Forcing Password Changes

Much of the email I get from readers requesting assistance falls into the "What the heck is going on?" category. Usually something is happening on their network or with their computer that has no readily ascertainable cause. One of the more interesting email messages that I received recently was from a systems administrator with whom I had been in correspondence throughout a migration from Windows 9x desktops to Windows XP. I hadn't heard from him for few months and was a little surprised to get a problem-laden message from him.

The situation was this: After a quarterly security audit, his Help desk staff started getting phone calls from users who reported problems accessing file shares and Encrypting File System (EFS)-encrypted files. After some discussion, we determined that the only thing in common among the users reporting the problems was that they were all running XP (as most of the enterprise clients now were) and that IT staffers had changed the users' passwords during the security audit.

As part of the audit process, IT staffers walked through users' cubicles and offices; if a user had passwords taped to his or her monitor or displayed in an obvious place, an IT staffer would log on as an administrator and force a password change on the user's computer. The company was taking network and data security very seriously due to some requirements on contracts the company was bidding on, and IT was actively enforcing user policies that included specific instructions to users not to leave written passwords in their offices.

When I told the systems administrator that denying access to password-protected data after a forced password change is designed behavior in XP, he was incredulous—not that users would be locked out of some data areas, but that the designed behavior appeared to be unpredictable. The forced password change hadn't affected all users equally—some users had no problems, others lost access to everything beyond their local machine, and others were reporting problems only with EFS.

I observed that he was basing his perception of inconsistent behavior on user complaints to the Help desk—users would call with the first complaint and possibly not with any others that were related to the forced password change. I also pointed out that he need not have forced password changes; IT staffers could have used the accessible passwords to log on as the users and change the passwords.

In some cases, the systems administrator was able to solve the problem by logging on and resetting the user's password to what it had been before the change, but this fix required that users remember their passwords (and if they had been able to do that, they probably wouldn't have had their passwords on sticky notes attached to their monitors). In other cases, the administrator was able to recover data in EFS-encrypted files by using the standard EFS recovery methods, which are described in detail in the Microsoft article "Methods for Recovering Encrypted Data Files" at
http://support.microsoft.com/default.aspx?id=kb;en-us;q255742.

The systems administrator has decided not to force user-password changes in this situation again, and I completely agree with him. Forcing a password change in a business environment on a computer on which you've applied reasonable security causes problems. As Microsoft points out, securing data also means securing it from easy access by rogue administrators (my words, not Microsoft's). A serious security hole would exist if changing a user's password, then reading all the user's data or using the user's credentials to access network resources were a simple matter. Complete details about XP's behavior after a forced password change, which data is affected, and the reasoning behind the behavior appear in the Microsoft article "EFS, Credentials, and Private Keys from Certificates Are Unavailable After a Password Is Reset" at
http://support.microsoft.com/default.aspx?id=kb;en-us;q290260.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish