Friday, 13 August 2010

"You do not have permission to change your password"

I haven’t posted anything in a while, sorry about that. I’ll try to post more often. :-)

We had a call recently regarding users changing their expired password whilst logging on to a computer attached to another domain. Unfortunately or fortunately, depending on which way you look at it, almost all of our clients are Windows XP, so our initial response to these sort of queries is to ask the Local IT Administrator to fully patch the client experiencing the problem. Taking an XP client to SP3 usually solves most of the problems listed on TechNet for this particular error.

Unfortunately, patching didn’t work in this instance, and we weren’t sure why this was happening, so we logged a call with Premier Support. One of the articles we had missed in our initial investigations was highlighted to us by Microsoft - http://support.microsoft.com/kb/555340/en-gb

The article explained that we needed to reverse a change that was made on our Domain Controllers by the application of Server 2003 Service Pack 1 that had cleared the list of Pipes configured on the “Network Access: Named pipes that can be accessed anonymously” property in our Default Domain Controllers Policy. The article explains that we should enable the new defaults introduced in Windows Server 2003 SP1 (COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, BROWSER, NETLOGON, Lsarpc, samr) for that property to restore the ability for users logging on to a computer from another domain to change their password when it has expired.

The reason this happens is because an expired password prompt on a client appears before a user has actually logged on. To change the password at this point, a computer from another domain has to open a null session with a domain controller in the domain of the user, using an Anonymous connection to those named pipes that were removed with the installation of SP1.

You may ask, why I’m posting about this when it’s already detailed in the TechNet article above. Not entirely happy that we would enable anonymous access to all of the Named Pipes listed in the article, we asked Microsoft to identify specifically what Pipes we needed to enable to resolve the issue regarding changing expired passwords from computers on other domains. They came back to us with only two Pipes that needed to be enabled, LSARPC and SAMR.

These Named Pipes that allowed null sessions, have specific vulnerabilities and exploits that exist, hence the reason for their removal by Microsoft. In the end we decided not to make the change and migrate the affected computers to the users domain, but i thought it would be interesting to share that you didn’t need to allow anonymous access to all the named pipes detailed in the article above, if you need to make this work, you can now do it with as little risk as possible.

No comments: