Re: Error 1721, weak password

[PA Bear [MS MVP]]

[[Forwarded to MBSA- and Windows Server-specific newsgroups via crosspost.]]

Shawn Martin wrote:
> I keep getting Error 1721 for local accounts I have on 2008 server
> (64-bit).
> I'm running the MBSA under a domain account that is an administrator of
> the
> server.
>
> The local account that keeps getting flagged by MBSA has a password of
> Wh$v9Jx^=b
>
> so I have no clue as to why it thinks that is a weak password. Any
> suggestions?

 

[Andrew Morton]

PA Bear [MS MVP] wrote:
> [[Forwarded to MBSA- and Windows Server-specific newsgroups via
> crosspost.]]
> Shawn Martin wrote:
>> I keep getting Error 1721 for local accounts I have on 2008 server
>> (64-bit).
>> I'm running the MBSA under a domain account that is an administrator
>> of the
>> server.
>>
>> The local account that keeps getting flagged by MBSA has a password
>> of Wh$v9Jx^=b
>>
>> so I have no clue as to why it thinks that is a weak password. Any
>> suggestions?

Too short?

Andrew

 

[Shawn Martin]

The policy is set for an 8 character minimum.

"Andrew Morton" wrote:

> PA Bear [MS MVP] wrote:
> > [[Forwarded to MBSA- and Windows Server-specific newsgroups via
> > crosspost.]]
> > Shawn Martin wrote:
> >> I keep getting Error 1721 for local accounts I have on 2008 server
> >> (64-bit).
> >> I'm running the MBSA under a domain account that is an administrator
> >> of the
> >> server.
> >>
> >> The local account that keeps getting flagged by MBSA has a password
> >> of Wh$v9Jx^=b
> >>
> >> so I have no clue as to why it thinks that is a weak password. Any
> >> suggestions?
>
> Too short?
>
> Andrew
>
>
>

 

[FromTheRafters]

It says it is strong here:

http://www.microsoft.com/protect/yourself/...rd/checker.mspx

"Shawn Martin" wrote in message
news:32E850DF-F6A2-4A9C-AB79-A131A823F997@microsoft.com...
> The policy is set for an 8 character minimum.
>
> "Andrew Morton" wrote:
>
>> PA Bear [MS MVP] wrote:
>> > [[Forwarded to MBSA- and Windows Server-specific newsgroups via
>> > crosspost.]]
>> > Shawn Martin wrote:
>> >> I keep getting Error 1721 for local accounts I have on 2008 server
>> >> (64-bit).
>> >> I'm running the MBSA under a domain account that is an
>> >> administrator
>> >> of the
>> >> server.
>> >>
>> >> The local account that keeps getting flagged by MBSA has a
>> >> password
>> >> of Wh$v9Jx^=b
>> >>
>> >> so I have no clue as to why it thinks that is a weak password. Any
>> >> suggestions?
>>
>> Too short?
>>
>> Andrew
>>
>>
>>

 

[Shawn Martin]

Thanks. I'm not too concerned with the password, as I know it is relatively
strong. What I'm trying to diagnose, is why MBSA is giving the error, and how
I can correct it?

"FromTheRafters" wrote:

> It says it is strong here:
>
> http://www.microsoft.com/protect/yourself/...rd/checker.mspx
>
> "Shawn Martin" wrote in message
> news:32E850DF-F6A2-4A9C-AB79-A131A823F997@microsoft.com...
> > The policy is set for an 8 character minimum.
> >
> > "Andrew Morton" wrote:
> >
> >> PA Bear [MS MVP] wrote:
> >> > [[Forwarded to MBSA- and Windows Server-specific newsgroups via
> >> > crosspost.]]
> >> > Shawn Martin wrote:
> >> >> I keep getting Error 1721 for local accounts I have on 2008 server
> >> >> (64-bit).
> >> >> I'm running the MBSA under a domain account that is an
> >> >> administrator
> >> >> of the
> >> >> server.
> >> >>
> >> >> The local account that keeps getting flagged by MBSA has a
> >> >> password
> >> >> of Wh$v9Jx^=b
> >> >>
> >> >> so I have no clue as to why it thinks that is a weak password. Any
> >> >> suggestions?
> >>
> >> Too short?
> >>
> >> Andrew
> >>
> >>
> >>
>
>
>

 

[FromTheRafters]

All of your "special characters" are from the same row. Only one number
appears. It is still too short.

Maybe a simple change like adding an additional number or special
character will suffice?

"Shawn Martin" wrote in message
news:1A4DD217-6FB6-4622-978C-58216D1B894D@microsoft.com...
> Thanks. I'm not too concerned with the password, as I know it is
> relatively
> strong. What I'm trying to diagnose, is why MBSA is giving the error,
> and how
> I can correct it?
>
> "FromTheRafters" wrote:
>
>> It says it is strong here:
>>
>> http://www.microsoft.com/protect/yourself/...rd/checker.mspx
>>
>> "Shawn Martin" wrote in
>> message
>> news:32E850DF-F6A2-4A9C-AB79-A131A823F997@microsoft.com...
>> > The policy is set for an 8 character minimum.
>> >
>> > "Andrew Morton" wrote:
>> >
>> >> PA Bear [MS MVP] wrote:
>> >> > [[Forwarded to MBSA- and Windows Server-specific newsgroups via
>> >> > crosspost.]]
>> >> > Shawn Martin wrote:
>> >> >> I keep getting Error 1721 for local accounts I have on 2008
>> >> >> server
>> >> >> (64-bit).
>> >> >> I'm running the MBSA under a domain account that is an
>> >> >> administrator
>> >> >> of the
>> >> >> server.
>> >> >>
>> >> >> The local account that keeps getting flagged by MBSA has a
>> >> >> password
>> >> >> of Wh$v9Jx^=b
>> >> >>
>> >> >> so I have no clue as to why it thinks that is a weak password.
>> >> >> Any
>> >> >> suggestions?
>> >>
>> >> Too short?
>> >>
>> >> Andrew
>> >>
>> >>
>> >>
>>
>>
>>

 

[Shawn Martin]

Changed the password to: Wh$v9Jx^=b1? and MBSA is still reporting Error 1721,
Weak Password for that account.

"FromTheRafters" wrote:

> All of your "special characters" are from the same row. Only one number
> appears. It is still too short.
>
> Maybe a simple change like adding an additional number or special
> character will suffice?
>
> "Shawn Martin" wrote in message
> news:1A4DD217-6FB6-4622-978C-58216D1B894D@microsoft.com...
> > Thanks. I'm not too concerned with the password, as I know it is
> > relatively
> > strong. What I'm trying to diagnose, is why MBSA is giving the error,
> > and how
> > I can correct it?
> >
> > "FromTheRafters" wrote:
> >
> >> It says it is strong here:
> >>
> >> http://www.microsoft.com/protect/yourself/...rd/checker.mspx
> >>
> >> "Shawn Martin" wrote in
> >> message
> >> news:32E850DF-F6A2-4A9C-AB79-A131A823F997@microsoft.com...
> >> > The policy is set for an 8 character minimum.
> >> >
> >> > "Andrew Morton" wrote:
> >> >
> >> >> PA Bear [MS MVP] wrote:
> >> >> > [[Forwarded to MBSA- and Windows Server-specific newsgroups via
> >> >> > crosspost.]]
> >> >> > Shawn Martin wrote:
> >> >> >> I keep getting Error 1721 for local accounts I have on 2008
> >> >> >> server
> >> >> >> (64-bit).
> >> >> >> I'm running the MBSA under a domain account that is an
> >> >> >> administrator
> >> >> >> of the
> >> >> >> server.
> >> >> >>
> >> >> >> The local account that keeps getting flagged by MBSA has a
> >> >> >> password
> >> >> >> of Wh$v9Jx^=b
> >> >> >>
> >> >> >> so I have no clue as to why it thinks that is a weak password.
> >> >> >> Any
> >> >> >> suggestions?
> >> >>
> >> >> Too short?
> >> >>
> >> >> Andrew
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>

 

[FromTheRafters]

Maybe MBSA is corrupted. try a fresh copy.

"Shawn Martin" wrote in message
news:541627D3-B37E-4298-9FD9-2353B42E8656@microsoft.com...
> Changed the password to: Wh$v9Jx^=b1? and MBSA is still reporting
> Error 1721,
> Weak Password for that account.
>
> "FromTheRafters" wrote:
>
>> All of your "special characters" are from the same row. Only one
>> number
>> appears. It is still too short.
>>
>> Maybe a simple change like adding an additional number or special
>> character will suffice?
>>
>> "Shawn Martin" wrote in
>> message
>> news:1A4DD217-6FB6-4622-978C-58216D1B894D@microsoft.com...
>> > Thanks. I'm not too concerned with the password, as I know it is
>> > relatively
>> > strong. What I'm trying to diagnose, is why MBSA is giving the
>> > error,
>> > and how
>> > I can correct it?
>> >
>> > "FromTheRafters" wrote:
>> >
>> >> It says it is strong here:
>> >>
>> >> http://www.microsoft.com/protect/yourself/...rd/checker.mspx
>> >>
>> >> "Shawn Martin" wrote in
>> >> message
>> >> news:32E850DF-F6A2-4A9C-AB79-A131A823F997@microsoft.com...
>> >> > The policy is set for an 8 character minimum.
>> >> >
>> >> > "Andrew Morton" wrote:
>> >> >
>> >> >> PA Bear [MS MVP] wrote:
>> >> >> > [[Forwarded to MBSA- and Windows Server-specific newsgroups
>> >> >> > via
>> >> >> > crosspost.]]
>> >> >> > Shawn Martin wrote:
>> >> >> >> I keep getting Error 1721 for local accounts I have on 2008
>> >> >> >> server
>> >> >> >> (64-bit).
>> >> >> >> I'm running the MBSA under a domain account that is an
>> >> >> >> administrator
>> >> >> >> of the
>> >> >> >> server.
>> >> >> >>
>> >> >> >> The local account that keeps getting flagged by MBSA has a
>> >> >> >> password
>> >> >> >> of Wh$v9Jx^=b
>> >> >> >>
>> >> >> >> so I have no clue as to why it thinks that is a weak
>> >> >> >> password.
>> >> >> >> Any
>> >> >> >> suggestions?
>> >> >>
>> >> >> Too short?
>> >> >>
>> >> >> Andrew
>> >> >>
>> >> >>
>> >> >>
>> >>
>> >>
>> >>
>>
>>
>>

 

[Shawn Martin]

Happening on multiple servers.

"FromTheRafters" wrote:

> Maybe MBSA is corrupted. try a fresh copy.
>
> "Shawn Martin" wrote in message
> news:541627D3-B37E-4298-9FD9-2353B42E8656@microsoft.com...
> > Changed the password to: Wh$v9Jx^=b1? and MBSA is still reporting
> > Error 1721,
> > Weak Password for that account.
> >
> > "FromTheRafters" wrote:
> >
> >> All of your "special characters" are from the same row. Only one
> >> number
> >> appears. It is still too short.
> >>
> >> Maybe a simple change like adding an additional number or special
> >> character will suffice?
> >>
> >> "Shawn Martin" wrote in
> >> message
> >> news:1A4DD217-6FB6-4622-978C-58216D1B894D@microsoft.com...
> >> > Thanks. I'm not too concerned with the password, as I know it is
> >> > relatively
> >> > strong. What I'm trying to diagnose, is why MBSA is giving the
> >> > error,
> >> > and how
> >> > I can correct it?
> >> >
> >> > "FromTheRafters" wrote:
> >> >
> >> >> It says it is strong here:
> >> >>
> >> >> http://www.microsoft.com/protect/yourself/...rd/checker.mspx
> >> >>
> >> >> "Shawn Martin" wrote in
> >> >> message
> >> >> news:32E850DF-F6A2-4A9C-AB79-A131A823F997@microsoft.com...
> >> >> > The policy is set for an 8 character minimum.
> >> >> >
> >> >> > "Andrew Morton" wrote:
> >> >> >
> >> >> >> PA Bear [MS MVP] wrote:
> >> >> >> > [[Forwarded to MBSA- and Windows Server-specific newsgroups
> >> >> >> > via
> >> >> >> > crosspost.]]
> >> >> >> > Shawn Martin wrote:
> >> >> >> >> I keep getting Error 1721 for local accounts I have on 2008
> >> >> >> >> server
> >> >> >> >> (64-bit).
> >> >> >> >> I'm running the MBSA under a domain account that is an
> >> >> >> >> administrator
> >> >> >> >> of the
> >> >> >> >> server.
> >> >> >> >>
> >> >> >> >> The local account that keeps getting flagged by MBSA has a
> >> >> >> >> password
> >> >> >> >> of Wh$v9Jx^=b
> >> >> >> >>
> >> >> >> >> so I have no clue as to why it thinks that is a weak
> >> >> >> >> password.
> >> >> >> >> Any
> >> >> >> >> suggestions?
> >> >> >>
> >> >> >> Too short?
> >> >> >>
> >> >> >> Andrew
> >> >> >>
> >> >> >>
> >> >> >>
> >> >>
> >> >>
> >> >>
> >>
> >>
> >>
>
>
>

 

[1PW]

Shawn Martin wrote:
> Happening on multiple servers.

If MBSA, and/or its dependencies, had been loaded into all local
servers from the same local and corrupted source, that could be the
answer.

Warm regards and good luck,

Pete
--
1PW @?6A62?FEH9E=6o2@=]4@> [r4o7t]

 

[Shawn Martin]

MBSA was downloaded and installed directly from the Microsoft Download Center
onto each server, on separate days. The download was a direct download that
didn't go through a proxy server and anti-virus was disabled on the servers
when installing.

Any other suggestions?

"1PW" wrote:

> Shawn Martin wrote:
> > Happening on multiple servers.
>
> If MBSA, and/or its dependencies, had been loaded into all local
> servers from the same local and corrupted source, that could be the
> answer.
>
> Warm regards and good luck,
>
> Pete
> --
> 1PW @?6A62?FEH9E=6o2@=]4@> [r4o7t]
>

 

[FromTheRafters]

"Shawn Martin" wrote in message
news:69F55844-E506-49D4-9B13-19813E7DB59C@microsoft.com...
> MBSA was downloaded and installed directly from the Microsoft Download
> Center
> onto each server, on separate days. The download was a direct download
> that
> didn't go through a proxy server and anti-virus was disabled on the
> servers
> when installing.
>
> Any other suggestions?

Sorry, fresh out.

There may be some additional clues here, but I can't say for sure.

http://technet.microsoft.com/en-us/library/cc875814.aspx

 

[1PW]

Shawn Martin wrote:
> MBSA was downloaded and installed directly from the Microsoft Download Center
> onto each server, on separate days. The download was a direct download that
> didn't go through a proxy server and anti-virus was disabled on the servers
> when installing.
>
> Any other suggestions?

Hello Shawn:

Do you ever remember this MBSA 2.1 version working OK in your shop?

If so, I'm wondering if a subsequent MS update has broken something?

Do you regularly run MBSA on a scheduled basis, or is it run on
special occasions?

Although "FTR" suggests a linkage to password strength, I'm guessing a
zero-length password is being mistakenly passed to MBSA for
evaluation, if indeed MBSA itself does the evaluation. But hey - I'm
just pulling this out of the air.

Warm regards Shawn,

Pete
--
1PW @?6A62?FEH9E=6o2@=]4@> [r4o7t]

 

[Shawn Martin]

MBSA was installed on a few different 2008 servers. Some had been up and
running for a few months, others were just installed this week.

On every server, I didn't have a previous version of MBSA installed.

The network team here wanted server administrators to run MBSA on
applications to ensure things like passwords are strong. The tools runs fine
on the 2003 servers, but throws the weak password error on the 2008 boxes.

The issue is definitely odd, so I'll set up another 2008 server from scratch
and see if it still happens.

"1PW" wrote:

> Shawn Martin wrote:
> > MBSA was downloaded and installed directly from the Microsoft Download Center
> > onto each server, on separate days. The download was a direct download that
> > didn't go through a proxy server and anti-virus was disabled on the servers
> > when installing.
> >
> > Any other suggestions?
>
> Hello Shawn:
>
> Do you ever remember this MBSA 2.1 version working OK in your shop?
>
> If so, I'm wondering if a subsequent MS update has broken something?
>
> Do you regularly run MBSA on a scheduled basis, or is it run on
> special occasions?
>
> Although "FTR" suggests a linkage to password strength, I'm guessing a
> zero-length password is being mistakenly passed to MBSA for
> evaluation, if indeed MBSA itself does the evaluation. But hey - I'm
> just pulling this out of the air.
>
> Warm regards Shawn,
>
> Pete
> --
> 1PW @?6A62?FEH9E=6o2@=]4@> [r4o7t]
>

 

[Shawn Martin]

For anyone else that has this problem, it's a known issue with MBSA and
Server 2008.

**************************
I reviewed your files and have confirmed your issue to be the same as the
"known" issue. A Windows 2008 server fix will be announced when it is
released. No ETA is available.

While it is regrettable that in this instance we have been unable to provide
you with a requested solution at this time, we hope that your continued
partnership will allow us to work together through future challenges as they
may arise. As with each customer we work with, it is always our objective to
provide the very best supported software possible.

The case will be set to a decrement type of “non-decrement†and thus, will
NOT be charged against your Software Assurance agreement.

At this time, as there is no other escalation channel for this issue, I will
conclude this case today.

It was my pleasure working with you. Please let me know of any feedback
you would like to convey to us on your overall experience with Microsoft


ACTION:
=======
Customer is running MBSA.

RESULTS:
========
Customer is seeing "1721" errors on the MBSA scan results for weak passwords
when scanning on Win2008 machines.

CAUSE:
======
Design regression

RESOLUTION:
============
No workaround available at this time. Hotfix and/or SP to be released in
the future.
**************************



"Shawn Martin" wrote:

> MBSA was installed on a few different 2008 servers. Some had been up and
> running for a few months, others were just installed this week.
>
> On every server, I didn't have a previous version of MBSA installed.
>
> The network team here wanted server administrators to run MBSA on
> applications to ensure things like passwords are strong. The tools runs fine
> on the 2003 servers, but throws the weak password error on the 2008 boxes.
>
> The issue is definitely odd, so I'll set up another 2008 server from scratch
> and see if it still happens.
>
> "1PW" wrote:
>
> > Shawn Martin wrote:
> > > MBSA was downloaded and installed directly from the Microsoft Download Center
> > > onto each server, on separate days. The download was a direct download that
> > > didn't go through a proxy server and anti-virus was disabled on the servers
> > > when installing.
> > >
> > > Any other suggestions?
> >
> > Hello Shawn:
> >
> > Do you ever remember this MBSA 2.1 version working OK in your shop?
> >
> > If so, I'm wondering if a subsequent MS update has broken something?
> >
> > Do you regularly run MBSA on a scheduled basis, or is it run on
> > special occasions?
> >
> > Although "FTR" suggests a linkage to password strength, I'm guessing a
> > zero-length password is being mistakenly passed to MBSA for
> > evaluation, if indeed MBSA itself does the evaluation. But hey - I'm
> > just pulling this out of the air.
> >
> > Warm regards Shawn,
> >
> > Pete
> > --
> > 1PW @?6A62?FEH9E=6o2@=]4@> [r4o7t]
> >

 

[1PW]

