Security Alert: Windows 2000 Expired Password Vulnerability

[Maha]

We have remote user using NORTON VPN client to connect
network. Some user are facing problem when they tried to
connecct exchange server through outlook.
Getting msg your password expire.

There is no password policy applied.

User is able to login off line with cach account to domain.
After connected VPN open up outlook
Normally it does't ask to enter username, password, domain.
Now it is asking enter username password domian
after entred password msg says your password is expire.
Is ther any patch available for this issue?
when user tried to login locallyby chnaging log on to this
computer then after suddanly user can not even logon off
line to domain with cach accoutnt?

Can anyone help on this issue pls

OS winows 2000 prof
Domain win2k

 

[Robert Moir]

We have remote user using NORTON VPN client to connect
network. Some user are facing problem when they tried to
connecct exchange server through outlook.
Getting msg your password expire.

There is no password policy applied.

User is able to login off line with cach account to domain.
After connected VPN open up outlook
Normally it does't ask to enter username, password, domain.
Now it is asking enter username password domian
after entred password msg says your password is expire.
Is ther any patch available for this issue?
when user tried to login locallyby chnaging log on to this
computer then after suddanly user can not even logon off
line to domain with cach accoutnt?

Can anyone help on this issue pls

If this only happens to people going through the norton VPN client i'd
suggest the issue, and the people to ask for help, is with them.

I've not seen any such issues using the microsoft VPN client via ISA server.

By the way, why is this a "Security Alert", or a "Vulnerability"? Which
network service has its security compromised by this?
--
--
Rob Moir, Microsoft MVP for servers & security
Website - http://www.robertmoir.co.uk
Virtual PC 2004 FAQ - http://www.robertmoir.co.uk/win/VirtualPC2004FAQ.html

Kazaa - Software update services for your Viruses and Spyware.

 

[Steven L Umbach]

I have never seen a password expire for a windows user account where there
was no maximum password age. You might check your policy again. Domain
policy for domain users is set at the domain level and for local users can
be set at the local or OU level. Net accounts will show password policy on a
particular computer or for the domain on a domain controller and for an
individual user use net user username to check and see if the password has
actually expired. You can also configure domain or local accounts to have
their password never expire in the account properties.

I am not familiar with Norton vpn client but with the built in W2K/XP Pro
client I believe you can change domain password if you select the option to
logon to the domain in the vpn connectoid. You may want to contact Norton to
see how to work around expired domain passwords when you logon with cached
credentials. I don't understand what you consider a vulnerability with W2K.
Were you able to compromise the domain somehow?? -- Steve