

USER_INFO_3
:
:
usri3_bad_pw_count
Specifies the number of attempts to log on to this account using an
incorrect password. .....
This member is maintained separately on each Backup Domain Controller
(BDC) in the domain. To get an accurate value, each BDC in the domain
must be queried, and the largest value is used.

< end quote >

The last bit, that "the largest value is used", is really
mind-boggling.
This applies to other logon information such as number of logons and
last logon/logoff time. I can sort of see some logic for last
logon/logoff time. But the fact that one of the BDCs contains the
largest bad password or num logon counts is beyond me.
In any case, does all this mean that if one of the BDCs which contains
"some" of these "largest values" goes down, we won't be able to
accurately validate such important logon information?
>
>Stuart Ross
>inquiry@brody.sonnet.co.uk
>
>Cheers,
>               Ko
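
The SDK rule quoted in the message (query every domain controller, keep the largest value), together with the case Ko raises of a BDC being down, as an added example that is not part of the original message or of Microsoft's code. NetUserGetInfo and USER_INFO_3 are the real Win32 API; dc_answer, merged_info, merge_dc_answers and query_dc are hypothetical names, and treating any NetUserGetInfo failure as "DC unreachable" is an assumption.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One domain controller's answer for a single account (hypothetical struct). */
typedef struct {
    int      reachable;     /* 0 if this DC could not be queried */
    uint32_t last_logon;    /* seconds since 1970; 0 = no logon recorded on this DC */
    uint32_t bad_pw_count;  /* failed logons counted by this DC only */
} dc_answer;

typedef struct { uint32_t last_logon, bad_pw_count; int complete; } merged_info;

/* Keep the largest value of each field; complete = 1 only if every DC answered. */
merged_info merge_dc_answers(const dc_answer *a, size_t n)
{
    merged_info m = {0, 0, n > 0};
    for (size_t i = 0; i < n; i++) {
        if (!a[i].reachable) { m.complete = 0; continue; }
        if (a[i].last_logon > m.last_logon) m.last_logon = a[i].last_logon;
        if (a[i].bad_pw_count > m.bad_pw_count) m.bad_pw_count = a[i].bad_pw_count;
    }
    return m;
}

#ifdef _WIN32
#include <windows.h>
#include <lm.h>
/* Ask one DC for level 3 info; link with netapi32.lib. Any error = unreachable. */
dc_answer query_dc(const wchar_t *server, const wchar_t *user)
{
    dc_answer r = {0, 0, 0};
    LPBYTE buf = NULL;
    if (NetUserGetInfo(server, user, 3, &buf) == NERR_Success) {
        const USER_INFO_3 *ui = (const USER_INFO_3 *)buf;
        r.reachable = 1;
        r.last_logon = ui->usri3_last_logon;
        r.bad_pw_count = ui->usri3_bad_pw_count;
    }
    if (buf) NetApiBufferFree(buf);
    return r;
}
#endif

int main(void)
{   /* Constructed sample: PDC saw no logon, BDC1 did, BDC2 is down. */
    dc_answer s[] = {{1, 0, 0}, {1, 856436400u, 2}, {0, 0, 0}};
    merged_info m = merge_dc_answers(s, 3);
    printf("last=%lu bad=%lu complete=%d\n", (unsigned long)m.last_logon,
           (unsigned long)m.bad_pw_count, m.complete);
    return 0;
}
```

In the constructed sample the PDC alone would report a last logon of 0, and the merged result is marked incomplete because one BDC did not answer, so its values are only a lower bound.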
