Tutorial: How to bypass the strong password requirements for WHS remote users.

Question

  • The default password policy requires 7+3 of 4.

    To lower the password requirements for non-admin/remote users:
    Windows Home Server Console - Settings - Passwords
    Then move the slider to Medium. (for example)

    We'll assume for the purposes of the tutorial that you've already added a user named "sme" with a medium strength password, who has no remote access, via the WHS console.

    I've found 3 different ways to enable remote access for users with less than "strong" passwords. Each way has implications, which we can discuss. Since WHS is not released, none of these workarounds may work in RTM or later.

    1) Adding the "user" to the administrators and remote groups. (don't use this option for non-admin users)
    RDP to the WHS desktop and navigate:
    Start - Settings - Control Panel - Administrative Tools - Computer Management
    Local Users and Groups - Users
    Right click "sme" and select Properties
    Click on the Member Of tab and click Add then click on Advanced and then click on Find Now.
    Select Administrators and Remote Desktop Users then click on OK, twice.


    2) Adding the "user" to only the remote group and changing the Local Security Policy. (this is how I'd do it)
    RDP to the WHS desktop and navigate:
    Start - Settings - Control Panel - Administrative Tools - Computer Management
    Local Users and Groups - Users
    Right click "sme" and select Properties
    Click on the Member Of tab and click Add then click on Advanced and then click on Find Now.
    Select Remote Desktop Users then click on OK, twice.

    Return to Administrative Tools and select Local Security Policy
    Navigate to Security Settings - Local Policies - User Rights Assignment
    In the right pane, select the Properties of Allow log on through Terminal Services
    Click on Add User or Group...then click on Advanced.
    Click on Object Types and check the box for Groups.
    Select Remote Desktop Users and click OK, three times.


    3) Adding a new user without using the WHS console (not suggested because it fails to create the proper shared user folder)
    RDP to the WHS desktop and navigate:
    Start - Settings - Control Panel - Administrative Tools - Computer Management
    Local Users and Groups - Users
    Click on Action - New User
    Add a User name ("ems" for this example) and any password you want and select the appropriate options.
    Click on the Member Of tab and click Add then click on Advanced and then click on Find Now.
    Select Remote Desktop Users then click on OK, twice.

    Return to Administrative Tools and select Local Security Policy
    Navigate to Security Settings - Local Policies - User Rights Assignment
    In the right pane, select the Properties of Allow log on through Terminal Services
    Click on Add User or Group...then click on Advanced.
    Click on Object Types and check the box for Groups.
    Select Remote Desktop Users and click OK, three times.


    There you have it, 3 ways to enable remote access, without using strong passwords. There was a "claim" that somebody knows how to change the strong password requirement for "Administrator" too, but I haven't found that one yet. ;-)

    Wednesday, June 20, 2007 1:02 AM

All replies

  • SME, does any of these methods give you remote access over the internet (livenode address) or intranet (http://server or https://server, if you left server name default) to your WHS webpage? I think all of these methods will only give access through remote desktop.

    My method is different, and it gives you access to the remote WHS webpage (and WHS console for admin user) using very weak passwords. I have to agree with you that with the WHS criteria for strong passwords you can still make fairly weak passwords, so it's questionable whether the current WHS strong pwd policy is meaningful.

    Since I am still reluctant to post it here I will post later this week an E-mail address in this topic where anyone interested can drop a message and I will then send the method. (I'll have to set up this E-mail address first since I don't want to use any of my regular E-mail addresses for obvious reasons, and I also want to set up an autoresponder).

    I have tested my methods in CTP only, since I'm still in the process of configuring / fine-tuning RC1 to fit my needs and moving back my data, however I am reasonably sure it will also work in RC1.

    Thursday, June 21, 2007 9:28 AM
    Moderator
  •  brubber wrote:

    SME, does any of these methods give you remote access over the internet (livenode address) or intranet (http://server or https://server, if you left server name default) to your WHS webpage? I think all of these methods will only give access through remote desktop.

    My method is different, and it gives you access to the remote WHS webpage (and WHS console for admin user) using very weak passwords. I have to agree with you that with the WHS criteria for strong passwords you can still make fairly weak passwords, so it's questionable whether the current WHS strong pwd policy is meaningful.

    Since I am still reluctant to post it here I will post later this week an E-mail address in this topic where anyone interested can drop a message and I will then send the method. (I'll have to set up this E-mail address first since I don't want to use any of my regular E-mail addresses for obvious reasons, and I also want to set up an autoresponder).

    I have tested my methods in CTP only, since I'm still in the process of configuring / fine-tuning RC1 to fit my needs and moving back my data, however I am reasonably sure it will also work in RC1.

    TBH, I don't know, I've never signed up for livenode nor configured web access.

    I was told by one of the WHS team: "If you find workarounds that work for you, then feel free to post them and share them." So, surely, that would apply to you as well. ;-)

    I'd be even more reluctant to bother with e-mail since it's OK to post the info here, according to one of the devs.

    Beta2 didn't even have the requirements... *shrug*

    Thursday, June 21, 2007 11:00 AM
  • SME, is the statement from the WHS team "official" or is it a personal message?

    I recall from one of your other topics that a WHS team member advised against posting it over here. However, if it's OK with the WHS team / MS I'll consider posting it here.

    The E-mail address would of course not be easy to harvest automatically; it would be temporary, contain an autoresponder only for requests with a specific subject and drop all other mail automatically. That would take some time to set up, so posting over here would be a lot more convenient.

    It would be nice if someone from the WHS team / MS could confirm in this topic that it's OK to post this type of info on this board.

    Thursday, June 21, 2007 11:28 AM
    Moderator
  • It was posted in the other PW thread (page 5), that we discussed this subject in, that's official enough for me.

    No, the first one wasn't a WHS team member, that was a forum moderator and that's why I waited until I heard from a WHS team member. You may want to check out comments again.

    E-mail is also superfluous, considering these are the right forums to discuss such things. That way, if MS doesn't like how we do things, they can fix the bugs or enable the features, as the case may be.

    That's why I asked for confirmation, in the other thread, before posting this one. :-D

    Thursday, June 21, 2007 6:27 PM
  •  SME wrote:
    It was posted in the other PW thread (page 5), that we discussed this subject in, that's official enough for me.

    No, the first one wasn't a WHS team member, that was a forum moderator and that's why I waited until I heard from a WHS team member. You may want to check out comments again.

    E-mail is also superfluous, considering these are the right forums to discuss such things. That way, if MS doesn't like how we do things, they can fix the bugs or enable the features, as the case may be.

    That's why I asked for confirmation, in the other thread, before posting this one.

    OK, that's good enough for me too.

    Please note

    - This is just to inform beta testers of an easy way to enable remote access for weak password users.

    - Personally I consider this a bug, and I hope the WHS team will fix this!

    - If you try to repeat this you may mess up your WHS install, risk losing data and so on.

    - Unless you implement compensating measures you will create a serious security risk, not only for yourself but also for others, especially if your machine is connected to the internet.

    - If you try to repeat this it will be completely at your own risk.

    - I shall not give any assistance in implementing this solution or fixing any problems that result from (an attempt) to implement this solution.

    Here is what I did:

    Go to WHS console, settings, choose the password setting you like, weak or medium.

    Go to user accounts and create a new user (no remote access).

    Get to the WHS box desktop using RDP (TS session) or just hook up keyboard/mouse/monitor.

    Run regedit, go to HKEY_LOCAL_MACHINE, Software, Microsoft, Windows Home Server, User Manager, Users.

    Select the user you just created, key PwdStrength; the hexadecimal value will read 1 or 2. Change this to 3.

    Go to WHS console, enable remote access for the newly created user with the weak password.

    Now you have a user with remote access but without admin rights, which is still reasonably secure.

    To give this user administrator rights and RDP access check out the thread starting post of SME above.

    Friday, June 22, 2007 1:15 AM
    Moderator
  • Interesting, you said you also had a way to use weaker passwords with the Administrator account?

    Friday, June 22, 2007 1:31 AM
  •  SME wrote:
    Interesting, you said you also had a way to use weaker passwords with the Administrator account?

    Yes, more than one, but that's not WHS specific, and I do not want to detail those, since they are even more risky. Since you obviously know your way around, the following should help you: One way to do this is to switch SIDs, however if you then want to change the password you will be forced to use the "strong policy" again. The other involves editing or deleting another specific reg key which you can find in HKEY_LOCAL_MACHINE, System, CurrentControlSet, Control, Lsa, and this will then permanently remove the policy unless you invoke it another way.

    Friday, June 22, 2007 6:43 AM
    Moderator
  • Again, interesting. For one, you know that I'll just post the info anyway, so being cryptic seems like a waste but it is your choice. :-D

    I was thinking about burning a boot cd with ntpasswd to change the password that way but I figured it would just be a temp fix. Since I don't change my Administrator passwd often, temp might be OK.

    As soon as I read LSA, I knew exactly which key it was, from previous searching. I edited mine instead of deleting because it's a multi-string key. After a reboot I was able to change the Administrator password to one without the restrictions. I have no idea what else, if anything, that affects.


    Instructions:
    START - RUN - regedit
    Navigate to:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
    Right click Notification Packages and select modify.
    Delete the last line "pwdfilter" and click on OK.
    Reboot

    I figured that would also remove the password requirement for all users but I was surprised that it didn't. So, you still have to make new users with weak passwords and no remote, then re-enable remote with one of, now, 4 methods. Unfortunately, if you edit the LSA key, new users don't get the PwdStrength key, that your remote method uses, so you have to use one of my methods or create the key manually and set it to 3. Then you can use the WHS console to enable remote.

    I hope some people test my methods, I'm curious if they work with web access. After I created a test user, I used my method which enabled remote, in the WHS console, I disabled and then re-enabled remote to see if it would trigger a passwd warning and it didn't so I think my methods will work too.

    Friday, June 22, 2007 7:55 AM
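An added audit example, not part of this thread and not WHS or Microsoft code: a read-only PowerShell script that reports the three weakenings the thread describes (the group-membership and "Allow log on through Terminal Services" changes in the opening post, the per-user PwdStrength edit, and the removal of "pwdfilter" from the LSA Notification Packages value). It is meant for an elevated prompt on the server itself and uses only classic cmdlets, the WinNT ADSI provider and secedit, since the Windows Server 2003-era box has no Get-LocalGroupMember. The registry paths and the "pwdfilter" name come from the thread; that each WHS user is a subkey under the User Manager\Users key, the well-known SID S-1-5-32-555 for Remote Desktop Users, and the names of the helper functions are this example's own assumptions.

```powershell
# Added audit example (not from the thread). Read-only: it only reports.
# Assumptions: WHS keeps one subkey per user under $usersKey with a PwdStrength
# value (1/2 = weak/medium, 3 = strong, as the thread states); the password
# filter is registered as "pwdfilter" in LSA's Notification Packages.

$lsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$usersKey = 'HKLM:\SOFTWARE\Microsoft\Windows Home Server\User Manager\Users'
$findings = New-Object System.Collections.ArrayList

function Add-Finding([string]$Check, [string]$Subject, [string]$Detail) {
    [void]$findings.Add((New-Object PSObject -Property @{ Check = $Check; Subject = $Subject; Detail = $Detail }))
}

function Get-LocalGroupMemberNames([string]$GroupName) {
    # WinNT provider works on Server 2003, where Get-LocalGroupMember does not exist.
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.psbase.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# 1) Is the password filter still registered with LSA? The thread's Administrator
#    workaround removes "pwdfilter" from this multi-string value and reboots.
$packages = @((Get-ItemProperty -Path $lsaKey -Name 'Notification Packages').'Notification Packages')
if ($packages -notcontains 'pwdfilter') {
    Add-Finding 'LSA Notification Packages' 'pwdfilter' ('Filter missing; registered: ' + ($packages -join ', '))
}

# 2) Per-user PwdStrength. A missing value is what the thread reports for users
#    created after the LSA edit; the values themselves are listed so a 3 on an
#    account known to have a weak password stands out.
$whsUsers = @{}
if (Test-Path $usersKey) {
    foreach ($u in Get-ChildItem -Path $usersKey) {
        $strength = (Get-ItemProperty -Path $u.PSPath -Name 'PwdStrength' -ErrorAction SilentlyContinue).PwdStrength
        $whsUsers[$u.PSChildName] = $strength
        if ($null -eq $strength) {
            Add-Finding 'PwdStrength' $u.PSChildName 'Value missing (console password policy not recorded for this account)'
        }
    }
}

# 3) Who can reach the desktop over RDP: members of Remote Desktop Users and
#    Administrators (methods 1-3 of the opening post), each with its PwdStrength.
foreach ($g in 'Remote Desktop Users', 'Administrators') {
    foreach ($m in Get-LocalGroupMemberNames $g) {
        $s = if ($whsUsers.ContainsKey($m)) { $whsUsers[$m] } else { 'n/a' }
        Add-Finding "Member of $g" $m "PwdStrength=$s"
    }
}

# 3b) Has Remote Desktop Users been granted "Allow log on through Terminal
#     Services" (SeRemoteInteractiveLogonRight), as method 2 does?
$cfg = Join-Path $env:TEMP 'rights-export.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$line = [string](Get-Content $cfg | Where-Object { $_ -match '^SeRemoteInteractiveLogonRight\s*=' })
Remove-Item $cfg -ErrorAction SilentlyContinue
if ($line -match 'S-1-5-32-555') {   # well-known SID of BUILTIN\Remote Desktop Users
    Add-Finding 'SeRemoteInteractiveLogonRight' 'Remote Desktop Users' $line
}

$findings | Format-Table Check, Subject, Detail -AutoSize
```

Run it before and after applying any of the workarounds and diff the two tables; the group-membership rows are informational, while a missing pwdfilter entry or a missing PwdStrength value is a direct indicator that the console's policy is no longer being enforced for that account.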
  •  SME wrote:
    Again, interesting. For one, you know that I'll just post the info anyway, so being cryptic seems like a waste but it is your choice.
    You're right, I didn't think about that one, however it's fairly simple to find anyway with the directions I gave if you know how to search the web.

     SME wrote:
    I was thinking about burning a boot cd with ntpasswd to change the password that way but I figured it would just be a temp fix. Since I don't change my Administrator passwd often, temp might be OK.
    I'm not sure if that would work properly in combination with WHS.

     SME wrote:
    Unfortunately, if you edit the LSA key, new users don't get the PwdStrength key
    Yes, deleting pwdfilter from the Notification Packages key is not the most elegant method but like I said it works. You could also go and create your own pwd rules; pwdfilter is not the default in W2K3 / SBS installs. Default is passfilt, however then again I think it's not enabled by default on install. The most elegant thing to do would be to build a custom DLL yourself.

    Friday, June 22, 2007 11:31 PM
    Moderator
  • Simple enough... ;-)

    Me either, but it was a thought. ;-)

    The MOST elegant solution would be for MS to fix this internally. They've said that the password story is going to change, after RTM, but we have no idea when. Until then, between all of these solutions, at least we have workarounds. :-D

    Friday, June 22, 2007 11:52 PM