Changing Passwords on the Command Line
In Mark Minasi's Windows Power Tools, "Rediscover Net User" (May 2006, InstantDoc
ID 49704), Mark states that he doesn't know of a command-line tool that would
do a password change. Let me point out that issuing the command
dsmod user /?
reveals, among other things, that you can reset a user's password with
dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com" -pwd A1b2C3d4 -mustchpwd yes
To reset multiple user passwords to a common password and force the users to change their password the next time they log on, type in
dsmod user "CN=John Doe,CN=Users,DC=microsoft,DC=com" "CN=Jane Doe,CN=Users,DC=microsoft,DC=com" -pwd A1b2C3df -mustchpwd yes
You can locate the distinguishedName property and pipe it into dsmod user with dsquery user by typing
dsquery user -name "John Doe" | dsmod user -pwd A1b2C3d4 -mustchpwd yes
-Gary MacDonald
Unique Security Features Not So Unique
In Paul Thurrott's article "What You Need to Know About . . . Windows Vista
x64 Versions' Unique Security Features" (August 2006, InstantDoc ID 50522),
one of the features Paul mentions isn't unique to the 64-bit version of Vista
and two aren't unique to Vista in general. Specifically, Address Space Layout
Randomization (ASLR) is also present on 32-bit Vista. For more information,
see Michael Howard's Web Log at http://blogs.msdn.com/Michael_howard/archive/2006/05/26/608315.aspx.
Hardware data execution prevention (DEP) is also supported both on 32-bit and
64-bit Windows XP systems that have no-execute memory management support in
the hardware and was first introduced in XP SP2. For more information, see the
Microsoft article about DEP at http://support.microsoft.com/kb/875352.
PatchGuard was introduced in Windows XP and Windows Server 2003 SP1 for x64
systems. For more information, see "Patching Policy for x64-Based Systems,"
at http://www.microsoft.com/whdc/driver/kernel/64bitpatching.mspx.
In addition, the inclusion of digital signing for all kernel-mode code on Vista
isn't for reliability but to require accountability for powerful, system-trusted
code. No reliability test or oversight is required to sign a driver for 64-bit
Vista; you simply need to obtain a signing certificate from one of several certificate
authorities (see "Digital Signatures for Kernel Modules on x64-Based Systems
Running Windows Vista" at http://www.microsoft.com/whdc/system/platform/64bit/kmsigning.mspx
for more information). The belief is that malware authors won't be able or willing
to obtain signatures, and if they do, their code will be traceable.
-Mark Russinovich
Windows Live OneCare Antispyware?
In his article "Top 10: Windows Live OneCare" (June 2006, InstantDoc ID 50007),
Michael Otey states that Windows Live OneCare doesn't include antispyware protection.
I checked the link that Michael provides, http://www.windowsonecare.com,
and discovered that Microsoft is passing off OneCare as containing
antispyware protection. That information is deceiving because if you read further
on the Microsoft site, the statement is made that OneCare integrates Windows
Defender. You have to read the fine print. Thank you for Michael's review of
OneCare. It is helpful.
-Karl Swenson