Shawn Martin wrote:
> For anyone else that has this problem, it's a known issue with MBSA and
> Server 2008.
>
> **************************
> I reviewed your files and have confirmed your issue to be the same as the
> "known" issue. A Windows 2008 server fix will be announced when it is
> released. No ETA is available.
>
> While it is regrettable that in this instance we have been unable to provide
> you with a requested solution at this time, we hope that your continued
> partnership will allow us to work together through future challenges as they
> may arise. As with each customer we work with, it is always our objective to
> provide the very best supported software possible.
>
> The case will be set to a decrement type of “non-decrement†and thus, will
> NOT be charged against your Software Assurance agreement.
>
> At this time, as there is no other escalation channel for this issue, I will
> conclude this case today.
>
> It was my pleasure working with you. Please let me know of any feedback
> you would like to convey to us on your overall experience with Microsoft
>
>
> ACTION:
> =======
> Customer is running MBSA.
>
> RESULTS:
> ========
> Customer is seeing "1721" errors on the MBSA scan results for weak passwords
> when scanning on Win2008 machines.
>
> CAUSE:
> ======
> Design regression
>
> RESOLUTION:
> ============
> No workaround available at this time. Hotfix and/or SP to be released in
> the future.
> **************************
>
>
>
> "Shawn Martin" wrote:
>
>> MBSA was installed on a few different 2008 servers. Some had been up and
>> running for a few months, others were just installed this week.
>>
>> On every server, I didn't have a previous version of MBSA installed.
>>
>> The network team here wanted server administrators to run MBSA on
>> applications to ensure things like passwords are strong. The tools runs fine
>> on the 2003 servers, but throws the weak password error on the 2008 boxes.
>>
>> The issue is definitely odd, so I'll set up another 2008 server from scratch
>> and see if it still happens.
>>
>> "1PW" wrote:
>>
>>> Shawn Martin wrote:
>>>> MBSA was downloaded and installed directly from the Microsoft Download Center
>>>> onto each server, on separate days. The download was a direct download that
>>>> didn't go through a proxy server and anti-virus was disabled on the servers
>>>> when installing.
>>>>
>>>> Any other suggestions?
>>> Hello Shawn:
>>>
>>> Do you ever remember this MBSA 2.1 version working OK in your shop?
>>>
>>> If so, I'm wondering if a subsequent MS update has broken something?
>>>
>>> Do you regularly run MBSA on a scheduled basis, or is it run on
>>> special occasions?
>>>
>>> Although "FTR" suggests a linkage to password strength, I'm guessing a
>>> zero-length password is being mistakenly passed to MBSA for
>>> evaluation, if indeed MBSA itself does the evaluation. But hey - I'm
>>> just pulling this out of the air.
>>>
>>> Warm regards Shawn,
>>>
>>> Pete
>>> --
>>> 1PW @?6A62?FEH9E=6o2@=]4@> [r4o7t]
>>>

Well done Shawn.

Pete
--
1PW @?6A62?FEH9E=6o2@=]4@> [r4o7t]

 

[FromTheRafters]

Thank you for passing this information on to us.

"Shawn Martin" wrote in message
news:7F637276-4615-4F01-A61C-03DD9560F967@microsoft.com...
> For anyone else that has this problem, it's a known issue with MBSA
> and
> Server 2008.
>
> **************************
> I reviewed your files and have confirmed your issue to be the same as
> the
> "known" issue. A Windows 2008 server fix will be announced when it
> is
> released. No ETA is available.
>
> While it is regrettable that in this instance we have been unable to
> provide
> you with a requested solution at this time, we hope that your
> continued
> partnership will allow us to work together through future challenges
> as they
> may arise. As with each customer we work with, it is always our
> objective to
> provide the very best supported software possible.
>
> The case will be set to a decrement type of "non-decrement" and thus,
> will
> NOT be charged against your Software Assurance agreement.
>
> At this time, as there is no other escalation channel for this issue,
> I will
> conclude this case today.
>
> It was my pleasure working with you. Please let me know of any
> feedback
> you would like to convey to us on your overall experience with
> Microsoft
>
>
> ACTION:
> =======
> Customer is running MBSA.
>
> RESULTS:
> ========
> Customer is seeing "1721" errors on the MBSA scan results for weak
> passwords
> when scanning on Win2008 machines.
>
> CAUSE:
> ======
> Design regression
>
> RESOLUTION:
> ============
> No workaround available at this time. Hotfix and/or SP to be released
> in
> the future.
> **************************
>
>
>
> "Shawn Martin" wrote:
>
>> MBSA was installed on a few different 2008 servers. Some had been up
>> and
>> running for a few months, others were just installed this week.
>>
>> On every server, I didn't have a previous version of MBSA installed.
>>
>> The network team here wanted server administrators to run MBSA on
>> applications to ensure things like passwords are strong. The tools
>> runs fine
>> on the 2003 servers, but throws the weak password error on the 2008
>> boxes.
>>
>> The issue is definitely odd, so I'll set up another 2008 server from
>> scratch
>> and see if it still happens.
>>
>> "1PW" wrote:
>>
>> > Shawn Martin wrote:
>> > > MBSA was downloaded and installed directly from the Microsoft
>> > > Download Center
>> > > onto each server, on separate days. The download was a direct
>> > > download that
>> > > didn't go through a proxy server and anti-virus was disabled on
>> > > the servers
>> > > when installing.
>> > >
>> > > Any other suggestions?
>> >
>> > Hello Shawn:
>> >
>> > Do you ever remember this MBSA 2.1 version working OK in your shop?
>> >
>> > If so, I'm wondering if a subsequent MS update has broken
>> > something?
>> >
>> > Do you regularly run MBSA on a scheduled basis, or is it run on
>> > special occasions?
>> >
>> > Although "FTR" suggests a linkage to password strength, I'm
>> > guessing a
>> > zero-length password is being mistakenly passed to MBSA for
>> > evaluation, if indeed MBSA itself does the evaluation. But hey -
>> > I'm
>> > just pulling this out of the air.
>> >
>> > Warm regards Shawn,
>> >
>> > Pete
>> > --
>> > 1PW @?6A62?FEH9E=6o2@=]4@> [r4o7t]
>> >

