Solved

MBSA

Posted on 2011-02-21
29
1,693 Views
Last Modified: 2012-05-11
Would anyone be willing to run MBSA (Microsoft Baseline Security Analyzer) against one of your domain controllers and let me know whether the password expiration test it does flags up disabled accounts as having accounts that never expire?

Also, where in ADUC can you view all users in a domain and their account status, i.e. active, expired, disabled etc.?
Question by:pma111
29 Comments
 
LVL 7

Assisted Solution

by:OxygenITSolutions
OxygenITSolutions earned 25 total points
ID: 34941192
Do a Google search for MBSA and go to Images. You might find what you're looking for.
 
LVL 3

Author Comment

by:pma111
ID: 34941205
I would much rather someone ran it on a domain controller to verify my suspicion, rather than looking at pictures of an MBSA report on Google images.
 
LVL 7

Assisted Solution

by:oriziv
oriziv earned 25 total points
ID: 34941229
I'm not sure what you're asking for.
MBSA doesn't alert when a disabled user's password expires.
 
LVL 3

Author Comment

by:pma111
ID: 34941265
I am asking whether MBSA only reports on active/live accounts.

For example, if you run it against a domain controller, the password expiration test flags up that some user accounts have passwords that never expire, but they seem to be accounts which are disabled.
 
LVL 3

Author Comment

by:pma111
ID: 34941284
Bad wording on the question, it should read:

Would anyone be willing to run MBSA (Microsoft Baseline Security Analyzer) against one of your domain controllers and let me know whether the password expiration test it does flags up disabled accounts as having PASSWORDS that never expire?
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941525
I created an account with a non-expiring password and disabled it. It showed up in the MBSA scan as having a non-expiring password.

You can right-click on Saved Queries and create a new query. There are a few options in there to view various criteria.

Good luck
 
LVL 3

Author Comment

by:pma111
ID: 34941550
I was more after this: if you set up an account without a non-expiring password (i.e. one that is subject to the default domain policy around complexity, lockout, expiry etc.), then disable it, does it still show up as having a non-expiring password? Or does it not appear in the MBSA report for the domain controller?
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941574
The account mentioned above had the non-expiring flag removed. Re-ran the scan. The account is disabled but did NOT appear in the scan.
 
LVL 7

Expert Comment

by:oriziv
ID: 34941580
MBSA scans and alerts for disabled users.
According to Microsoft, disabled users might become security issues if enabled and therefore must be handled just like active users.
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941600
On a final note, the only account that showed as disabled was the Guest account. The Guest account has its own section in the scan.
 
LVL 3

Author Comment

by:pma111
ID: 34941612
That's weird.

I have accounts showing up in the MBSA report for the domain controller that are disabled, but before they were disabled they were subject to domain policy, which includes password expiry. Now that they are disabled, they appear in the "accounts that have passwords that don't expire" finding.

It's almost as if, for any account you disable, MBSA then treats it as not having a password expiry setting because it is disabled?
 
LVL 5

Expert Comment

by:megaman5
ID: 34941651
An expired account/locked-out account isn't the same as a disabled one.
 
LVL 3

Author Comment

by:pma111
ID: 34941658
megaman, can you explain the difference?

What would an account be for a user that has left employment? Would that be a locked-out account?
 
LVL 5

Accepted Solution

by:
megaman5 earned 75 total points
ID: 34941676
Users who have left employment are usually disabled, by right clicking on the user object and disabling it.  If I read everything correctly, MBSA is flagging these accounts because 'they have passwords set to not expire?'  Can you check these accounts in DSA.MSC and see if they have the flag checked 'Password never expires'?  Does the person who disables accounts set this flag when they disable accounts?
 
LVL 3

Author Comment

by:pma111
ID: 34941687
>>Does the person who disables accounts set this flag when they disable accounts?

Is that common practice? Why would they do that?

>>Can you check these accounts in DSA.MSC and see if they have the flag checked 'Password never expires'?

I am not sure I have dsa.msc, can this check be done in aduc?
 
LVL 5

Expert Comment

by:megaman5
ID: 34941688
Disabled accounts are administratively disabled.
Locked out accounts have had too many attempts on their password.
Expired accounts are when the password is too old.

When you set the 'password must be changed on next logon' flag, the system sets expiration to now.

When you select the 'Password never expires' flag, the system ignores the expiration date and MBSA will flag this.
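A way to get the listing the question asks for, and to reproduce the thread's finding, from the command line instead of an ADUC saved query. This is an added example, not something posted in the thread; it uses the Get-ADUser cmdlet and assumes the RSAT ActiveDirectory module is installed and the script runs under a domain-joined account that can read user objects.

```powershell
# Assumes the RSAT ActiveDirectory module and a domain-joined account with read access.
Import-Module ActiveDirectory

# Pull every user with the attributes needed to tell the states apart.
# All of these are standard Get-ADUser extended properties.
$users = Get-ADUser -Filter * -Properties Enabled, LockedOut, PasswordExpired,
    PasswordNeverExpires, PasswordLastSet, AccountExpirationDate

$report = foreach ($u in $users) {
    # Order matters: a disabled account is reported as Disabled even if it is also locked out.
    $status = if (-not $u.Enabled) { 'Disabled' }                 # administratively disabled
              elseif ($u.LockedOut) { 'LockedOut' }               # too many bad password attempts
              elseif ($u.AccountExpirationDate -and
                      $u.AccountExpirationDate -lt (Get-Date)) { 'AccountExpired' }  # explicit expiry date passed
              elseif ($u.PasswordExpired) { 'PasswordExpired' }   # password older than the domain maximum age
              else { 'Active' }

    [pscustomobject]@{
        SamAccountName       = $u.SamAccountName
        Status               = $status
        PasswordNeverExpires = $u.PasswordNeverExpires
        PasswordLastSet      = $u.PasswordLastSet
    }
}

# Full status listing, like an ADUC saved query but in one table.
$report | Sort-Object Status, SamAccountName | Format-Table -AutoSize

# The MBSA-style finding: every account whose password never expires, disabled ones included.
$neverExpires = $report | Where-Object { $_.PasswordNeverExpires }

# The subset discussed in the thread: disabled accounts that still carry the
# 'Password never expires' flag and would keep it if someone re-enabled them.
$neverExpires | Where-Object { $_.Status -eq 'Disabled' } |
    Select-Object SamAccountName, PasswordLastSet | Format-Table -AutoSize
```

Search-ADAccount with -PasswordNeverExpires, -AccountDisabled, -LockedOut, -PasswordExpired or -AccountExpired gives the same individual subsets if you only need one of them.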
 
LVL 3

Author Comment

by:pma111
ID: 34941697
What is an expired/locked-out account, and when does an account expire? Is that when you purposely say this account is only active for 60 days? Or is it when a user doesn't change their password after x amount of warnings?
 
LVL 5

Expert Comment

by:megaman5
ID: 34941699
Yes, Active Directory Users and Computers is DSA.MSC.  Some companies will set this flag for various reasons.  Some set a standard 'terminated employee' password and set it not to expire.
 
LVL 5

Expert Comment

by:megaman5
ID: 34941706
No, account expiration is simply X days since the last password change (X is usually 60 or 90, depending on domain policy).
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941721
Your request was to run the MBSA and tell if accounts that are disabled with non expiring passwords are flagged. This was done.
 
LVL 3

Author Comment

by:pma111
ID: 34941731
>>Yes, Active Directory Users and Computers is DSA.MSC. Some companies will set this flag for various reasons. Some set a standard 'terminated employee' password and set it not to expire.

Can you provide some reasons? Yes, the flag is checked for a sample of the accounts I looked at...

If, say, a disabled user became undisabled, would it then be an account with no password expiry? So it is potentially a security issue? Or when you re-enable it, would the admin have to manually uncheck the "password doesn't expire" flag?
 
LVL 3

Author Comment

by:pma111
ID: 34941740
OxygenITSolutions: yes it was, but the issue has developed. I am very sorry if this offends you, but while I have megaman's attention he has brought an issue/reason to my attention that I wasn't aware of, so I thought I'd query further...
 
LVL 5

Expert Comment

by:megaman5
ID: 34941754
If you were to enable that account, yes, its password would not expire.  I would never set that flag on an account, you can change the password at any time if you need the account.
 
LVL 3

Author Comment

by:pma111
ID: 34941758
>>Some companies will set this flag for various reasons

Could you give me a few?
 
LVL 3

Author Comment

by:pma111
ID: 34941762
... in the context of an ex employee account?
 
LVL 5

Expert Comment

by:megaman5
ID: 34941775
Either to keep the employee's last password from expiring, or to set some standard terminated-employee password? I can't think of a good reason; both of these are amateur at best, and not best practice. IMO, if you have a terminated employee, do not set the 'Password never expires' flag...
 
LVL 3

Author Comment

by:pma111
ID: 34941791
>>or to set some standard terminated employee password

From an AD point of view, why would an admin do this? What benefits/ease of administration does it bring?
 
LVL 5

Expert Comment

by:megaman5
ID: 34941804
Simplicity?  If they ever needed to logon to that account, it would save them the step of resetting the password...
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941857
You need to review the points allocation here.
