Solved: Accounts created with Unity 2.4.X can have zero password length

pmaglinger · ‎03-20-2006

We believe that we have found something odd about accounts that were created when we were running Unity 2.4.X (we are running 4.0.(3) now). It seems that accounts that were created using 2.4.X do not obey the Windows global password policies that we have in place as far as zero password length. The Example Subscriber, Example Administrator, and an additional account that was created that way can all choose to have a zero Windows password length (blank password). I cannot find a way to correct this. Can someone provide a solution?

lindborg · ‎03-21-2006

Example Subscriber can be deleted without worry - not sure what the deal is with 4number there... not our deal.

I'd leave the example admin accounts alone - they can be removed but you do risk some issues - why not just apply a PW or, better, disable the accounts? This leaves them around just in case yet removes any possibility of a security issue with them.

If you really want to delete the EAdmin account, I'd do it through a recent version of Global Subscriber Manager - it'll help patch up references to it automatically when you delete it that way. Just make sure you have a valid subscriber in the unaddressed messages DL - this is often overlooked by folks in the field.

View solution in original post

lindborg · ‎03-20-2006

Not entirely sure what you're asking for here. You have a 2.x system that has 3 accounts that have 0 length NT passwords? Can't you just set passwords on them in the NT administrator? I'm not real sure what you're trying to do...

pmaglinger · ‎03-21-2006

Three accounts were created when we had Unity 2.X: Example Administrator, Example Subscriber, and 4numbers. These are the only 3 accounts in our domain that are capable of having a blank Windows password in defiance to our domain policy. The point of our auditors is that somebody could set the account to have a blank password and thereby create a security risk. I can't understand how these accounts can bypass the security policy. The properties in ADUC for these accounts look okay.

lindborg · ‎03-21-2006

With the info in front of me I can't really speculate. I'm guessing that when you had 2.x installed it was with NT and Ex55 and these accounts flew under the radar after upgrading along the way and the auditors are not checking them. Unity isn't doing anything tricky here to somehow thwart your security - we ask NT/AD to create an account and pass the info in - if you try to have Unity create accounts with blank domain PWs or PWs which don't match your minimum hardening rules, AD will kick back and error and the user is not created - Unity has no way of "back dooring" an account or the like - we do it all on the up and up (we don't really have a choice). Once an account is created we cannot update their domain PWs at all - we can only change the first/last/display names and custom properties we extend the directory with - we don't touch anything else.

pmaglinger · ‎03-21-2006

Again, thanks for the reply.

What are the repercussions of deleting and recreating the accounts. I'm not worried so much about the 4number, but what about ExampleSubscriber, ExampleAdministrator, and there is a EAdmin308b56bf account that seems to have been created when we upgraded to our new 4.0.(3) server? I read somewhere that ExampleAdministrator is used by Unity as owner for accounts have that no owner. Would I recreate the account and use DBWalker to use the new account (or possibly use EAdmin308b56bf) as the default owner.

pmaglinger · ‎03-21-2006

Again, thanks for the reply.

What are the repercussions of deleting and recreating the accounts. I'm not worried so much about the 4number, but what about ExampleSubscriber, ExampleAdministrator, and there is a EAdmin308b56bf account that seems to have been created when we upgraded to our new 4.0.(3) server? I read somewhere that ExampleAdministrator is used by Unity as owner for accounts have that no owner. Would I recreate the account and use DBWalker to use the new account (or possibly use EAdmin308b56bf) as the default owner.

lindborg · ‎03-21-2006

Example Subscriber can be deleted without worry - not sure what the deal is with 4number there... not our deal.

I'd leave the example admin accounts alone - they can be removed but you do risk some issues - why not just apply a PW or, better, disable the accounts? This leaves them around just in case yet removes any possibility of a security issue with them.

If you really want to delete the EAdmin account, I'd do it through a recent version of Global Subscriber Manager - it'll help patch up references to it automatically when you delete it that way. Just make sure you have a valid subscriber in the unaddressed messages DL - this is often overlooked by folks in the field.

pmaglinger · ‎03-22-2006

4numbers was one we created via Unity. We had the accounts disabled, but the auditor was still griping about the blank password potential (I know... I know... but I still had to check it out). I appreciate your time and by the way, getting ready to upgrade to 4.2 and from what I read it looks good. Keep up the good work.