 

[Anteaus]

Then tell them that "pazword" is a much stronger password than
"768262ge%$^%$^%¬&^%&^*&^*ghjGUHTFhfHTRytRFyt^%$^!$"

Why? because the latter just has to be typed-in from a post-it attached to
the monitor.

Seriously, once passwords MUST contain gibberish, and must expire
frequently, the security of the system takes a nosedive for this reason.

The fundamental shortcoming in security design is that of allowing rapidfire
attempts at logon. With a delay of even a few seconds between attempts,
bruteforce methods become impractical. To improve your security, implement a
short lockout for repeated logon failures.

"Shawn Martin" wrote:

> The network team here wanted server administrators to run MBSA on
> applications to ensure things like passwords are strong. The tools runs fine
> on the 2003 servers, but throws the weak password error on the 2008 boxes.

 

[FromTheRafters]

That is a good point, but for those without the physical access to the
computer (and the post-it note) trying to log on remotely with thousands
of guesses per second - the longer and more complex the better.

Timeouts are indeed a good measure to increase difficulty (and,
unfortunately, helpdesk calls).

"Anteaus" wrote in message
news:B29C2546-C2C8-4348-A196-EEFF7B1754A4@microsoft.com...
>
> Then tell them that "pazword" is a much stronger password than
> "768262ge%$^%$^%¬&^%&^*&^*ghjGUHTFhfHTRytRFyt^%$^!$"
>
> Why? because the latter just has to be typed-in from a post-it
> attached to
> the monitor.
>
> Seriously, once passwords MUST contain gibberish, and must expire
> frequently, the security of the system takes a nosedive for this
> reason.
>
> The fundamental shortcoming in security design is that of allowing
> rapidfire
> attempts at logon. With a delay of even a few seconds between
> attempts,
> bruteforce methods become impractical. To improve your security,
> implement a
> short lockout for repeated logon failures.
>
> "Shawn Martin" wrote:
>
>> The network team here wanted server administrators to run MBSA on
>> applications to ensure things like passwords are strong. The tools
>> runs fine
>> on the 2003 servers, but throws the weak password error on the 2008
>> boxes.
>
>

 

[Doug Neal [MSFT]]

This was actually an issue with Windows. The well-documented API calls
didn't function correctly until Service Pack 2 of Windows Vista and Windows
Server 2008. If you still have this issue after upgrading to SP2, please
let me know.

Otherwise, this is unfortunately an expected issue since Windows isn't
responding correctly to MBSA's request.

--
--

Doug Neal [MSFT]
dugn@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.

If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following
link:
http://support.microsoft.com/default.aspx

This e-mail address does not receive e-mail, but is used for newsgroup
postings only.

"PA Bear [MS MVP]" wrote in message
news:ecY$GYhCKHA.4608@TK2MSFTNGP02.phx.gbl...
> [[Forwarded to MBSA- and Windows Server-specific newsgroups via
> crosspost.]]
>
> Shawn Martin wrote:
>> I keep getting Error 1721 for local accounts I have on 2008 server
>> (64-bit).
>> I'm running the MBSA under a domain account that is an administrator of
>> the
>> server.
>>
>> The local account that keeps getting flagged by MBSA has a password of
>> Wh$v9Jx^=b
>>
>> so I have no clue as to why it thinks that is a weak password. Any
>> suggestions?
>