andymwood | Posts: 0 | 04/21/2008 4:04 PM
Hi list,
Is it possible to prevent users from changing their password on a specific server/workstation? Not simply the 'disable the Windows Security, change password' option - but to actively prevent users from seeing/interacting with *any* 'your password has expired/is expiring' notification?
I have a customer who wants to provide terminal server access to their secured environment. They have put in place a service by which users enter their logon using a virtual keyboard, as a method of mitigating a keyboard logger logging the password being entered. They have presented their applications in such a way as to accept the level of risk using the terminal services applications. However, if the user is prompted to change their password as part of the authentication process the user can enter & change their password; which they want to avoid.
Is it/could it be possible to prevent this functionality? e.g. in a similar way that you can force users to only log on from certain workstations, to be
able to explicitly reference which servers they cannot change their password from? I realise that this potentially locks the user out, but this is preferable to allowing the user the option of changing their password while not physically in the office.
I realise that we may have to modify the logon script - in which case - is it possible to determine (in the logon script) what the password expiration time is?
Any advice/assistance you could give would be splendid.
Andrew
Gilwood CS Ltd
Registered Office : Mount Ashbrooke, Holmland Buildings, Tunstall Road, Sunderland, UK, SR2 7RR. No. 6099397 England
andymwood | Posts: 0 | 04/21/2008 6:31 PM
As far as the password and virtual keyboard - it doesn't stop video or snooping, yes - but it does prevent keyboard snooping, which is better than nothing.
Yes, if the logon script has run it's 'too late' - but then if we can catch a recent password change in the script I'm thinking we could at least log the user off, or generate an alert - it seems that the password change event doesn't get written if the user is prompted to change their password due to it being about to expire, or it has expired :?
From: ActiveDir-owner@mail.activedir.org [mailto:ActiveDir-owner@mail.activedir.org] On Behalf Of Tony Gordon
Sent: 21 April 2008 23:08
To: ActiveDir@mail.activedir.org
Subject: Re: [ActiveDir] Restricting where user passwords can be modified from
Not that it is answering your question, but use of the virtual keyboard is not much of a mitigation.
It is possible to determine the expiration time (just add maxpwdage - domain wide value to the lastpwdreset value for that user). Maybe I do not fully understand the flow here, but if you try to do it in the logon script is it not too late? If the logon script is running, the user has already interacted with the logon process and possibly reset their password.
Thank you, Tony.
Tony Gordon Windows 2003 & 2000 MCSE, Windows 2003 MCSA, PMP ITS Infrastructure Engineering Hewitt Associates | 100 Half Day Road | Lincolnshire, IL 60069 | USA Tel 847.295.5000 x50526 | Fax 847.554.1574 tony dot gordon at hewitt dot com | www.hewitt.com
listmail | Posts: 463 | 04/22/2008 1:40 AM
You can play with the expiry notice but you can't muck with where a user can change a password from. The authentication/authorization is only about WHO the person is, not WHO combined with WHERE. The only way I could think of to get around this would be to disable the ability for users to change their own passwords and then force them through a web site that would do the validation of where the user is.
If you want to muck with expiration, you can use secpol.msc or normal group policy, look for the Security Option "Interactive Logon: Prompt user to change password before expiration" or if you want, just go to the reg value hklm/software/windows nt/current version/winlogon/passwordexpirywarning which is a REG_DWORD and is specified in days.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm
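The thread leaves three pieces of arithmetic implicit: Tony's rule for deriving the expiry time (the user's pwdLastSet plus the domain-wide maxPwdAge, quoted in andymwood's 6:31 PM reply), andymwood's idea of catching a password that was changed moments before the logon script ran, and the comparison Winlogon makes against joe's PasswordExpiryWarning value (a REG_DWORD counted in days). The script below is an added example written for this page; it is not code from the thread or from any poster. It works on raw attribute values so it runs offline: every user record, the 42-day maximum age, the 14-day warning window and the clock time are constructed here, and a real logon script would read pwdLastSet and userAccountControl from the user object and maxPwdAge from the domain root instead. The FILETIME epoch, the negative sign of maxPwdAge, the "never expires" sentinel and the UF_DONT_EXPIRE_PASSWD bit are standard Active Directory conventions, not assumptions.

```python
"""Added example, not code from the thread or from any poster.

Carries through Tony's expiry arithmetic (pwdLastSet + maxPwdAge), Andrew's
"was the password just changed?" check, and the PasswordExpiryWarning (days)
comparison joe mentions. All sample values are constructed, not real.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# pwdLastSet is a FILETIME: 100-nanosecond ticks since 1601-01-01 00:00 UTC.
# maxPwdAge on the domain root is a NEGATIVE tick count (e.g. -42 days).
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
TICKS_PER_SECOND = 10_000_000
MAX_PWD_AGE_NEVER = -0x8000000000000000  # maxPwdAge sentinel: no maximum age
UF_DONT_EXPIRE_PASSWD = 0x10000          # userAccountControl bit
UF_NORMAL_ACCOUNT = 0x200


def filetime_to_datetime(ticks: int) -> datetime:
    """Exact conversion; integer microseconds avoid float drift over 400 years."""
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(when: datetime) -> int:
    return ((when - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class PasswordStatus:
    expires_at: Optional[datetime]  # None when the password never expires
    must_change_at_logon: bool      # pwdLastSet == 0: an admin forced a change


def password_expiry(pwd_last_set: int, max_pwd_age: int,
                    user_account_control: int = UF_NORMAL_ACCOUNT) -> PasswordStatus:
    """Tony's rule, plus the cases where plain addition gives the wrong answer."""
    if user_account_control & UF_DONT_EXPIRE_PASSWD or max_pwd_age in (0, MAX_PWD_AGE_NEVER):
        return PasswordStatus(expires_at=None, must_change_at_logon=False)
    if pwd_last_set == 0:
        return PasswordStatus(expires_at=None, must_change_at_logon=True)
    # maxPwdAge is negative, so subtracting it moves the timestamp forward.
    return PasswordStatus(expires_at=filetime_to_datetime(pwd_last_set - max_pwd_age),
                          must_change_at_logon=False)


def days_until_expiry(status: PasswordStatus, now: datetime) -> Optional[int]:
    """Whole days left (negative once expired); None for never-expiring passwords."""
    if status.must_change_at_logon:
        return 0
    if status.expires_at is None:
        return None
    return (status.expires_at - now).days


def expiry_warning_due(status: PasswordStatus, now: datetime, warning_days: int) -> bool:
    """True when the password expires within the PasswordExpiryWarning window."""
    if status.must_change_at_logon:
        return True
    if status.expires_at is None:
        return False
    return status.expires_at - now <= timedelta(days=warning_days)


def changed_recently(pwd_last_set: int, now: datetime,
                     window: timedelta = timedelta(minutes=5)) -> bool:
    """Andrew's detection idea: pwdLastSet landed just before the logon script ran."""
    if pwd_last_set == 0:
        return False
    age = now - filetime_to_datetime(pwd_last_set)
    return timedelta(0) <= age <= window


# ---- constructed sample data (not from any real domain) -------------------
NOW = datetime(2008, 4, 22, 9, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 24 * 3600 * TICKS_PER_SECOND   # 42-day maximum password age
WARNING_DAYS = 14                                   # assumed PasswordExpiryWarning value
SAMPLE_USERS = {
    "alice":      (datetime_to_filetime(NOW - timedelta(days=38)),   UF_NORMAL_ACCOUNT),
    "bob":        (datetime_to_filetime(NOW - timedelta(minutes=2)), UF_NORMAL_ACCOUNT),
    "carol":      (0,                                                UF_NORMAL_ACCOUNT),
    "svc_backup": (datetime_to_filetime(NOW - timedelta(days=400)),  UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD),
}


def evaluate(name: str, pwd_last_set: int, uac: int, now: datetime = NOW,
             max_pwd_age: int = MAX_PWD_AGE, warning_days: int = WARNING_DAYS) -> dict:
    status = password_expiry(pwd_last_set, max_pwd_age, uac)
    return {
        "user": name,
        "expires_at": status.expires_at.isoformat() if status.expires_at else None,
        "must_change_at_logon": status.must_change_at_logon,
        "days_left": days_until_expiry(status, now),
        "warning_due": expiry_warning_due(status, now, warning_days),
        "changed_recently": changed_recently(pwd_last_set, now),
    }


def demo() -> list:
    return [evaluate(name, pls, uac) for name, (pls, uac) in SAMPLE_USERS.items()]


if __name__ == "__main__":
    for row in demo():
        print(row)
```

Two caveats carry over from the thread and from current directory behaviour. First, as Tony notes, anything a logon script computes runs after authentication has finished, so `changed_recently` is a detection signal (log the user off, raise an alert) rather than a control. Second, the domain-wide maxPwdAge is only the right input for domains without fine-grained password policies; on a Windows Server 2008 or later domain with password settings objects, reading the constructed attribute msDS-UserPasswordExpiryTimeComputed from the user object gives the per-user expiry directly and sidesteps the arithmetic.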
DhirajHaritwal | Posts: 44 | 04/22/2008 3:53 AM
Hi Joe,
Can we use this reg key hklm/software/Microsoft/windows nt/current version/winlogon/passwordexpirywarning to show a warning message while logging into a mailbox in Outlook on a workgroup machine?
Dhiraj
andymwood | Posts: 0 | 04/22/2008 7:22 AM
That's a fair point for about to expire; but if the user account has expired I still need the same method. Sadly - can't disable password changes as that would be for the whole domain surely?
listmail | Posts: 463 | 04/24/2008 10:39 AM
I don't believe so. That would be a function of Outlook, not the OS.
-- O'Reilly Active Directory Third Edition - http://www.joeware.net/win/ad3e.htm