Solved

MBSA

Posted on 2011-02-21
Last Modified: 2012-05-11
Would anyone be willing to run MBSA (microsoft baseline security analyzer) against one of your domain controllers, and let me know if the password expiration test it does flags up disabled accounts as having accounts that never expire?

Also, where in ADUC can you view all users in a domain and their account status, i.e. active, expired, disabled etc.?
Question by:pma111
29 Comments
 
LVL 7

Assisted Solution

by:OxygenITSolutions
OxygenITSolutions earned 25 total points
ID: 34941192
Do a google search for MBSA and go to images. Might find what you're looking for.
 
LVL 3

Author Comment

by:pma111
ID: 34941205
I would much rather someone ran it on a domain controller to verify my suspicion, rather than looking at pictures of an MBSA report on Google images.
 
LVL 7

Assisted Solution

by:oriziv
oriziv earned 25 total points
ID: 34941229
I'm not sure what you're asking for.
MBSA doesn't alert when a disabled user's password expires.
 
LVL 3

Author Comment

by:pma111
ID: 34941265
I am asking does MBSA only report on active/live accounts.

For example, if you run it against a domain controller, in the password expiration test it is flagging up that some user accounts have passwords that never expire - but they seem to be accounts which are disabled.
 
LVL 3

Author Comment

by:pma111
ID: 34941284
Bad wording on the question, it should read:

Would anyone be willing to run MBSA (microsoft baseline security analyzer) against one of your domain controllers, and let me know if the password expiration test it does flags up disabled accounts as having PASSWORDS that never expire?
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941525
I created an account with a non-expiring password and disabled it. It showed up in the MBSA scan as having a non-expiring password.

You can right click on Saved Queries and create a new query. Few options in there to view various criteria.

Good Luck
 
LVL 3

Author Comment

by:pma111
ID: 34941550
I was more after: if you set up an account without a non-expiring password (i.e. one that is subject to default domain policy around complexity, lockout, expiry etc.), then disable it, does it still show up as having a non-expiring password? Or does it not appear in the MBSA report for the domain controller?

 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941574
Account mentioned above had the non-expiring flag removed. Re-ran the scan. Account is disabled but DID NOT appear in the scan.
 
LVL 7

Expert Comment

by:oriziv
ID: 34941580
MBSA scans and alerts for disabled users.
According to Microsoft, disabled users might become security issues if enabled and therefore must be handled just like active users.
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941600
On a final note, the only account that showed as disabled was the Guest account. The Guest account has its own section in the scan.
 
LVL 3

Author Comment

by:pma111
ID: 34941612
That's weird.

I have accounts showing up in the MBSA report for the domain controller that are disabled, but before they were disabled were subject to domain policy, which includes password expiry. Now that they are disabled they appear in the "accounts that have passwords that don't expire" finding.

It's almost as if, for any account you disable, MBSA then treats it as not having a password expiry setting because it is disabled?
 
LVL 5

Expert Comment

by:megaman5
ID: 34941651
An expired account/locked out account isn't the same as disabled.
 
LVL 3

Author Comment

by:pma111
ID: 34941658
megaman can you explain the difference?

What would an account be for a user that has left employment, would that be a locked out account?
 
LVL 5

Accepted Solution

by:megaman5
megaman5 earned 75 total points
ID: 34941676
Users who have left employment are usually disabled, by right clicking on the user object and disabling it.  If I read everything correctly, MBSA is flagging these accounts because 'they have passwords set to not expire?'  Can you check these accounts in DSA.MSC and see if they have the flag checked 'Password never expires'?  Does the person who disables accounts set this flag when they disable accounts?
 
LVL 3

Author Comment

by:pma111
ID: 34941687
>>Does the person who disables accounts set this flag when they disable accounts?

Is that common practice, why would they do that?

>>Can you check these accounts in DSA.MSC and see if they have the flag checked 'Password never expires'?

I am not sure I have dsa.msc, can this check be done in ADUC?
 
LVL 5

Expert Comment

by:megaman5
ID: 34941688
Disabled accounts are administratively disabled.
Locked out accounts have had too many attempts on their password.
Expired accounts are when the password is too old.

When you set the 'password must be changed on next logon' flag, the system sets expiration to now.

When you select the 'Password never expires' flag, the system ignores the expiration date and MBSA will flag this.
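The three states megaman5 distinguishes above (disabled, locked out, password expired) plus the 'Password never expires' flag that MBSA reports on are all readable from Active Directory in one query. The following PowerShell is an added example, not code from the thread; it assumes the ActiveDirectory module (RSAT or a domain controller) and read access to the domain, and it changes nothing. Its last section isolates the exact finding in the question: accounts that are disabled and have 'Password never expires' set.

```powershell
# Added example (not from the original thread): audit every domain user for the
# account and password states discussed in this thread. Assumes the ActiveDirectory
# module is available; read-only.
Import-Module ActiveDirectory

# Attributes behind each state:
#   Enabled               - administratively enabled/disabled (ACCOUNTDISABLE bit in userAccountControl)
#   LockedOut             - too many bad password attempts (lockoutTime set)
#   PasswordExpired       - password is older than the domain's maximum password age
#   PasswordNeverExpires  - DONT_EXPIRE_PASSWORD flag; this is what MBSA's password expiration check lists
#   AccountExpirationDate - explicit account expiry date, a different thing from password expiry
$props = 'Enabled', 'LockedOut', 'PasswordExpired', 'PasswordNeverExpires',
         'PasswordLastSet', 'AccountExpirationDate'

$report = Get-ADUser -Filter * -Properties $props |
    Select-Object SamAccountName, Enabled, LockedOut, PasswordExpired,
                  PasswordNeverExpires, PasswordLastSet, AccountExpirationDate

# One row per account: the same view you would build as a saved query in ADUC
$report | Sort-Object Enabled, SamAccountName | Format-Table -AutoSize

# The finding from the question: disabled accounts whose password never expires.
# They cannot log on today, but if re-enabled they are outside password policy.
$disabledNeverExpires = @($report | Where-Object { -not $_.Enabled -and $_.PasswordNeverExpires })
Write-Output ("Disabled accounts with 'Password never expires' set: {0}" -f $disabledNeverExpires.Count)
$disabledNeverExpires | Format-Table SamAccountName, PasswordLastSet -AutoSize

# Keep a copy to compare against the MBSA report line by line
$report | Export-Csv -Path .\ad-account-status.csv -NoTypeInformation
```

If the number in the last section matches the count MBSA shows, the scanner is reporting the flag as set, not inferring "never expires" from the disabled state; check a few of the listed accounts on the Account tab in ADUC to confirm.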
 
LVL 3

Author Comment

by:pma111
ID: 34941697
What is an expired/locked out account, when does an account expire? Is that when you purposely say this account is only active for 60 days? Or is it when a user doesn't change their password after x amount of warnings?
 
LVL 5

Expert Comment

by:megaman5
ID: 34941699
Yes, Active Directory Users and Computers is DSA.MSC.  Some companies will set this flag for various reasons.  Some set a standard 'terminated employee' password and set it not to expire.
 
LVL 5

Expert Comment

by:megaman5
ID: 34941706
No, account expiration is simply X days since last password change (X is usually 60 or 90 depending on domain policy)
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941721
Your request was to run the MBSA and tell if accounts that are disabled with non expiring passwords are flagged. This was done.
 
LVL 3

Author Comment

by:pma111
ID: 34941731
>>Yes, Active Directory Users and Computers is DSA.MSC.  Some companies will set this flag for various reasons.  Some set a standard 'terminated employee' password and set it not to expire.

Can you provide some reasons? Yes the flag is checked for a sample of the accounts I looked at...

If say a disabled user became re-enabled, would it then be an account with no password expiry? So it is potentially a security issue? Or when you re-enable, would the admin have to manually uncheck the "password doesn't expire" flag?

 
LVL 3

Author Comment

by:pma111
ID: 34941740
OxygenITSolutions: yes it was, but the issue has developed. I am very sorry if this offends you, but while I have megaman's attention he has brought an issue/reason to my attention that I wasn't aware of, so I thought I'd query further...
 
LVL 5

Expert Comment

by:megaman5
ID: 34941754
If you were to enable that account, yes, its password would not expire.  I would never set that flag on an account, you can change the password at any time if you need the account.
 
LVL 3

Author Comment

by:pma111
ID: 34941758
>>Some companies will set this flag for various reasons

Could you give me a few?
 
LVL 3

Author Comment

by:pma111
ID: 34941762
... in the context of an ex employee account?
 
LVL 5

Expert Comment

by:megaman5
ID: 34941775
Either to keep the employee's last password from expiring, or to set some standard terminated employee password?  I can't think of a good reason, both of these are amateur at best, and not best practice.  IMO, if you have a terminated employee, do not set the 'password never expires' flag...
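Acting on the advice above (never leave 'Password never expires' set on a terminated employee's account) means clearing the flag on the accounts already in that state, so that anyone who re-enables one later inherits domain password policy rather than a permanent password. The script below is an added example, not from the thread; it assumes the ActiveDirectory module and rights to modify the target accounts, selects the accounts server-side with an LDAP bitwise filter on userAccountControl, and is a dry run unless `-Apply` is given.

```powershell
# Added example (not from the original thread): clear 'Password never expires' on
# disabled user accounts. Dry run by default; pass -Apply to make the change.
# Assumes the ActiveDirectory module and write access to the matched accounts.
param(
    [switch]$Apply,
    [string]$SearchBase      # optional OU DN; defaults to the whole domain
)
Import-Module ActiveDirectory
if (-not $SearchBase) { $SearchBase = (Get-ADDomain).DistinguishedName }

# LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803) on userAccountControl:
#   2     = ACCOUNTDISABLE
#   65536 = DONT_EXPIRE_PASSWORD (0x10000)
# Both bits must be set, so only disabled accounts with the flag are returned
# and the DC does the filtering instead of the client.
$ldapFilter = '(&(objectCategory=person)(objectClass=user)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=2)' +
              '(userAccountControl:1.2.840.113556.1.4.803:=65536))'

$targets = @(Get-ADUser -LDAPFilter $ldapFilter -SearchBase $SearchBase `
                        -Properties PasswordNeverExpires, PasswordLastSet)

foreach ($u in $targets) {
    if ($Apply) {
        # Clearing the flag neither enables the account nor changes its password;
        # the existing password simply becomes subject to the domain's maximum age.
        Set-ADUser -Identity $u -PasswordNeverExpires $false
        Write-Output ("Cleared PasswordNeverExpires on {0}" -f $u.SamAccountName)
    } else {
        Write-Output ("[dry run] would clear PasswordNeverExpires on {0} (password last set {1})" -f
                      $u.SamAccountName, $u.PasswordLastSet)
    }
}
Write-Output ("{0} disabled account(s) matched in {1}." -f $targets.Count, $SearchBase)
```

Run it once without `-Apply`, compare the list with the accounts MBSA flagged, and only then re-run with `-Apply`. The same bitwise filter, minus the ACCOUNTDISABLE clause, lists every account in the domain with the flag set, which is the broader population MBSA's check is really about.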
 
LVL 3

Author Comment

by:pma111
ID: 34941791
>>or to set some standard terminated employee password

From an AD point of view, why would an admin do this? What benefits/ease of administration does it bring?
 
LVL 5

Expert Comment

by:megaman5
ID: 34941804
Simplicity?  If they ever needed to logon to that account, it would save them the step of resetting the password...
 
LVL 7

Expert Comment

by:OxygenITSolutions
ID: 34941857
You need to review the points allocation here.
