[unisog] Threat vector of running a service using a domain account

Gaddis, Jeremy L. jeremy at linuxwiz.net
Fri Sep 14 23:35:17 GMT 2007


On 9/13/07, Paul FM <paulfm at me.umn.edu> wrote:
> term brute force).   Also - cached log-ins are timed out separately.  I
> caused an account to be locked out - then tried using it on a machine on
> which the login was cached and I was able to log in repeatedly.  I had to try
> to log in several times with the wrong password to lock it out on that
> machine (even though the account was already locked out on the domain).   So,
> although account lockout is useful; it has a few problems that you should be
> aware of.

Problem: cached logons allow a locked out/disabled user to log on.
Solution: disable caching

Win2K: "Number of previous logons to cache", set to 0
Win2K3: "Interactive logon: Number of previous logons to cache", set to 0.

(note that that's off the top of my head and could be slightly wrong)

-j

--
Jeremy L. Gaddis, MCP, GCWN
http://www.jeremygaddis.com/
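As an added example (not part of Jeremy's post), the PowerShell below audits and sets the value behind the "Interactive logon: Number of previous logons to cache" policy he names. It assumes that policy is stored as the REG_SZ value `CachedLogonsCount` under `HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon`, that Windows uses a default of 10 when the value is absent, and that the targets of the fleet report have PowerShell remoting enabled; the function names are the example's own.

```powershell
# Added example, not from the original post. Assumption: the policy
# "Interactive logon: Number of previous logons to cache" is backed by the
# REG_SZ value CachedLogonsCount under the Winlogon key below.

function Get-CachedLogonsCount {
    [CmdletBinding()]
    param()
    # Paths are inlined (not script-scope variables) so this function can be
    # shipped as-is to remote sessions by Invoke-Command.
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $item = Get-ItemProperty -Path $key -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows uses its built-in default (assumed to be 10 here).
        return [pscustomobject]@{ Computer = $env:COMPUTERNAME; Configured = $false; Count = 10 }
    }
    return [pscustomobject]@{
        Computer   = $env:COMPUTERNAME
        Configured = $true
        Count      = [int]$item.CachedLogonsCount
    }
}

function Set-CachedLogonsCount {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # Windows accepts 0 through 50 for this setting.
        [Parameter(Mandatory)][ValidateRange(0, 50)][int]$Count
    )
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    if ($Count -eq 0) {
        # This is the trade-off behind "disable caching": with no DC reachable
        # (laptop off-site, DC outage) no domain user can log on interactively.
        Write-Warning 'Count 0: domain users cannot log on when no DC is reachable.'
    }
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, "Set CachedLogonsCount to $Count")) {
        # The value is a REG_SZ holding a decimal string, so write it as a string.
        Set-ItemProperty -Path $key -Name 'CachedLogonsCount' -Value ([string]$Count) -Type String
    }
    # Read back so the caller sees the value that actually took effect.
    return Get-CachedLogonsCount
}

function Get-CachedLogonsCountReport {
    # Fleet audit over WinRM; assumes PS remoting is enabled on the targets.
    param([Parameter(Mandatory)][string[]]$ComputerName)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock ${function:Get-CachedLogonsCount} |
        Select-Object PSComputerName, Configured, Count |
        Sort-Object Count -Descending
}

# Usage (run elevated):
#   Get-CachedLogonsCount
#   Set-CachedLogonsCount -Count 0 -WhatIf
#   Set-CachedLogonsCount -Count 0
#   Get-CachedLogonsCountReport -ComputerName 'host1','host2'
```

On a domain member the registry write is only a test or emergency measure: Group Policy will reapply the policy value on the next refresh, so the durable control is the policy setting itself, with the registry read-back used to confirm it has landed. Note also that lowering the count does not purge cached credentials already stored on the machine; it only limits what is kept from now on.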

