
Audit Failed Password Change Attempts

IP.com Disclosure Number: IPCOM000104087D
Original Publication Date: 1993-Mar-01
Included in the Prior Art Database: 2005-Mar-18
Document File: 2 page(s) / 31K

Publishing Venue

IBM

Related People

Herrick, T: AUTHOR [+3]

Abstract

There is currently a hole in the Local Area Network (LAN) Server* Security scheme via the NetUserPasswordSet Application Programming Interface (API). The NetUserPasswordSet API can be called repetitively by any user until the password or the account is determined.

This text was extracted from an ASCII text file.
This is the abbreviated version, containing approximately 93% of the total text.

Audit Failed Password Change Attempts

      There is currently a hole in the Local Area Network (LAN) Server* Security scheme via the NetUserPasswordSet Application Programming Interface (API).  The NetUserPasswordSet API can be called repetitively by any user until the password or the account is determined.

      To solve this security problem, failed password change attempts
need to be audited.  This means defining a new audit entry since none
exist that are appropriate to this case.  The computername the
request came from and the userid on which the password change was
attempted should be audited.  The failed password change attempts can
be audited by making the following code changes:

      Add a new comment (the second line of each audit record displayed by the net audit command) to the existing audit type "Account", which will keep track of failed password change attempts.  The new comment will be displayed by net audit as shown below:

User ID                    Type                        Date
----------------------------------------------------------------------
GUEST                      Account                     07-29-92 01:15pm
    Failed password change(REQID, USER01)
where:

GUEST  - The User ID who called the API 'NetUserPasswordSet'.  This
field will contain REQID if a user was not logged on.

REQID  - The computername of the client from where the API was
i...
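As an added example that is not part of the disclosure, the following Python reads net audit output in the proposed record format (record line followed by the new "Failed password change" comment line) and reports accounts that accumulate repeated failed change attempts, which is the repeated-call pattern the audit entry is meant to expose. The sample records are constructed, not captured output.

```python
import re
from collections import defaultdict

# Constructed sample of net audit output in the format proposed above.
# Each record is a header line (User ID, Type, Date) followed by the
# comment line "Failed password change(REQID, USER)".
SAMPLE_AUDIT = """\
User ID                    Type                        Date
----------------------------------------------------------------------
GUEST                      Account                     07-29-92 01:15pm
    Failed password change(REQID, USER01)
GUEST                      Account                     07-29-92 01:15pm
    Failed password change(REQID, USER01)
WS17                       Account                     07-29-92 01:16pm
    Failed password change(WS17, USER01)
GUEST                      Account                     07-29-92 01:16pm
    Failed password change(REQID, ADMIN)
"""

# Record line: caller user ID (or computername when nobody was logged on),
# audit type, date and time.
RECORD_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\d\d-\d\d-\d\d \d\d:\d\d[ap]m)$")
# Comment line: (computername the request came from, target user ID).
COMMENT_RE = re.compile(r"^\s+Failed password change\((\w+),\s*(\w+)\)$")


def parse_failed_changes(text):
    """Return (caller, computername, target_user, timestamp) for every
    failed-password-change record of audit type "Account"."""
    lines = text.splitlines()
    events = []
    for i, line in enumerate(lines):
        m = RECORD_RE.match(line)
        if not m or m.group(2) != "Account" or i + 1 >= len(lines):
            continue
        c = COMMENT_RE.match(lines[i + 1])
        if c:
            events.append((m.group(1), c.group(1), c.group(2), m.group(3)))
    return events


def guessing_suspects(events, threshold=2):
    """Map each target user ID hit at least `threshold` times to the sorted
    set of computernames the failed attempts came from."""
    per_target = defaultdict(list)
    for _caller, computername, target, _ts in events:
        per_target[target].append(computername)
    return {t: sorted(set(c)) for t, c in per_target.items() if len(c) >= threshold}
```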