Rob Keith | 15 Jul 2009 16:59

SecurityFocus Microsoft Newsletter #448

SecurityFocus Microsoft Newsletter #448
----------------------------------------

This issue is sponsored by Ironkey

INTRODUCING THE WORLD'S ONLY FIPS 140-2 LEVEL 3 VALIDATED USB FLASH DRIVE

Designed to meet the needs of military, government and demanding enterprise users, the IronKey S200
series USB flash drives have passed the stringent Security Level 3 tests for the FIPS 140-2
standard. A rugged, tamper-resistant and tamper-evident enclosure protects the critical components,
while strong AES 256-bit hardware encryption and active malware defenses safeguard even the most
sensitive data. Enterprise-class central management capabilities also make it easy to enforce
security policies on fleets of drives and even remotely destroy drives in the field.

Learn more at https://www.ironkey.com/S200_Launch

------------------------------------------------------------------
I.   FRONT AND CENTER
       1. Hacker-Tool Law Still Does Little
       2. A Botnet by Any Other Name
II.  MICROSOFT VULNERABILITY SUMMARY
       1. Icarus '.icp' File Remote Stack Buffer Overflow Vulnerability
       2. Mozilla Firefox 3.5 'Tracemonkey' Component Remote Code Execution Vulnerability
       3. LibTIFF Multiple Remote Integer Overflow Vulnerabilities
       4. Wyse Device Manager Unspecified Remote Buffer Overflow Vulnerability
       5. Microsoft Office Web Components ActiveX Control 'msDataSourceObject' Code Execution Vulnerability
       6. Pirch IRC Client Remote Buffer Overflow Vulnerability
       7. Microsoft ISA Server Radius OTP Authentication Bypass Vulnerability
       8. Microsoft Internet Explorer 'AddFavorite' Method Denial of Service Vulnerability
(Continue reading)

GrowlieGirl | 16 Jul 2009 06:23

Forcing Password Changes for Non-Interactive Logons

I have googled and googled but cannot find the answer to this one, hoping you can help.
We have ADS password policy enforced whereby the user has to change their password every 60 days. If they
have not changed their password after this time their account is locked. Unfortunately the users with
non-interactive accounts do not get the notification to change their password nor can they get to the
change password facility that the interactive logon users can use. Is there any way to notify the users and
have them carry out a password change?

Mark Holmes | 21 Jul 2009 00:55

Re: Forcing Password Changes for Non-Interactive Logons

Hi,

We have a similar issue at my place - not all users are joined to the
domain, so don't do an interactive logon. I use a VB script which
runs nightly and checks AD for users whose password is due to expire;
it sends email reminders 14, 7, 3 and 2 days before expiry via email
(pulls the user's address from AD). They then go to a secure page on
our intranet to change their password.

Cheers,

Mark

On 20 Jul 2009, at 23:32, "GrowlieGirl <at> gmail.com"  
<GrowlieGirl <at> gmail.com> wrote:

> I have googled and googled but cannot find the answer to this one,  
> hoping you can help.
> We have ADS password policy enforced whereby the user has to change  
> their password every 60 days. If they have not changed their  
> password after this time their account is locked. Unfortunately the  
> users with non-interactive accounts do not get the notification to  
> change their password nor can they get to the change password  
> facility that the interactive logon users can use. Is there any way  
> to notify the users and have them carry out a password change?

(Continue reading)

Kurt Buff | 21 Jul 2009 01:06

Re: Forcing Password Changes for Non-Interactive Logons

On Wed, Jul 15, 2009 at 21:23, <GrowlieGirl <at> gmail.com> wrote:
> I have googled and googled but cannot find the answer to this one, hoping you can help.
> We have ADS password policy enforced whereby the user has to change their password
> every 60 days. If they have not changed their password after this time their account is locked.
> Unfortunately the users with non-interactive accounts do not get the notification to change
> their password nor can they get to the change password facility that the interactive logon
> users can use. Is there any way to notify the users and have them carry out a password
> change?

Not directly as far as I'm aware, but there are a ton of free tools in
the world that will allow you to filter your user base according to
the age of their password - check, for instance, joeware.net, and
google for netpwage.exe, among many others.

Wrap that up in a script with one of my favorite tools - blat.exe - to
send each person an email for several days before it expires, and
Bob's yer uncle.

There are probably commercial tools as well, but I don't know that
space well at all.

Kurt

Kosala Atapattu | 21 Jul 2009 05:48

Re: Forcing Password Changes for Non-Interactive Logons

Care to share the script :).

Kosala

On Tue, Jul 21, 2009 at 1:55 AM, Mark
Holmes<mark.holmes <at> nuffield.ox.ac.uk> wrote:
> Hi,
>
> We have a similar issue at my place - not all users are joined to the
> domain, so don't do an interactive logon. I use a VB script which
> runs nightly and checks AD for users whose password is due to expire;
> it sends email reminders 14, 7, 3 and 2 days before expiry via email
> (pulls the user's address from AD). They then go to a secure page on
> our intranet to change their password.
>
> Cheers,
>
> Mark
>
>
> On 20 Jul 2009, at 23:32, "GrowlieGirl <at> gmail.com"
> <GrowlieGirl <at> gmail.com> wrote:
>
>> I have googled and googled but cannot find the answer to this one,
>> hoping you can help.
>> We have ADS password policy enforced whereby the user has to change
>> their password every 60 days. If they have not changed their
>> password after this time their account is locked. Unfortunately the
>> users with non-interactive accounts do not get the notification to
>> change their password nor can they get to the change password
(Continue reading)

Mark Holmes | 21 Jul 2009 12:44

RE: Forcing Password Changes for Non-Interactive Logons

Hi,  

Sure - see

http://www.nuffield.ox.ac.uk/users/holmes/reportpasswordchange.zip

There are three files: the .vbs, which you will need to edit to suit your environment; a text file which is the
text that will be included in the email sent to the user; and a .bat file which just calls the script - this
batch file should be run as a scheduled task in the context of a user with read access to AD.

I have edited out much of the config for security reasons; you will need to have a look at the .vbs and change
settings where appropriate - i.e. your domain, the password expiry no. of days etc. - it's all pretty straightforward.

You will need to create a secure password reset page, we use a .NET control to achieve this.  Note the page will
need to run in the context of a user with *write* access to AD.

There are other scripts out there that do this, just Google 'password expiry script' or similar.

Regards,

Mark

-----Original Message-----
From: Kosala Atapattu [mailto:kosala.atapattu <at> gmail.com] 
Sent: 21 July 2009 04:48
To: Mark Holmes
Cc: GrowlieGirl <at> gmail.com; focus-ms <at> securityfocus.com
Subject: Re: Forcing Password Changes for Non-Interactive Logons

Care to share the script :).
(Continue reading)
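Mark's nightly check (and Kurt's suggestion of filtering the user base by password age) comes down to reading each account's pwdLastSet, the domain's maxPwdAge and the userAccountControl flags, and doing date arithmetic on them. The following is an added Python example written for this thread; it is not Mark's reportpasswordchange.vbs and not code from anyone on the list. It does not talk to AD at all: the user records, the run time and the change-password URL are constructed placeholders, while the attribute names and their encodings (FILETIME ticks since 1601, maxPwdAge stored as a negative tick count, the 'password never expires' bit) are Active Directory's own.

```python
"""Nightly Active Directory password-expiry reminder check.

Added example: this is not the reportpasswordchange.vbs from the thread, and it
does not query AD. The attribute names and encodings (pwdLastSet as a FILETIME,
maxPwdAge as a negative 100-ns tick count, the userAccountControl 'never
expires' bit) are Active Directory's own; the user records, the run time and
the change-password URL below are constructed placeholders.
"""
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)  # FILETIME zero point
TICKS_PER_SECOND = 10_000_000      # FILETIME/maxPwdAge unit: 100-nanosecond ticks
UF_DONT_EXPIRE_PASSWD = 0x10000    # userAccountControl: password never expires
REMINDER_DAYS = (14, 7, 3, 2)      # reminder schedule Mark describes
CHANGE_URL = "https://intranet.example.invalid/changepassword"  # placeholder URL


def filetime_to_datetime(ticks):
    """AD FILETIME (LDAP returns it as a decimal string) -> aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=int(ticks) // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used here only to build sample data."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * TICKS_PER_SECOND + delta.microseconds * 10


def max_password_age(max_pwd_age_ticks):
    """maxPwdAge on the domain object is stored negated; return a positive timedelta."""
    return timedelta(seconds=-int(max_pwd_age_ticks) / TICKS_PER_SECOND)


def password_age_days(user, now):
    """Whole days since the password was last set (Kurt's 'filter by password age')."""
    return (now - filetime_to_datetime(user["pwdLastSet"])).days


def password_expiry(user, max_pwd_age_ticks):
    """Expiry datetime, or None when no expiry date applies to this account."""
    if int(user["userAccountControl"]) & UF_DONT_EXPIRE_PASSWD:
        return None                      # 'password never expires' is set
    if int(user["pwdLastSet"]) == 0:
        return None                      # 'must change at next logon': already forced
    return filetime_to_datetime(user["pwdLastSet"]) + max_password_age(max_pwd_age_ticks)


def classify(user, max_pwd_age_ticks, now):
    """What the nightly job should do for one account."""
    if int(user["userAccountControl"]) & UF_DONT_EXPIRE_PASSWD:
        return "never-expires"
    if int(user["pwdLastSet"]) == 0:
        return "must-change"
    expiry = password_expiry(user, max_pwd_age_ticks)
    if expiry <= now:
        return "expired"
    # Compare whole calendar days so one nightly run sends each reminder exactly once.
    days_left = (expiry.date() - now.date()).days
    return f"remind-{days_left}" if days_left in REMINDER_DAYS else "ok"


def compose_reminder(user, days_left):
    """Subject and body for the reminder mail; actually sending it is left to the caller."""
    subject = f"Your password expires in {days_left} day(s)"
    body = (f"Hello {user['displayName']},\n\n"
            f"The password for account {user['sAMAccountName']} expires in "
            f"{days_left} day(s). Change it at {CHANGE_URL} before then, or the "
            f"account will be locked.\n")
    return subject, body


def run_nightly(users, max_pwd_age_ticks, now):
    """Return (sAMAccountName, mail, action) for every user."""
    return [(u["sAMAccountName"], u["mail"], classify(u, max_pwd_age_ticks, now)) for u in users]


# --- constructed sample data (not real accounts) -----------------------------
RUN_TIME = datetime(2009, 7, 21, 2, 0, tzinfo=timezone.utc)   # time of the nightly run
MAX_PWD_AGE_60_DAYS = -60 * 86400 * TICKS_PER_SECOND            # domain maxPwdAge for 60 days


def _user(name, days_ago, uac=0x200):      # 0x200 = NORMAL_ACCOUNT
    last_set = 0 if days_ago is None else datetime_to_filetime(RUN_TIME - timedelta(days=days_ago))
    return {"sAMAccountName": name, "displayName": name.title(),
            "mail": f"{name}@example.invalid", "pwdLastSet": last_set,
            "userAccountControl": uac}


SAMPLE_USERS = [
    _user("alice", 53),                                   # 7 days left -> reminder
    _user("bob", 5, uac=0x200 | UF_DONT_EXPIRE_PASSWD),   # never expires
    _user("carol", None),                                 # pwdLastSet = 0
    _user("dave", 65),                                    # expired 5 days ago
    _user("erin", 10),                                    # 50 days left -> nothing to do
]

if __name__ == "__main__":
    for user in SAMPLE_USERS:
        action = classify(user, MAX_PWD_AGE_60_DAYS, RUN_TIME)
        print(f"{user['sAMAccountName']:6} {user['mail']:22} {action}")
        if action.startswith("remind-"):
            subject, body = compose_reminder(user, int(action.split("-")[1]))
            print("  ->", subject)
```

Two details are worth keeping when adapting this to a real LDAP query: pwdLastSet of 0 and the UF_DONT_EXPIRE_PASSWD bit both mean "no expiry date to compute", and they are handled before any date arithmetic so the script neither mails those users nor reports a 1601 expiry for them; and the day comparison uses calendar days so that a job scheduled once a night fires each of the 14/7/3/2-day reminders exactly once. On domains using fine-grained password policies, the effective maximum age comes from the PSO that applies to the user rather than from the domain object's maxPwdAge.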

Rob Keith | 23 Jul 2009 19:27

SecurityFocus Microsoft Newsletter #449

SecurityFocus Microsoft Newsletter #449
----------------------------------------

This issue is sponsored by IronKey

INTRODUCING THE WORLD'S ONLY FIPS 140-2 LEVEL 3 VALIDATED USB FLASH DRIVE

Designed to meet the needs of military, government and demanding enterprise users, the IronKey S200
series USB flash drives have passed the stringent Security Level 3 tests for the FIPS 140-2
standard. A rugged, tamper-resistant and tamper-evident enclosure protects the critical components,
while strong AES 256-bit hardware encryption and active malware defenses safeguard even the most
sensitive data. Enterprise-class central management capabilities also make it easy to enforce
security policies on fleets of drives and even remotely destroy drives in the field.

Learn more at https://www.ironkey.com/S200_Launch?ik_c=s200_launch&ik_s=security_focus&ik_t=newsletter

------------------------------------------------------------------
I.   FRONT AND CENTER
       1. The Scale of Security
       2. Hacker-Tool Law Still Does Little
II.  MICROSOFT VULNERABILITY SUMMARY
       1. World in Conflict Typecheck Remote Denial of Service Vulnerability
       2. Wireshark 1.2.0 Multiple Vulnerabilities
       3. Google Chrome Privilege Escalation Weakness
       4. MightSOFT Audio Editor Pro MP3 File Unspecified Memory Corruption Vulnerability
       5. Icarus '.icp' File Remote Stack Buffer Overflow Vulnerability
       6. Mozilla Firefox 3.5 'TraceMonkey' Component Remote Code Execution Vulnerability
       7. LibTIFF Multiple Remote Integer Overflow Vulnerabilities
       8. Microsoft Office Web Components ActiveX Control 'msDataSourceObject' Code Execution Vulnerability
(Continue reading)

