• Re: Account disabled after one failed logon

    From VanguardLH@3:633/280.2 to All on Sat Apr 20 15:43:20 2024
    Keywords: VanguardLH,VLH

    T <T@invalid.invalid> wrote:

    W10-pro 22H2

    I have a customer with two machines. Both have the
    same issue

    If you goof the first attempt to logon, your account gets
    locked out for five minutes.

    Password and attempts are set as follows:

    <win><r> secpol.msc
    --> Security Settings (very top of the left pane)
    --> Account Policies (left pane)
    --> Account Lockout Policy (left pane)
    --> Adjust the following (you have to set the threshold first):
    x Account lockout threshold (middle one) (10)
    x Account lockout duration (5)
    x Reset account lockout counter after (5) https://imgur.com/JBWWAuw.png

    The normal way to unlock an account before the wait period
    expires is
    --> logon as Administrator
    --> <win><R> lusrmgr.msc
    --> users
    --> select user
    --> uncheck "Account is disabled"

    Problem: the account is not disabled (lusrmgr.msc): https://imgur.com/2rxTBQo.png

    So, is your question how to disable the lockout interval timeout
    (duration) to just use the max attempt count (threshold)?

    Or do you still want a 5-minute lockout interval, and always use an
    admin account to unlock the lockout? By the time you get to the
    workstation, login under an admin account, and navigate into policies to
    unlock an account, you might've just waited the 5-minute login interval.

    I would expect a lockout interval does NOT mean the account is disabled,
    just the login gets stalled for that interval. Keep a login fail count
    (lockout threshold), but I'd probably up that from 10 to 30 for
    uber-boobs using the workstation.

    The lockout threshold (now at 10) cues it takes that many logins to fail
    before a lockout. You sure your customer is telling the truth that just
    1 failed login is locking up the login screen? Customers sometimes lie
    to save face.

    I had my dad with his SOHO office tell me that he didn't install any
    software since I last worked on his company computer. I'd find and show
    several programs he installed since then. He said he figured those
    didn't count. Uh huh. And it was one of those insignificant installs
    that fucked his computer.

    Alternatively, and if the image you showed is not of the customer's
    computer, a lockout duration of 0 (zero) means the account gets locked
    (not disabled). An admin then needs to unlock the account. The
    duration should be 1, or higher (measured in minutes). Once the
    threshold is exceeded, the account is locked for the interval set in
    duration, but a value of 0 means immediate lockout on a failed login.
    Some companies set the duration to 1440 minutes (24 hours), but the
    threshold of 5 means the authorized user could end up locked out for a
    day in just 5 failed logins. A duration of just 5 minutes is way too
    short as a brute-force attacker can begin again in a very short time to
    hack into an account.

    Disabled and locked out are not the same regarding account status. Your
    image at https://i.imgur.com/2rxTBQo.png shows the "Account is disabled"
    option is disabled, so that account is /not/ disabled. Your image also
    shows "Account is locked out" is grayed out, so the account is not
    locked out, either. When you saved that image (after logging under a
    different admin-level Windows account and using lusrmgr), had the
    duration already expired, so it was no longer locked out by the time you
    got around to looking at that account?

    https://www.tenforums.com/tutorials/87665-unlock-local-account-windows-10-a.html
    "If Account is locked out is grayed out and unchecked, then the account
    is not locked out."

    Since these login security measures are policies, and since a PDC can
    push policies onto a workstation, you didn't mention if the user is
    logging on using a local account, or an account in a domain. No matter
    what you set for policy, a workstation logging into a PDC will get those
    policies pushed onto their host. The only way I know of around this is
    to get the IT folks to give you the admin account login credentials to
    define a script for the Logon event that rewrites the registry settings
    for the policies. IT was pushing a short screen saver timeout that we
    needed disabled for a kiosk workstation in our Alpha Lab. Once I
    explained why we need that host (in a locked lab) to NOT allow the
    password-protected screen saver, they gave me the admin account (the one
    from the PDC, not a local admin account) to write a Logon script to use
    reg.exe to undo some of the corporate policies. They had no way to
    differentiate which policies were pushed onto which workstations, like
    excluding our kiosk host from their policies. Not a problem for hosts
    in our Lab that were on a different network segment where domain logins
    weren't used, but the kiosk host was outside our Lab's network, subject
    to corporate policies pushed via PDC, but in a locked office.

    Unlock account in a PDC setup:
    https://www.youtube.com/watch?v=O8KWgt4oHRM

    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: Usenet Elder (3:633/280.2@fidonet)
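    The post above turns on the difference between an account that is
    disabled and one that is locked out, and on reading the three Account
    Lockout Policy values. The following PowerShell is an added example (not
    code from anyone in the thread) that reports the effective local policy
    with `net accounts`, then reads both flags for one local account through
    the WinNT ADSI provider, because `Get-LocalUser` exposes `Enabled` but not
    the lockout bit. It assumes an elevated session on the workstation and a
    local (non-domain) account; `$UserName` is a placeholder.

    ```powershell
    # Added example: tell "locked out" apart from "disabled" for a local account
    # and show the lockout policy that secpol.msc displays. Run elevated.
    param(
        [string]$UserName = 'someuser'   # placeholder: the affected local account
    )

    # 1. Effective lockout policy. 'net accounts' reports the same three values
    #    secpol.msc shows under Account Policies > Account Lockout Policy.
    Write-Host "== Effective lockout policy (net accounts) =="
    net accounts | Select-String -Pattern 'Lockout'

    # 2. Bind to the local account via the WinNT provider.
    $path = "WinNT://$env:COMPUTERNAME/$UserName,user"
    if (-not [System.DirectoryServices.DirectoryEntry]::Exists($path)) {
        Write-Error "Local account '$UserName' not found on $env:COMPUTERNAME."
        return
    }
    $acct = [ADSI]$path

    # AccountDisabled is the "Account is disabled" checkbox in lusrmgr.msc;
    # IsAccountLocked is the "Account is locked out" checkbox. They are
    # independent: a lockout never sets the disabled flag.
    $isDisabled = [bool]$acct.Properties['AccountDisabled'].Value
    $isLocked   = [bool]$acct.InvokeGet('IsAccountLocked')

    [pscustomobject]@{
        Account         = $UserName
        AccountDisabled = $isDisabled
        AccountLocked   = $isLocked
    } | Format-List

    # 3. Clearing a lockout means resetting the lockout flag, which is what
    #    unchecking "Account is locked out" does. Unchecking "Account is
    #    disabled" on an account that is merely locked out changes nothing.
    if ($isLocked) {
        $acct.InvokeSet('IsAccountLocked', $false)
        $acct.CommitChanges()
        Write-Host "Lockout cleared for $UserName."
    } elseif ($isDisabled) {
        Write-Host "$UserName is disabled, not locked out; a lockout policy did not do this."
    } else {
        Write-Host "$UserName is neither disabled nor locked out (the duration may already have expired)."
    }
    ```

    `net user $UserName` shows the same state as "Account active Locked" when
    the lockout is in force. For a domain account the lockout is held on the
    domain controller, so this local query will not see it.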
  • From VanguardLH@3:633/280.2 to All on Sun Apr 21 07:21:39 2024
    Keywords: VanguardLH,VLH

    T <T@invalid.invalid> wrote:

    One of my major complaints about Windows 10+ is the "one off"
    problems, where only one computer in the entire world
    has a particular issue. I wonder if I have come across
    my first "two off" problem.

    The Home editions are betaware. Microsoft stopped maintaining labs with
    tons of scenarios to try testing the most common user setups, about the
    time they fired a ton of programmers. Microsoft uses Home users as
    though they were beta testers.

    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: Usenet Elder (3:633/280.2@fidonet)
  • From VanguardLH@3:633/280.2 to All on Sun Apr 21 07:56:48 2024
    Keywords: VanguardLH,VLH

    Wang Yu <T@invalid.invalid> wrote:

    Path: ...!paganini.bofh.team!not-for-mail
    User-Agent: Eternal September v2024

    No such client. Poster lied.

    Content-Language: cn

    Why specify Chinese when the content is ASCII?

    Chinese made battery powered vibrators are getting better.
    ....
    Lorem ipsum dolor sit amet, consectetur adipiscing elit. Proin mollis
    <data block attempting to avoid anti-spam filters using a hash>


    An example why free access (no account registration) is a bad idea at
    BOFH Paganini. No way to use Paganini's headers to determine if a
    poster used free access (unregistered) or an account there (registered).
    Google Groupers are migrating to Paganini, including trolls, puerile
    types, malcontents, nymshifters, and uber-boobs. A lot of trash would be
    avoided if Paganini dropped their free (unregistered) access to require
    account login (registered). There's no privacy issue when registering
    for an account, just something to lose by violating their TOS.

    No idea if the posting-account="9dIQLXBM7WM9KzA+yjdR4A" string arg in
    Paganini's Injection-Info header identifies free access, or the actual
    account through which a post got submitted. For all the Paganini
    submissions that I've found, they all have:

    Injection-Info: ...; posting-account="9dIQLXBM7WM9KzA+yjdR4A";

    So, that won't help to differentiate between freeloaders using free
    access to Paganini, and those using an account to log in.

    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: Usenet Elder (3:633/280.2@fidonet)
  • From Carlos E.R.@3:633/280.2 to All on Tue Apr 23 23:31:44 2024
    On 2024-04-23 11:02, T wrote:
    On 4/19/24 19:00, T wrote:
    Hi All,

    W10-pro 22H2

    I have a customer with two machines. Both have the
    same issue

    If you goof the first attempt to logon, your account gets
    locked out for five minutes.

    ....

    Any Words of Wisdom?
    -T


    Figured it out.

    Everything was working as it was supposed to. The
    reason why the account kept getting locked out was
    due to a "Brute Force RDP attack". The attacker
    kept running up the failed login attempts in
    rapid succession.

    Gosh :-(


    Fortunately, the security provisions I
    had put in place held.

    Now that I know what was causing the issue, I
    blocked the attacker's multiple IP addresses
    at the network firewall.

    <editorial comment> OH HOLY [expletive deleted] !!!! </editorial comment>

    Thank you all for the help and tips!

    Expletive indeed.

    --
    Cheers, Carlos.


    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: ---:- FTN<->UseNet Gate -:--- (3:633/280.2@fidonet)
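    T's explanation above is that the lockouts were tripped by rapid failed
    RDP logons from several remote addresses, which were then blocked at the
    firewall. The following PowerShell is an added example, not anything T or
    the other posters ran, showing how a defender confirms that story from
    the workstation's own Security log before acting on it: it reads event
    4625 (failed logon) and 4740 (account locked out), pulls the source
    address, target user and logon type out of each event's XML, and groups
    the failures by source. It assumes an elevated session on the affected
    host with logon failure auditing enabled (the Windows default); `$Hours`
    is a placeholder and `$Threshold` mirrors the value of 10 from the thread.

    ```powershell
    # Added example: summarise failed logons by source address and list the
    # resulting lockouts, so the "brute-force RDP" diagnosis rests on evidence.
    param(
        [int]$Hours = 24,       # placeholder look-back window
        [int]$Threshold = 10    # the thread's "Account lockout threshold"
    )

    $since = (Get-Date).AddHours(-$Hours)

    # Flatten an event's <EventData><Data Name="..."> elements into a hashtable.
    function ConvertFrom-EventData {
        param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
        $x = [xml]$Event.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        return $d
    }

    # 4625 = failed logon. Logon type 10 is RemoteInteractive (classic RDP);
    # with Network Level Authentication enabled, RDP failures show as type 3.
    $failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time      = $_.TimeCreated
                User      = $d['TargetUserName']
                LogonType = $d['LogonType']
                SourceIP  = $d['IpAddress']
            }
        }

    if (-not $failed) {
        Write-Host "No 4625 events in the last $Hours hours."
        return
    }

    # A few addresses with counts far above the threshold, across many user
    # names, in a short span is the password-guessing signature; one address
    # with a handful of failures against one user is a typo.
    Write-Host "== Failed logons by source address (last $Hours h) =="
    $failed | Group-Object SourceIP | Sort-Object Count -Descending |
        ForEach-Object {
            $times = $_.Group.Time | Sort-Object
            [pscustomobject]@{
                SourceIP      = $_.Name
                Failures      = $_.Count
                OverThreshold = ($_.Count -ge $Threshold)
                Users         = ($_.Group.User | Sort-Object -Unique) -join ','
                LogonTypes    = ($_.Group.LogonType | Sort-Object -Unique) -join ','
                FirstSeen     = $times[0]
                LastSeen      = $times[-1]
            }
        } | Format-Table -AutoSize

    # 4740 = account locked out. For a local account it is logged here; its
    # TargetDomainName field carries the caller computer name.
    Write-Host "== Lockouts triggered (4740) =="
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4740; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $d = ConvertFrom-EventData $_
            [pscustomobject]@{
                Time           = $_.TimeCreated
                LockedAccount  = $d['TargetUserName']
                CallerComputer = $d['TargetDomainName']
            }
        } | Format-Table -AutoSize
    ```

    The source-address table is what justifies a firewall block: the
    addresses with `OverThreshold` true and `LastSeen` close to the lockout
    times are the ones worth denying, and the same table run again afterwards
    shows whether the block held.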
  • From VanguardLH@3:633/280.2 to All on Wed Apr 24 04:00:21 2024
    Keywords: VanguardLH,VLH

    T <T@invalid.invalid> wrote:

    On 4/19/24 19:00, T wrote:
    Hi All,

    W10-pro 22H2

    I have a customer with two machines. Both have the
    same issue

    If you goof the first attempt to logon, your account gets
    locked out for five minutes.

    Password and attempts are set as follows:

    <win><r> secpol.msc
      --> Security Settings (very top of the left pane)
        --> Account Policies (left pane)
          --> Account Lockout Policy (left pane)
            --> Adjust the following (you have to set the threshold first):
                 x  Account lockout threshold  (middle one)   (10)
                 x  Account lockout duration                   (5)
                 x  Reset account lockout counter after        (5)
    https://imgur.com/JBWWAuw.png

    The normal way to unlock an account before the wait period
    expires is
        --> logon as Administrator
          --> <win><R> lusrmgr.msc
            --> users
              --> select user
                --> uncheck "Account is disabled"

    Problem: the account is not disabled (lusrmgr.msc):
    https://imgur.com/2rxTBQo.png

    <editorial comment> AAAAAAHHHHHH!!!!!!</editorial comment>

    Any Words of Wisdom?
    -T

    Figured it out.

    Everything was working as it was supposed to. The
    reason why the account kept getting locked out was
    due to a "Brute Force RDP attack". The attacker
    kept running up the failed log in attempts in
    rapid succession.

    Fortunately, the security provisions I
    had put in place held.

    Now that I know what was causing the issue, I
    blocked the attacker's multiple IP addresses
    at the network firewall.

    <editorial comment> OH HOLY [expletive deleted] !!!! </editorial comment>

    Thank you all for the help and tips!

    -T

    Wouldn't RDP'ing from the outside to a host on the inside of a firewall
    mean there was a hole punched in the firewall (a rule) to allow those
    externally sourced RDP requests?

    https://finerdp.com/blog/how_to_enable_rdp_in_Windows_10

    If an intranet host is exposed to externally-instigated connections, why
    isn't this host in a DMZ?

    Why was the problematic host running an RDP server? I thought this was
    for a workstation since some user was on the host using it as their
    workstation. Now it's a server? If a server, what is a user doing
    putzing around on the server host?

    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: Usenet Elder (3:633/280.2@fidonet)
  • From Graham J@3:633/280.2 to All on Wed Apr 24 17:19:30 2024
    T wrote:

    [snip]

    Wouldn't RDP'ing from the outside to a host on the inside of a firewall
    mean there was a hole punched in the firewall (a rule) to allow those
    externally sourced RDP requests?

    This is true. You have to do a port forward and allow an
    unestablished connection for that port. It helps narrow
    the rule down if you know from what network and mask they
    are coming from, but that kills the ability to do roaming.

    A much better option would be to configure the router to accept incoming
    VPN connections. You will have to use a router (e.g. Draytek) that has
    VPN capability. That way the remote user establishes the VPN connection
    to the router using whatever mechanism is appropriate to allow roaming;
    and is then able to RDP to any or all of the machines on the LAN.

    When I ran a computer support business I used this mechanism to support
    my customers. It is made much easier if the customers have static
    public IP addresses; I also have a static IP address.

    Why was the problematic host running an RDP server?

    Customer needs remote access to those two computers.

    There is now a different way to achieve access to your files, which is
    to use Microsoft OneDrive. In effect, you store all your files in the
    "cloud" in the storage that M$ sells you, and these files are accessible
    from anywhere that has an internet connection given that you log in with
    a Microsoft Account.

    If you are happy with this M$ environment it does work for the employees
    within a small business, who are then able to access company documents
    from, for example, a customer site.

    It does fail if the employee wishes to run some proprietary software for
    which there are only sufficient licenses to support the two machines at
    head office. In this case RDP to those machines would work better, but
    of course it denies use to staff at head office for the duration of the
    remote connection.

    Given that you are running a business that tries to support customers,
    do you think you should be better informed about how to support those
    customers? It worries me that you appear to be putting those customers
    at risk. Clearly they don't have expert knowledge - they come to you!



    --
    Graham J

    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: A noiseless patient Spider (3:633/280.2@fidonet)
  • From VanguardLH@3:633/280.2 to All on Wed Apr 24 17:38:10 2024
    Keywords: VanguardLH,VLH

    Graham J <nobody@nowhere.co.uk> wrote:

    It does fail if the employee wishes to run some proprietary software for
    which there are only sufficient licenses to support the two machines at
    head office. In this case RDP to those machines would work better, but
    of course it denies use to staff at head office for the duration of the
    remote connection.

    We had a Windows host used as an RDP server that allowed 2 concurrent
    user sessions. Alas, too many times users would leave their computers
    with the RDP session left active which consumed a connection. Only took
    2 users to fuck up everyone else wanting to connect. I found out there
    is an admin session you can use to kill those user connects.

    https://v2cloud.com/tutorials/mstsc-admin

    Only took a couple complaints to the managers to get their employees to
    stop abusing the RDP connections by leaving them active when they left
    their computer for any reason (bathroom break, lunch, meeting, leave
    work). One user just couldn't remember to logoff when he left, so we
    firewalled him out. Forgetfulness was not an excuse.

    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: Usenet Elder (3:633/280.2@fidonet)
  • From Graham J@3:633/280.2 to All on Thu Apr 25 17:36:41 2024
    Char Jackson wrote:

    [snip]

    Why was the problematic host running an RDP server?

    Customer needs remote access to those two computers.

    There is now a different way to achieve access to your files, which is
    to use Microsoft OneDrive.

    If he's supporting remote users, he'll likely need access to the PCs
    themselves, not just access to a few selected files.

    No, you've misunderstood. The OP (named T I think) is trying to support
    his customers. So he might well need access to those PCs.

    But T's customer requires remote access to files. So I presume that T's
    customer is a small business of some sort. The suggestion that I'm
    making is that T's customer should use OneDrive thereby avoiding all the
    difficulties with RDP and security.

    Given that you are running a business that tries to support customers,
    do you think you should be better informed about how to support those
    customers? It worries me that you appear to be putting those customers
    at risk. Clearly they don't have expert knowledge - they come to you!

    You may have to tread lightly there. I said much the same thing several
    years ago and he got offended.

    If the OP is not prepared to listen to advice and evaluate its
    credibility - entering into a dialogue where appropriate - then he's
    doomed anyway. All that happens is that he gives computer support
    businesses a bad name. So we have a duty to help him where we can.

    But we should be polite and not insult him, I agree.


    --
    Graham J

    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: A noiseless patient Spider (3:633/280.2@fidonet)
  • From VanguardLH@3:633/280.2 to All on Fri Apr 26 03:47:50 2024
    Keywords: VanguardLH,VLH

    Graham J <nobody@nowhere.co.uk> wrote:

    Char Jackson wrote:

    [snip]

    Why was the problematic host running an RDP server?

    Customer needs remote access to those two computers.

    There is now a different way to achieve access to your files, which is
    to use Microsoft OneDrive.

    If he's supporting remote users, he'll likely need access to the PCs
    themselves, not just access to a few selected files.

    No, you've misunderstood. The OP (named T I think) is trying to support
    his customers. So he might well need access to those PCs.

    But T's customer requires remote access to files. So I presume that T's
    customer is a small business of some sort. The suggestion that I'm
    making is that T's customer should use OneDrive thereby avoiding all the
    difficulties with RDP and security.

    Given that you are running a business that tries to support customers,
    do you think you should be better informed about how to support those
    customers? It worries me that you appear to be putting those customers
    at risk. Clearly they don't have expert knowledge - they come to you!

    You may have to tread lightly there. I said much the same thing several years
    ago and he got offended.

    If the OP is not prepared to listen to advice and evaluate its
    credibility - entering into a dialogue where appropriate - then he's
    doomed anyway. All that happens is that he gives computer support
    businesses a bad name. So we have a duty to help him where we can.

    But we should be polite and not insult him, I agree.

    Alas, T's customers have admin privs when logged into Windows, and want
    to use workstations as both end user computers and servers rather than
    dedicating each to a separate role. His customers can easily fuck up
    their computers which T has to repair, but his customers really don't
    have the expertise to be sysadmins. I'm pretty sure T does backups of
    his customers' computers to give him an escape route for recovery, but
    then his customers can be stingy, so he doesn't have the needed hardware
    resources, like more drives, an FTP server host (which is NOT used as a
    workstation), or some means of saving those backups out of reach of his
    customers.

    --- MBSE BBS v1.0.8.4 (Linux-x86_64)
    * Origin: Usenet Elder (3:633/280.2@fidonet)