Craig Box's journeys, stories and notes...


Tags: , , , , ,

3 Responses to “Slashback”

  1. Ian McDonald says:

    OK I've been thinking about the Windows password restoration and agree that it would be brilliant especially after working on sites with up to 1500 users....

    And I also disagree with the MVPs as it must be stored in a file somewhere even if it is the registry (which is also a file).

    As I see it there's two ways to do this:
    1) Use tools such as filemon/regmon from Sys Internals (now part of Microsoft) to see what is being accessed when a password is changed. Also look at what black hat hackers are doing to crack windows server passwords as they would have some clues - in particular their brute force tools should indicate where they are stored if their is source code
    2) Bypass Windows passwords and use some sort of SSO (single sign on) tool. I understand Windows can use external Kerebos/LDAP type tools quite easily even though I haven't tried. You could then write the scripts on the *nix box to do the work as that would be relatively simple. This one might meet oposition though from people as they don't want to replace their authentication structure but might be easier to change.

    I just wish I had thought of the idea first as I agree it is a great idea!

  2. Craig says:

    The first post says exactly that - read the DIT file off disk. Entirely too much effort when it should be possible.

    I know simple SSO stuff just auths against Windows in the same way Windows does. More complicated password sync probably replaces LSASS code, which is what the second post says. Over my level of programming ability anyway!

  3. [...] Tried this.  At present, there is no way for the Administrator to change someone's password, store the original hash, and set it back at a later date.  I think it's worth implementing though. [...]

Leave a Reply