Security – Lock Workstation Glitch? (AD/Windows XP)


I was playing with a lab setup recently (Windows 2003 R2 x32 SP2, Windows XP SP3, Active Directory) and noticed that if I locked the workstation, the following strange behaviour appeared:

  1. I have a lockout policy that says
    that an account is locked after three
    invalid attempts. When trying this
    when unlocking the workstation, the
    workstation correctly says the
    account is locked after three invalid
    attempts, but it lets me continue
    trying passwords
    . If I eventually
    type in the correct password, it
    unlocks the workstation.

  2. If I change the user's password while
    the workstation is locked, both
    the old and new password will unlock
    the workstation.

  3. If I disable the user's account while
    the workstation is locked, they can
    still log in and continue to access

Is this behaviour correct or just a bug in my setup? Any pointers on how to mitigate this problem?

The attack vector to exploit #1 would be if the hacker has a set list of maybe 200 or so possible passwords based on combinations of the user's birthday, kids names, whatever. They then try each of these passwords, in turn, to see if they are right (maybe using a USB keyboard wedge to automate it).

Because they are not locked out after three attempts, they can keep trying until they get the password. Once they have the password, they just wait for the user to get their account unlocked by the admin, then they can login as the user.

The issue with #2 and #3 would be if, say, someone just got fired and you wanted to prevent them from taking files with them, and disabled their account/changed their password, they could still access the files if their workstation was locked (or I assume if they were already logged into their computer).

Best Answer

I don't believe this is a bug.

The difference is that the account lock out policy applies to new sessions with new auth and login under default circumstances.

In the case of a locked workstation, there's already an active, logged-in session on the box.

This can apparently be changed by the "ForceUnlockLogon" registry setting. Toggling this requires a workstation unlocking to get re-auth from the DC and thereby avoids the use of old, cached credentials.

In the case of a locked LOCAL account in the workstation, you can add the following registry value into HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies:

DisablePasswordCaching DWORD 00000001

Quick googling turned up this paper by MS over at sysoptools:

It has details relating to logons, account lockout policy, and discussions of settings that can come into play.

Additional Note re: #3 (also covered in the linked paper): a locked-out user may still gain access if their still-valid kerberos ticket has not expired.