Mini123 Posted April 23, 2006
Found a security problem. When you get your "password is going to expire" warning and you choose to change it, when you get the change password box you can enter another user's user name and their existing password and change it. How can this be stopped?
cconk01 Posted April 23, 2006
The best way to stop it would be to ensure your password isn't known by others. In order for that to work you have to type in your current password and then your new password. If you don't know the user's password you can't change it.
Mini123 Posted April 23, 2006
My domain has the domain name blacked out. Is there a function to black out the user name or make sure that the box is empty?
JuMz Posted April 24, 2006
"you can enter another user's user name and their existing password and change it. How can this be stopped?"
Well, the user shouldn't know another user's name and password??
HyperHacker Posted April 24, 2006
Yeah, if you know their password, you've already breached all manner of security.
nmX.Memnoch Posted April 24, 2006
Agreed... "blacking out" the user name wouldn't do any good. If you know the password already there's nothing stopping you from logging in as that user and changing the password. Sharing passwords is one of the biggest security problems there is... it's a matter of educating your users not to do this.
Edited April 24, 2006 by nmX.Memnoch
Mini123 Posted April 24, 2006
"Agreed... "blacking out" the user name wouldn't do any good. If you know the password already there's nothing stopping you from logging in as that user and changing the password. Sharing passwords is one of the biggest security problems there is... it's a matter of educating your users not to do this."
The user can't change their password in Windows; that is not an option on the Control-Alt-Delete menu. But they can sure make life harder for the admins. Just thought there might be a method of blocking it out to make it harder for the end user to change their password.
nmX.Memnoch Posted April 24, 2006
I'm having a hard time understanding why you would want to keep them from changing their password. Most places require that passwords be changed on a schedule (usually at most every 90 days). It's good security practice to change them as often as possible without it being annoying.
Mini123 Posted April 25, 2006
Ok, I am in a domain at work. I get a warning every month-ish telling me my password will expire. When I click yes to change the password I get a Windows default change password screen. I can take my user name out of the user name box and put another user's in and change theirs. I am going to tell the admin, but I need to know if there is a way to black out the user name box or stop it being edited so I can help my administrator. Hope that's a bit clearer. I don't want the user to not be able to change their password, just stop them changing other users' passwords.
Edited April 25, 2006 by Mini123
nmX.Memnoch Posted April 25, 2006
Well, the next question would be... Why do you know other users' passwords? That in and of itself is the problem.
Mini123 Posted April 25, 2006
I don't. This is a student environment, so people are going to try and get on other user accounts to delete files to get back at other people. I don't know any passwords.
nmX.Memnoch Posted April 25, 2006
You're misunderstanding how the Change Password screen works. You have to know the current password before you can change it to a new one. So don't worry, you can't just put in a user name and change the password.
Mini123 Posted April 25, 2006
I know how the screen works. All I am asking is: is there a command you can put into the domain security policy to black out the user name box or stop it being edited?
HyperHacker Posted April 26, 2006
Hm, if you can change a different account's password at that prompt, I wonder if doing so would bypass the need to change your own?
Mini123 Posted April 26, 2006
No, you still get the expiry time if you change someone else's. It doesn't reset yours.