Monday 16 May 2011

userAccountControl and the "no password required" value (bypassing password policy)

To find out whether there are AD accounts in your domain that may be allowed to have blank passwords in spite of a restrictive password policy, list all users together with their userAccountControl value using something like Softerra LDAP Browser or Somarsoft DumpSec. The flag of interest is PASSWD_NOTREQD (0x0020, decimal 32): when it is set, the domain controller does not apply the minimum password length from the policy to that account. First connect to a DC, select the attributes you want, and then create a report.

[Screenshot: Softerra - Directory Search]


An example of a filter (computer objects inherit from the user class, so they have to be excluded explicitly; the two msExchResourceSearchProperties clauses drop Exchange room and equipment mailboxes):

(&(objectClass=User)(!(objectClass=computer))(!(msExchResourceSearchProperties=Equipment))(!(msExchResourceSearchProperties=Room)))

[Screenshot: Softerra - Select attributes]


[Screenshot: DumpSec - Select attributes]


An example of uAC values and their descriptions (the value is a sum of flags; find the full list in the MS article below):

512     NORMAL_ACCOUNT
514     NORMAL_ACCOUNT + ACCOUNTDISABLE (2)
544     NORMAL_ACCOUNT + PASSWD_NOTREQD (32)
546     NORMAL_ACCOUNT + ACCOUNTDISABLE + PASSWD_NOTREQD
66048   NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD (65536)
66080   NORMAL_ACCOUNT + DONT_EXPIRE_PASSWORD + PASSWD_NOTREQD


If you have a password policy in place and you try to set a blank password for a normal (512) account using ADUC and admin credentials, you will get a pop-up error saying "The password does not meet password policy requirements." If you try the same on an account whose uAC has "password not required" set (for example 544 = 512 + 32), Active Directory accepts the blank password: the flag exempts the account from the policy's length check.

If an account is configured with the uAC set to “no password required”, the user still won’t be able to change her password to a blank one using the Windows 7 change password feature.

If you have an account with a blank password and the uAC set to "password not required", and you try to change the uAC value to "password required", you will get an error saying "Unable to update the password. The value provided for the new password does not meet the length…". This is a useful piece of information: the DC re-validates the stored password against the policy when the flag is cleared, so the error itself tells you that the account's password is blank. Once you set a password that meets the password policy requirements, you can change the uAC value to "password required".

The uAC value can be changed through ADSIEdit if there are only a few of these accounts, or it can be scripted. If you decide to write a script, remember that system accounts such as the built-in Guest and the "Internet Guest Account" (IUSR_<machine>) are supposed to have the uAC set to "no password required", so make sure you don't modify the system accounts. For anything else, set a compliant password first and clear the flag second, in that order.
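The detection and the remediation described above, as an added PowerShell example that is not part of the original post. It uses the ActiveDirectory module (RSAT) rather than an LDAP browser, matches the PASSWD_NOTREQD bit with the LDAP bitwise-AND matching rule instead of dumping every uAC value, and follows the post's own observation that clearing the flag fails while the stored password is blank. The exclusion of RID 501 (Guest) and IUSR_* names as "system accounts", and the random temporary password format, are assumptions to adjust for your domain.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module.
Import-Module ActiveDirectory

$PASSWD_NOTREQD = 0x0020   # userAccountControl flag, decimal 32

# LDAP_MATCHING_RULE_BIT_AND: match objects where the given bit is set.
# objectCategory=person excludes computer objects without a separate clause.
$filter = "(&(objectCategory=person)(objectClass=user)" +
          "(userAccountControl:1.2.840.113556.1.4.803:=$PASSWD_NOTREQD))"

function Get-PasswordNotRequiredAccounts {
    Get-ADUser -LDAPFilter $filter -Properties userAccountControl, pwdLastSet |
        Where-Object {
            # Assumption: built-in Guest (RID 501) and IUSR_* are the system
            # accounts the post says must keep the flag; extend as needed.
            ($_.SID.Value -notmatch '-501$') -and ($_.SamAccountName -notlike 'IUSR_*')
        } |
        Select-Object SamAccountName, Enabled,
            @{n='uAC';        e={ $_.userAccountControl }},
            @{n='uACHex';     e={ '0x{0:X}' -f $_.userAccountControl }},
            @{n='pwdLastSet'; e={ [DateTime]::FromFileTime($_.pwdLastSet) }},
            DistinguishedName
}

function Repair-PasswordNotRequiredAccount {
    [CmdletBinding(SupportsShouldProcess=$true)]
    param([Parameter(Mandatory)][string]$SamAccountName)

    $user = Get-ADUser $SamAccountName
    try {
        # Clearing the flag makes the DC re-check the stored password against
        # policy; with a blank password this throws "Unable to update the
        # password..." (the behaviour the post describes), which is our evidence.
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Clear PASSWD_NOTREQD')) {
            Set-ADUser $user -PasswordNotRequired $false -ErrorAction Stop
            return "$SamAccountName : flag cleared, existing password already met policy"
        }
    } catch {
        Write-Warning "$SamAccountName : clearing the flag failed ($($_.Exception.Message)); password is probably blank"
        if ($PSCmdlet.ShouldProcess($SamAccountName, 'Reset to a random policy-compliant password, then clear the flag')) {
            # Assumption: 'Tmp!' + 32 base64 chars satisfies your complexity and
            # length policy. The user is forced to change it at next logon.
            $bytes = New-Object byte[] 24
            [Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
            $newPwd = ConvertTo-SecureString ('Tmp!' + [Convert]::ToBase64String($bytes)) -AsPlainText -Force
            Set-ADAccountPassword $user -Reset -NewPassword $newPwd
            Set-ADUser $user -PasswordNotRequired $false -ChangePasswordAtLogon $true
            return "$SamAccountName : password reset and flag cleared"
        }
    }
}

# Usage: report first; then a dry run of the fix; only then run it for real.
Get-PasswordNotRequiredAccounts | Format-Table -AutoSize
# Get-PasswordNotRequiredAccounts | ForEach-Object { Repair-PasswordNotRequiredAccount $_.SamAccountName -WhatIf }
# Get-PasswordNotRequiredAccounts | ForEach-Object { Repair-PasswordNotRequiredAccount $_.SamAccountName }
```

The report step is also what you want on a pentest: any enabled, non-system account in that list is a candidate for a blank-password logon, and pwdLastSet tells you how long it has been that way.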

How to use the UserAccountControl flags to manipulate user account properties
Softerra LDAP Browser
SomarSoft DumpSec

Monday 2 May 2011

Windows System Time

Windows includes the Windows Time service (W32Time), which the Kerberos authentication protocol depends on: by default a KDC rejects authenticators whose timestamp is more than five minutes off its own clock, so a domain with drifting clocks is a domain where logons fail. The purpose of the Windows Time service is to make sure that all computers running Windows 2000 or later in an organization use a common time.

To guarantee appropriate common time usage, the Windows Time service uses a hierarchical relationship that controls authority, and the Windows Time service does not permit loops. By default, Windows-based computers use the following hierarchy:

• All client desktop computers nominate the authenticating domain controller as their in-bound time partner.
• All member servers follow the same process that client desktop computers follow.
• All domain controllers in a domain nominate the primary domain controller (PDC) operations master as their in-bound time partner.
• All PDC operations masters follow the hierarchy of domains in the selection of their in-bound time partner.

In this hierarchy, the PDC operations master of the forest root domain becomes authoritative for the whole organization, so it is the one machine whose time source matters most. We highly recommend configuring it to take time from a hardware source (a GPS or radio clock). When it synchronises with an Internet time source instead, there is no authentication: plain NTP over the Internet is unauthenticated, so whoever can inject or alter packets on that path can set your forest's clock. We also recommend reducing the maximum time correction on servers and stand-alone clients (step 6 below), so that an implausible reading from a peer is logged rather than applied. Together these recommendations give the domain more accuracy and more security.

Configure the PDCe FSMO role holder in the forest root domain to synchronize with an external time source:


1. Change the server type to NTP

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type

Default value: NT5DS (synchronise from the domain hierarchy)

Set to: NTP (synchronise from the peers listed in the NtpServer value in step 4, i.e. the external source; the other values are NoSync and AllSync, the latter meaning domain hierarchy plus manual peers)


2. Set AnnounceFlags to 5

This entry controls whether this computer is advertised as a time server and as a reliable time server. A computer is not marked as reliable unless it is also marked as a time server. Since 0x01 = always time server and 0x04 = always reliable time server, a setting of 5 means always a time server and always a reliable time server. The default value is 10 (0x02 = automatic time server + 0x08 = automatic reliable time server) on domain members and on stand-alone clients and servers alike.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\AnnounceFlags

Default value: 10
Set to: 5


3. Enable NTPServer

This entry indicates whether the NtpServer provider is enabled, that is, whether this computer answers NTP requests from clients. The default value is 1 on domain members and on stand-alone clients and servers.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer\Enabled

Default value: 1
Set to: 1 (leave it enabled; the PDCe has to serve time to the other domain controllers)


4. Specify the time sources

This entry is a single space-delimited string of peers (DNS names or IP addresses) from which the computer obtains time stamps, each entry followed by a comma and a hexadecimal flags value.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer

Set to: a list such as 0.pool.ntp.org,0x1 1.pool.ntp.org,0x1 (the NTP Pool Project is linked below; use your own hardware-backed source where you have one)

Note: each DNS name that is listed must be unique, and you must append ,0x1 to every entry. The 0x1 flag (SpecialInterval) tells W32Time to poll that peer at the interval set in step 5; without it the value set in step 5 is ignored and W32Time chooses its own adaptive interval. Other flags you will meet in the documentation are 0x2 (UseAsFallbackOnly), 0x4 (SymmetricActive) and 0x8 (Client mode).


5. Select the poll interval

This entry specifies the special poll interval in seconds for manual peers. When the SpecialInterval 0x1 flag is set on a peer, W32Time uses this poll interval for it instead of the poll interval determined by the operating system. The default value on domain members is 3,600. The default value on stand-alone clients and servers is 604,800.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpClient\SpecialPollInterval

Default value: 3600 (seconds)
Set to: 900 (seconds)

Note: 900 (decimal) configures the time server to poll every 15 minutes, which is a reasonable value for an external source. Lower values mean more traffic to the source for little gain; much higher values let the clock drift further between corrections.


6. Configure the time correction settings

This entry specifies the largest positive time correction in seconds that the service will make. If the service determines that a larger change is required, it logs an event instead of stepping the clock. This is the setting that limits the damage a faulty or hostile time source can do: with no bound, a single bad reading from an unauthenticated Internet peer can move the whole forest's clock.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxPosPhaseCorrection

Default value: 4294967295 (0xFFFFFFFF seconds, i.e. no limit: any offset a peer reports is applied)
Set to: 1800 (seconds)

This entry specifies the largest negative time correction in seconds that the service will make. If the service determines that a larger change is required, it logs an event instead of stepping the clock.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config\MaxNegPhaseCorrection

Default value: 4294967295 (0xFFFFFFFF seconds, i.e. no limit)
Set to: 1800 (seconds)

Note: reasonable values are 1 hour (3600) or 30 minutes (1800). The value you select depends on the poll interval, network conditions and the quality of the external time source. With a 15-minute poll interval a healthy clock never needs more than seconds of correction, so a 30-minute ceiling costs nothing in normal operation and stops a compromised or broken peer from moving the clock far enough to break Kerberos, certificate validity windows or log correlation. If the clock ever is legitimately off by more than the limit (after a long outage, say), set it manually once and let the service take over from there.


7. At the command prompt, type the following command to restart the Windows Time service, and then press ENTER:

net stop w32time && net start w32time
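Steps 1 to 7 as one script, with a check that reads the configuration back, as an added PowerShell example that is not part of the original post. It refuses to run on anything but the forest-root PDC emulator, because every other DC must stay on NT5DS. The peer list (NTP Pool Project hosts) and the assumption that w32tm /query is available (Vista/2008 and later) are mine; replace the peers with your own GPS or radio-backed source where you have one.

```powershell
# Added example (not from the original post). Run elevated on the PDCe.
$W32Time = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time'
# Assumption: pool.ntp.org peers. ",0x1" = SpecialInterval, so SpecialPollInterval is honoured.
$Peers   = '0.pool.ntp.org,0x1 1.pool.ntp.org,0x1 2.pool.ntp.org,0x1'

function Assert-PdcEmulator {
    # Only the forest-root PDCe is allowed to sync externally; every other DC
    # must keep Type=NT5DS and follow the hierarchy.
    Import-Module ActiveDirectory
    $pdce = (Get-ADDomain (Get-ADForest).RootDomain).PDCEmulator
    if ($pdce -notlike "$env:COMPUTERNAME.*") {
        throw "Run this on $pdce (forest-root PDCe), not on $env:COMPUTERNAME"
    }
}

function Set-AuthoritativeTimeSource {
    Assert-PdcEmulator
    # 1. Sync from the manual peer list instead of the domain hierarchy
    Set-ItemProperty "$W32Time\Parameters" -Name Type -Value 'NTP'
    # 2. Always advertise as time server (0x1) and reliable time server (0x4)
    Set-ItemProperty "$W32Time\Config" -Name AnnounceFlags -Value 5 -Type DWord
    # 3. Keep serving time to the other DCs
    Set-ItemProperty "$W32Time\TimeProviders\NtpServer" -Name Enabled -Value 1 -Type DWord
    # 4. External sources, each flagged ,0x1
    Set-ItemProperty "$W32Time\Parameters" -Name NtpServer -Value $Peers
    # 5. Poll every 15 minutes (only honoured because of the ,0x1 flag above)
    Set-ItemProperty "$W32Time\TimeProviders\NtpClient" -Name SpecialPollInterval -Value 900 -Type DWord
    # 6. Never step the clock by more than 30 minutes either way; a larger
    #    offset (broken or hostile peer) is logged instead of applied
    Set-ItemProperty "$W32Time\Config" -Name MaxPosPhaseCorrection -Value 1800 -Type DWord
    Set-ItemProperty "$W32Time\Config" -Name MaxNegPhaseCorrection -Value 1800 -Type DWord
    # 7. Restart the service and force an immediate resync
    Restart-Service w32time
    w32tm /resync /nowait | Out-Null
}

function Test-AuthoritativeTimeSource {
    # Reads the settings back; $false anywhere means a step did not stick.
    $p = Get-ItemProperty "$W32Time\Parameters"
    $c = Get-ItemProperty "$W32Time\Config"
    $status = w32tm /query /status
    @{
        TypeIsNTP     = $p.Type -eq 'NTP'
        PeersFlagged  = ($p.NtpServer -split ' ' | ForEach-Object { $_ -like '*,0x1' }) -notcontains $false
        Announce5     = $c.AnnounceFlags -eq 5
        NtpServerOn   = (Get-ItemProperty "$W32Time\TimeProviders\NtpServer").Enabled -eq 1
        Poll900       = (Get-ItemProperty "$W32Time\TimeProviders\NtpClient").SpecialPollInterval -eq 900
        Bounded       = ($c.MaxPosPhaseCorrection -eq 1800) -and ($c.MaxNegPhaseCorrection -eq 1800)
        Source        = [string]($status | Select-String '^Source:')
        NotLocalClock = -not ($status -match 'Local CMOS Clock|Free-running')
    }
}

Set-AuthoritativeTimeSource
Test-AuthoritativeTimeSource
```

The same peer list, Type and AnnounceFlags can be set in one line with w32tm /config /manualpeerlist:"0.pool.ntp.org,0x1 1.pool.ntp.org,0x1" /syncfromflags:manual /reliable:yes /update, but that command does not touch the phase-correction bounds in step 6, which is the part with the security payoff. Check the Source line of the output after a few minutes: if it still reads "Local CMOS Clock" the PDCe is free-running and nothing downstream is getting real time.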

If you need to configure some or all hosts to synchronise with a specific external or internal time source or you want to ensure that all hosts use Windows Domain hierarchy at all times or force synchronisation across sites, you can configure and enforce Windows Time Service settings through GPO.

Configuring an Authoritative Time Server with Group Policy Using WMI Filtering
High Accuracy W32time Requirements
How to configure an authoritative time server in Windows Server
How the Windows Time Service Works
NTP Pool Project
Preset values for the Windows Time service Group Policy settings are different from the corresponding Windows Time service registry entries in Windows Server 2003
Windows Time Service and Internet Communication
Windows Time Service Technical Reference
Windows Time Service Tools and Settings