I was playing with a lab setup recently (Windows 2003 R2 x32 SP2, Windows XP SP3, Active Directory) and noticed that if I locked the workstation, the following strange behaviour appeared:
-
I have a lockout policy that says
that an account is locked after three
invalid attempts. When trying this
when unlocking the workstation, the
workstation correctly says the
account is locked after three invalid
attempts, but it lets me continue
trying passwords. If I eventually
type in the correct password, it
unlocks the workstation. -
If I change the user's password while
the workstation is locked, both
the old and new password will unlock
the workstation. -
If I disable the user's account while
the workstation is locked, they can
still log in and continue to access
resources.
Is this behaviour correct or just a bug in my setup? Any pointers on how to mitigate this problem?
The attack vector to exploit #1 would be if the hacker has a set list of maybe 200 or so possible passwords based on combinations of the user's birthday, kids names, whatever. They then try each of these passwords, in turn, to see if they are right (maybe using a USB keyboard wedge to automate it).
Because they are not locked out after three attempts, they can keep trying until they get the password. Once they have the password, they just wait for the user to get their account unlocked by the admin, then they can login as the user.
The issue with #2 and #3 would be if, say, someone just got fired and you wanted to prevent them from taking files with them, and disabled their account/changed their password, they could still access the files if their workstation was locked (or I assume if they were already logged into their computer).
Best Answer
I don't believe this is a bug.
The difference is that the account lock out policy applies to new sessions with new auth and login under default circumstances.
In the case of a locked workstation, there's already an active, logged-in session on the box.
This can apparently be changed by the "ForceUnlockLogon" registry setting. Toggling this requires a workstation unlocking to get re-auth from the DC and thereby avoids the use of old, cached credentials.
In the case of a locked LOCAL account in the workstation, you can add the following registry value into HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\policies:
DisablePasswordCaching DWORD 00000001
Quick googling turned up this paper by MS over at sysoptools: http://www.sysoptools.com/support/files/Account%20Passwords%20and%20Policies%20In-Depth.doc
It has details relating to logons, account lockout policy, and discussions of settings that can come into play.
Additional Note re: #3 (also covered in the linked paper): a locked-out user may still gain access if their still-valid kerberos ticket has not expired.