User Account Lockout Problem

Hi All,

I have an application which logs on remotely, but when the password is wrong and
the retries reach the account lockout count, the account gets locked. Is
there any user-mode security API to validate the credentials?

Thanks
Sandy

Do you want to validate the credentials without incrementing the account lockout counter when the password is wrong? AFAIK there is no such API, because it could allow an attacker to use it to do a brute force attack. Anyway, in user mode you can use the *LogonUser* API to validate a credential; however, it will increment the account lockout counter (if it is configured in the Default Domain Policy GPO) when the password is wrong.

-George


Why does this app make so many logon attempts?
Retries exist mainly for fat-fingered humans. Once the app has received a
logon error, it should not bang its head against the wall.

–PA

Not that bypasses account lockout checking, unless you do some major hackery in lsass, AFAIK.

Why do you think that you need to do this? There may be a better design approach that you could use.

- S


— NTDEV is sponsored by OSR For our schedule of WDF, WDM, debugging and other seminars visit: http://www.osr.com/seminars To unsubscribe, visit the List Server section of OSR Online at http://www.osronline.com/page.cfm?name=ListServer

Skywing

Thanks for your suggestion…
But can you suggest one of the designs that you mentioned?

Thanks
Sandy

That depends on why exactly you're trying to do this. For example, what in your design requires you to repeatedly try logging on the same accounts over and over again until they get locked out? Is that *really* required, or might you be able to avoid doing that?

- S


Here’s my guess as to his situation. He’s caching username and password
information. His driver runs at a site that enforces password
expiration. When the password expires and the user changes the
password, his app tries to login and ends up locking the account. He’s
trying to find a way to “test” the password without really submitting it.

Unfortunately, as someone else has pointed out, allowing that facility
would open up the door to dictionary-type attacks.


Tim Roberts, xxxxx@probo.com
Providenza & Boekelheide, Inc.

In such a case, the OP could check the return status from logging on and decline to retry (remove cached data) if it fails, particularly if it fails with expired, locked out, or logon failure.

- S

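An added example (not code from this thread or from any of the posters) of the retry policy George and Skywing describe: a cached credential is submitted through a logon callback, and on a definitive status such as ERROR_LOGON_FAILURE, ERROR_PASSWORD_EXPIRED or ERROR_ACCOUNT_LOCKED_OUT it is wiped and never resubmitted, so a stale password advances the lockout counter once instead of until lockout. The logon_fn callback, the cached_cred struct, the transient-failure cap and the sim_logon stand-in are assumptions; the error values are the documented Win32 codes, so on Windows the callback can wrap the real LogonUser.

```c
#include <stdbool.h>
#include <string.h>
/* Real Win32 status values (winerror.h); only the ones this policy needs. */
#define ERROR_SUCCESS              0
#define ERROR_LOGON_FAILURE        1326  /* unknown user name or bad password */
#define ERROR_PASSWORD_EXPIRED     1330
#define ERROR_PASSWORD_MUST_CHANGE 1907
#define ERROR_ACCOUNT_LOCKED_OUT   1909
#define MAX_TRANSIENT_FAILURES     3     /* assumed cap for any other error */

/* Hypothetical callback shape; on Windows wrap LogonUser in a function like this. */
typedef unsigned long (*logon_fn)(const char *user, const char *password);
struct cached_cred {
    char user[64], password[64];
    bool valid;                /* false once the password must not be resubmitted */
    unsigned failures;         /* consecutive transient failures */
    unsigned long last_error;  /* what to report once valid is false */
};
/* True when the password or account is dead until a human acts: resubmitting only advances the lockout counter. */
static bool is_definitive_failure(unsigned long err) {
    return err == ERROR_LOGON_FAILURE || err == ERROR_PASSWORD_EXPIRED ||
           err == ERROR_PASSWORD_MUST_CHANGE || err == ERROR_ACCOUNT_LOCKED_OUT;
}
/* Submit the cached password until it is known bad, then wipe it and refuse. */
unsigned long logon_with_cache(struct cached_cred *c, logon_fn logon) {
    if (!c->valid) return c->last_error;  /* answered from memory, DC untouched */
    c->last_error = logon(c->user, c->password);
    if (c->last_error == ERROR_SUCCESS) {
        c->failures = 0;
    } else if (is_definitive_failure(c->last_error) ||
               ++c->failures >= MAX_TRANSIENT_FAILURES) {
        c->valid = false;
        memset(c->password, 0, sizeof c->password); /* SecureZeroMemory on Windows */
    }
    return c->last_error;
}

/* Constructed stand-in for LogonUser: one valid password, counts submissions. */
static unsigned sim_calls;
static unsigned long sim_logon(const char *u, const char *p) {
    sim_calls++;
    return (!strcmp(u, "svc-sync") && !strcmp(p, "Right-Pass-1")) ? ERROR_SUCCESS : ERROR_LOGON_FAILURE;
}
/* A stale cached password reaches the DC once; the other nine retries never do. */
unsigned demo_stale_password_attempts(void) {
    struct cached_cred c = { "svc-sync", "Old-Pass-0", true, 0, 0 };
    sim_calls = 0;
    for (int i = 0; i < 10; i++) logon_with_cache(&c, sim_logon);
    return sim_calls;
}
```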

Skywing

Thanks for your suggestion.
I understood that avoiding repeated attempts to log on is the solution.

Thanks
Sandy.


Here is the deal. Your app MUST NOT use cached credentials; this is SO WRONG from the security point of view. The machine where it's running should be a member of a domain. The app should run under the computer account and should log in as a "domain computer" to the other host. If you use a named pipe, you won't have to input any credentials or keep them somewhere.