Domain User password guessed

nt-guessed-domain-userpwd (1329)

High Risk

Description:

A Domain User account has a password that has been guessed. Weak passwords allow attackers unauthorized access, including the ability to take over and replace processes, and access other computers on the network.

Consequences:

Remedy:

Change the password to a more secure password as required by your security policy. Require a minimum length for all passwords and set up a password filter to enforce password complexity. If your security policy does not specify a minimum length, ISS recommends a minimum of at least seven characters.

To change the password and set the minimum password length, follow the steps below, appropriate for your platform.

For Windows NT:

1. Open User Manager. (From the Windows NT Start menu, select Programs, Administrative Tools (Common), User Manager.)
2. Select the user account from the list.
3. From the Policies menu, select Account to display the Account Policy dialog box.
4. Set the Minimum Password Length as required by your security policy.
5. Click OK.
6. From the User menu, select Properties to display the User Properties dialog box.
7. Type and confirm a non-trivial password.
8. Click OK.

For a Windows 2000 domain:

1. Start Active Directory Users and Computers Management Console (dsa.msc) from a command prompt.
2. Double-click on Users folder.
3. Right-click on user Object of interest.
4. Select Reset Password to change the user password.
5. Type in new password and confirm password.
6. Click on OK to save the setting.

For a stand-alone Windows 2000 computer:

1. Start Local Users and Groups Management Console (lusrmgr.msc) from a command prompt.
2. Double-click on Users folder.
3. Right-click on user object of interest.
4. Select Set Password to change the user password.
5. Type in new password and confirm password.
6. Click on OK to save the setting.

For Windows 2000, follow the additional steps below to set the minimum password length.

For a Windows 2000 domain:

1. Start Microsoft Management Console (MMC).
2. Add Group Policy Snap-in.
3. Browse Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path:
   Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy, and Minimum Password Length.
6. Set the Minimum Password Length to desired value. If your security policy does not specify a minimum password length, ISS recommends a minimum of at least seven characters.
7. Set all other password values in accordance with your security policy.

For a stand-alone Windows 2000 computer:

1. On the computer of interest, start gpedit.msc. The focus is local computer by default.
2. Traverse the following path:
   Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy, and Minimum Password Length.
3. Set the Minimum Password Length to desired value. If your security policy does not specify a minimum password length, ISS recommends a minimum of at least seven characters.
4. Set all other password values in accordance with your security policy.

— AND —

For Windows NT:

For maximum password security, apply the passfilt.dll password filter, as explained in Microsoft Knowledge Base Article Q161990. See References.

For a Windows 2000 domain:

1. Start Microsoft Management Console (MMC).
2. Add Group Policy Snap-in.
3. Browse Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path:
   Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy, and Password must meet complexity.
6. Enable the option Password must meet complexity requirements..

For a stand-alone Windows 2000 computer:

1. On the computer of interest, start gpedit.msc. The focus is local computer by default.
2. Traverse the following path:
   Computer Configuration, Windows Settings, Security Settings, Account Policies, Password Policy, and Password must meet complexity.
3. Enable the option Password must meet complexity requirements..

References:

• Microsoft Knowledge Base Article 161990: How to Enable Strong Password Functionality in Windows NT.
• CVE-1999-0505: A Windows NT domain user or administrator account has a guessable password.

Platforms Affected:

• Microsoft Windows 2000
• Microsoft Windows 2003 Server
• Microsoft Windows 95
• Microsoft Windows 98
• Microsoft Windows 98SE
• Microsoft Windows Me
• Microsoft Windows NT 4.0
• Microsoft Windows XP

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net

Return to the main page