I just want to add a user

Working on generating some virtual development environments that run locally for testing and presentations, and was in need of generating some test user accounts. So off to PowerShell I went; there will be an upcoming series on this, just you wait. As I started creating new users, I received the message that the simple couple-letter passwords did not meet the complexity defined.


(Windows cannot set the password for <user name> because: The password does not meet the password policy requirements. Check the minimum password length, password complexity and password history requirements.)

What! This is a development environment for my own use, I’m not worried about it being secure. The following steps are what I discovered to change the password complexity. I do not do a lot of server administration, so there may be a faster and easier method out there, but this worked for me.

  1. Log onto the AD server.
  2. Go to Start –> Administrative Tools –> Group Policy Management.
  3. This will open the Group Policy Management console.
  4. Via the tree on the left, navigate down to the Group Policy Objects for the domain. In the right frame, right-click Default Domain Policy to open the Group Policy Management Editor console.
  5. Via the tree on the left, navigate: Computer Configuration –> Policies –> Windows Settings –> Security Settings –> Account Policies –> Password Policy.
  6. The right-hand frame will now display all of the possible password policy settings you can change.

If you perform all of the above steps and are still receiving error messages about non-conforming passwords, the local security settings may have password policies enabled. To correct this, go to Start –> Administrative Tools –> Local Security Policy.

This will open the Local Security Policy window. In the left frame, navigate the tree to Password Policy (Security Settings –> Account Policies –> Password Policy.)

You will see the same list of policy options as in the Group Policy Management Editor. Make the changes you want and a user account will soon be yours.

Remember, the stricter these policies are, the safer your environment can be.
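The two policy stores walked through above (the Default Domain Policy and the Local Security Policy) can also be read from PowerShell, which shows which one is rejecting a password before anything is changed. This is an added example, not code from the original post; it assumes the ActiveDirectory module, an elevated session, and a placeholder domain name `lab.example.test`, and the relaxed values at the end are illustrative.

```powershell
# Added example for an isolated lab. Assumes the ActiveDirectory module (RSAT),
# an elevated session, and a placeholder domain name.
Import-Module ActiveDirectory
$LabDomain = 'lab.example.test'   # placeholder: replace with your test domain

# 1. Domain side: the values set under Default Domain Policy -> Password Policy.
$domain = Get-ADDefaultDomainPasswordPolicy -Identity $LabDomain

# 2. Local side: export the Local Security Policy and pick out the same settings.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$local = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^(PasswordComplexity|MinimumPasswordLength|PasswordHistorySize)\s*=\s*(-?\d+)') {
        $local[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $cfg

# 3. Show both side by side so it is clear which store rejects the password.
[pscustomobject]@{ Setting = 'Complexity enabled'; Domain = $domain.ComplexityEnabled; Local = [bool]$local['PasswordComplexity'] },
[pscustomobject]@{ Setting = 'Minimum length'; Domain = $domain.MinPasswordLength; Local = $local['MinimumPasswordLength'] },
[pscustomobject]@{ Setting = 'History count'; Domain = $domain.PasswordHistoryCount; Local = $local['PasswordHistorySize'] } |
    Format-Table -AutoSize

# 4. Relax the domain policy only when connected to the lab domain.
if ((Get-ADDomain).DNSRoot -ne $LabDomain) {
    throw "Current domain is not $LabDomain; refusing to change its password policy."
}
# -WhatIf previews the change; remove it to apply. The values are examples.
Set-ADDefaultDomainPasswordPolicy -Identity $LabDomain -ComplexityEnabled $false -MinPasswordLength 4 -WhatIf
```

The domain check in step 4 keeps the relaxed settings from being applied if the script is run while logged on to a different domain.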

ASP.NET Security Patch

Last week I cross-posted about a security flaw in ASP.NET which could allow an attacker to get access to files on the server.

Microsoft has announced an out-of-band patch for this on Tuesday, September 28, 2010.

Here is the blog post from the Microsoft SharePoint Team blog with details and links.

x-post from the Microsoft Security Response Center blog — The download links for the security updates are in the Security Bulletin.

As we announced yesterday, today we released Security Bulletin MS10-070 out-of-band to address a vulnerability in ASP.NET. The bulletin and the blog by Scott Guthrie, corporate vice president of Microsoft’s .NET Developer Platform are available for more information.

This security update addresses a vulnerability affecting all versions of the .NET Framework when used on Windows Server operating system. While desktop systems are listed as affected, consumers are not vulnerable unless they are running a web server from their computer.

The update will be made available initially only through the Microsoft Download Center and then released through Windows Update and Windows Server Update Services within the next few days. This allows customers the option to deploy it manually now without delaying for broader distribution.

For customers who use Automatic Updates, the update will be automatically applied once it is released broadly. Once the Security Update is applied, customers are protected against known attacks related to Security Advisory 2416728.

If you can, please join me and Dustin Childs today for a live webcast where we will cover the details of this bulletin and take customer questions live. Here is the registration information:

Date: Tuesday September 28, 2010
Time: 1:00 p.m. PDT
Click Here to Register

Thanks,
Dave Forstrom
Director, Trustworthy Computing

Big Security Hole for SharePoint Servers

You may have already read this somewhere out there; it is making the rounds across the Twitter-sphere, blogs, and news. But I felt it would be important to post, or I should say re-post, the issue.

Executive Summary from Vulnerability in ASP.NET Could Allow Information Disclosure (http://www.microsoft.com/technet/security/advisory/2416728.mspx)

Microsoft is investigating a new public report of a vulnerability in ASP.NET. An attacker who exploited this vulnerability could view data, such as the View State, which was encrypted by the target server, or read data from files on the target server, such as web.config. This would allow the attacker to tamper with the contents of the data. By sending back the altered contents to an affected server, the attacker could observe the error codes returned by the server. Microsoft is aware of limited, active attacks at this time. We are actively working with partners in our Microsoft Active Protections Program (MAPP) to provide information that they can use to provide broader protections to customers. Upon completion of this investigation, Microsoft will take the appropriate action to help protect our customers. This may include providing a security update through our monthly release process or providing an out-of-cycle security update, depending on customer needs.

Scott Guthrie has an excellent post up regarding this vulnerability at http://weblogs.asp.net/scottgu/archive/2010/09/18/important-asp-net-security-vulnerability.aspx. As normal, he has gone through with code snippets to explain the issue and what you can do to protect your systems.

Good luck keeping your systems safe!