blank password in W2K Pro workstation even when policy set

Guest

previously mis-posted to the VPC group......

I'm trying to work with some folks who are being required to lock down their
Win2K workstations. The guidelines however were written as though the
workstations were on a domain and not standalone.

The real kicker is that after setting local password policies such as min
length, complexity etc, the local admin can create a new user account with a
blank password via "Users and Passwords". And yes, "Require users to logon
with a password" is checked.

I've been able to recreate this with a Virtual PC load Win2K SP3 and SP4.
With the local policy set to a minimum length of 8 characters and complexity
rules turned on I'm able to create a user with a blank password.

I didn't think that would be allowed by that policy. Ideas??? Suggestions??

thanks,
Kim
 
Steven L Umbach

I have heard about this behavior more than a few times so I just tested it
out on a W2K SP4 computer of mine. I was able to get password policy to work
and I specifically enabled password complexity and set the minimum password
length to seven characters. When I tried to add a user with a blank or less
than prescribed password I was not allowed to. What I did do is to run the
command secedit /refreshpolicy machine_policy /enforce to make sure that the
security policy was applied or a reboot should do the same thing. On your
computer run the command net accounts to see what it shows and also check
the password policy settings in Local Security policy to make sure that the
local setting and effective setting are the same which it should be after a
forced GP refresh or reboot. --- Steve
 
Guest

I did as you suggested. I still have the same failure.

here's the result of net accounts on the machine I'm testing this on:
======
C:\Documents and Settings\Administrator>net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 8
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.
=========

my actions
Open Control Panel
Open Users and Passwords
Click on Add...
Add a user and leave nothing in the password field. accepting all defaults.
User is created and can be logged on.

If I go through Local Users and Groups then I have to make a password
compliant with the rules.

Weird. And the contractor is going to require a waiver on his NISPOM audit
on this machine if we don't figure this out.

thanks,
Kim
 
Joe Richards [MVP]

Sounds like the accounts are created with UF_PASSWD_NOTREQD set on the user flags.

joe
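
A way to check this on a standalone box, as an added example that is not part of the thread and not a tool any of the posters supplied: it enumerates local accounts through the WinNT ADSI provider, reads each account's UserFlags, and reports the ones carrying ADS_UF_PASSWD_NOTREQD (0x20), the flag Joe refers to. A second function clears that flag on a named account. The function names, parameter names and the assumption that PowerShell is available on the machine (it was an optional add-on on Windows 2000/XP, so the script is written to the PowerShell 2.0 syntax) are mine.

```powershell
# Added audit script, not from the original thread.
# Assumes: run from an elevated prompt; WinNT ADSI provider present (it is on
# Windows 2000 and later); PowerShell 2.0 or newer installed.

$ADS_UF_ACCOUNTDISABLE = 0x0002   # account is disabled
$ADS_UF_PASSWD_NOTREQD = 0x0020   # "password not required" (UF_PASSWD_NOTREQD)

# List every local user with its UserFlags and whether the NOTREQD bit is set.
function Get-LocalUserPasswordFlags {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $computer = [ADSI]"WinNT://$ComputerName"
    foreach ($child in $computer.Children) {
        if ($child.SchemaClassName -ne 'user') { continue }
        $flags = [int]$child.UserFlags.Value
        New-Object PSObject -Property @{
            Name            = [string]$child.Name.Value
            Disabled        = [bool]($flags -band $ADS_UF_ACCOUNTDISABLE)
            PasswordNotReqd = [bool]($flags -band $ADS_UF_PASSWD_NOTREQD)
            UserFlags       = ('0x{0:X4}' -f $flags)
        }
    }
}

# Clear the "password not required" bit on one account so the next password
# change is checked against the local password policy.
function Clear-PasswordNotRequired {
    param(
        [Parameter(Mandatory = $true)][string]$Name,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    $user  = [ADSI]"WinNT://$ComputerName/$Name,user"
    $flags = [int]$user.UserFlags.Value
    if ($flags -band $ADS_UF_PASSWD_NOTREQD) {
        $user.UserFlags.Value = $flags -band (-bnot $ADS_UF_PASSWD_NOTREQD)
        $user.SetInfo()
        Write-Output "Cleared PASSWD_NOTREQD on $ComputerName\$Name"
    }
    else {
        Write-Output "$ComputerName\$Name did not have PASSWD_NOTREQD set"
    }
}

# Report: enabled accounts that are allowed to have no password at all.
Get-LocalUserPasswordFlags |
    Where-Object { $_.PasswordNotReqd -and -not $_.Disabled } |
    Format-Table Name, UserFlags, PasswordNotReqd, Disabled -AutoSize
```

Clearing the bit does not by itself replace an empty password; it only makes the policy apply the next time the password is set, so follow it with `net user <name> *` (or the Local Users and Groups snap-in) to give the account a compliant password. The report above is also a quick way to confirm whether the accounts added through Control Panel on the test machine are the ones carrying the flag.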
 
Steven L Umbach

I have never used Control Panel to add users so I tried it and it works just
as you described - user account with no password. Even worse the account is
not configured to require user to change password at next logon and the user
is added to the power users group. I was able to logon as the user with a
blank password. I also tried XP Pro. In XP Pro you can also create a user
with a blank password but the account is configured to require the user to
change password at next logon. So I tried to logon as the user under XP Pro
and was immediately told I need to change my password and it had to conform
to password policy. Also by default XP Pro will not allow network access via
a user account with a blank password. So XP Pro is much more secure than
Windows 2000 in the regard of creating user accounts that conform to
password policy. All I can suggest is that you try to configure Group Policy
to restrict access to the Control Panel as described in the link below or
have them upgrade to XP Pro which would be the best option. --- Steve
 
Guest

Steven L Umbach said:
All I can suggest is that you try to configure Group Policy
to restrict access to the Control Panel as described in the link below or
have them upgrade to XP Pro which would be the best option. --- Steve


I didn't see the link. Moving to XP Pro is not an option for this
application. It's part of a training system and has to reflect the deployed
system. Since it's an outside contractor they have to pass a DSS NISPOM
audit. The audit document was written to cover workstation and domain
clients. This case obviously was not tested for workstations.

thanks,
Kim
 
