The password history check *should* still be performed from what I know, but it is possible for a user to simply go through and change their password 18 times so they can use the old one again. To combat this you also need to set a minimum password age in your policy. If you set the minimum password age to 1 month they will not be able to reset their password for at least 1 month each time, and then you guarantee that it will be 18 months until they can re-use the old password again.

Tony Bradley, MCSE, MCSA, MCP, A+
Threat & Vulnerability Monitor
EDS GM Global Information Protection Programme

"The price of success is hard work, dedication to the job at hand, and the determination that whether we win or lose, we have applied the best of ourselves to the task at hand." ~ Vince Lombardi ~

-----Original Message-----
From: Leonid Mamtchenkov [mailto:leonid@francoudi.com]
Sent: Thursday, March 07, 2002 2:41 AM
To: bugtraq@securityfocus.com
Subject: Windows 2000 password policy bypass possibility

Hello All,

I have noticed the following behavior with Windows 2000 and I am not yet sure whether that is a bug or a feature.

It is possible to create a security policy regarding passwords for Windows 2000 that will require users to use secure passwords, which should be periodically changed. It is also possible to make Windows remember several previous passwords (18 in our case). Now, when the time comes for a user to change the password, the system checks whether or not the new password is among those 18 old ones. If it is not, and the password satisfies the other conditions, then the password changes.

It is possible for the user, though, to change the password without waiting for it to expire. When changing the password this way, the password history check is not done, but the check for all other conditions is performed.

Is this issue serious enough to be forwarded to Microsoft, or is it supposed to work this way?

--
Best regards,
Leonid Mamtchenkov, RHCE
System Administrator
Francoudi & Stephanou Ltd.
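Added example (editor's note, not part of either message above): the control Tony recommends, written out as a PowerShell script that first audits the domain password policy for the weak state described in the thread (history enforced, minimum age zero) and then sets both a history length and a minimum age. It assumes a Windows Server domain controller with the ActiveDirectory module (RSAT) installed; the cmdlets and `net accounts` switches are real, while the chosen values (18 remembered passwords, 1 day minimum age, 90 days maximum age) are illustrative. The `net accounts` lines at the end are the equivalent for a Windows 2000 domain, where the cmdlets do not exist.

```powershell
# Added example, not code from the original thread.
# Audit and harden the default domain password policy so that a user
# cannot cycle through the password history list in a single sitting.
# Assumes: domain-joined host with the ActiveDirectory module available
# and an account allowed to edit the default domain policy.

Import-Module ActiveDirectory

# 1. Audit the current settings.
$policy = Get-ADDefaultDomainPasswordPolicy
"PasswordHistoryCount : {0}" -f $policy.PasswordHistoryCount
"MinPasswordAge       : {0}" -f $policy.MinPasswordAge
"MaxPasswordAge       : {0}" -f $policy.MaxPasswordAge

# Weak state from the thread: a history list is enforced, but with a
# zero minimum age the user can change the password N+1 times back to
# back and land on the original one again.
if ($policy.PasswordHistoryCount -gt 0 -and $policy.MinPasswordAge -eq [TimeSpan]::Zero) {
    Write-Warning ("Password history of {0} can be exhausted immediately: MinPasswordAge is 0." -f $policy.PasswordHistoryCount)
}

# 2. Harden: keep the history list and require time between user-initiated
#    changes. Values are illustrative; pick ones that fit your rotation
#    period. With 18 remembered passwords and a 1-day minimum age, getting
#    back to an old password takes at least 18 days of deliberate effort.
#    (Administrative resets are not subject to the minimum age, so the
#    helpdesk can still reset a forgotten password.)
Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DistinguishedName `
    -PasswordHistoryCount 18 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90)

# 3. Re-read to confirm the change took effect.
Get-ADDefaultDomainPasswordPolicy | Select-Object PasswordHistoryCount, MinPasswordAge, MaxPasswordAge

# Windows 2000 / NT-style equivalent, run on a domain controller
# ("net accounts" with no arguments prints the current settings):
#   net accounts /UNIQUEPW:18 /MINPWAGE:1 /MAXPWAGE:90
```

Note that the minimum age only gates changes the user makes; a password reset done by an administrator (or a "must change password at next logon" flag) bypasses it, so the audit above is about what an ordinary user can do on their own.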