[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Hack Microsoft?



At 10:33 AM 9/26/95 EDT, Dan Bailey wrote:
>On Tue, 26 Sep 1995 00:04:08 -0400 (EDT) you wrote:
>
>>
>>
>>   Microsoft recently got C2-security status approved for Windows NT by
>>the National Computer Security Center, a division of the NSA. They
>>are supposed to put systems through "laborious testing and review" before
>>  If Cypherpunks can find flaws that the NSA can't, or won't divulge,
>>what does that say about their so-called COMSEC ability.
>>
>For fun ways to hack NT, check out http://www.somar.com/security.html.
> Some of these are really laughable.  You can use NT's LogonUser API
>call to repeatedly guess passwords until you hit it, since NT offers
>no way to limit number of login attempts.

   I don't believe that's correct; under User Manager, select
the Account option under the Policies menu item; it lets you
select whether to lock-out the account after a given number
of invalid logon attempts, and to set the number.  The main
problem here is that by default, I don't believe the 'lock out'
option is enabled (and thus, brute-force attempts at Guest
or a similar account might indeed work).

rj
---------------------------------------------------------
R. J. Harvey               email:  [email protected]
WWW for job analysis/personality:  http://harvey.psyc.vt.edu/
PGP key at http://harvey.psyc.vt.edu/RJsPGPkey.txt