
Re: Error 1721, weak password


PA Bear [MS MVP]

Jul 21, 2009, 11:08:51 AM
[[Forwarded to MBSA- and Windows Server-specific newsgroups via crosspost.]]

Shawn Martin wrote:
> I keep getting Error 1721 for local accounts I have on 2008 server (64-bit).
> I'm running the MBSA under a domain account that is an administrator of the
> server.
>
> The local account that keeps getting flagged by MBSA has a password of
> Wh$v9Jx^=b
>
> so I have no clue as to why it thinks that is a weak password. Any
> suggestions?

Andrew Morton

Jul 21, 2009, 11:55:25 AM

Too short?

Andrew


Shawn Martin

Jul 21, 2009, 12:04:01 PM

The policy is set for an 8 character minimum.

@nomail.afraid.org FromTheRafters

Jul 21, 2009, 12:28:04 PM
It says it is strong here:

http://www.microsoft.com/protect/yourself/password/checker.mspx

"Shawn Martin" <Shawn...@discussions.microsoft.com> wrote in message
news:32E850DF-F6A2-4A9C...@microsoft.com...

Shawn Martin

Jul 21, 2009, 12:36:05 PM
Thanks. I'm not too concerned with the password, as I know it is relatively
strong. What I'm trying to diagnose, is why MBSA is giving the error, and how
I can correct it?

@nomail.afraid.org FromTheRafters

Jul 21, 2009, 12:51:23 PM
All of your "special characters" are from the same row. Only one number
appears. It is still too short.

Maybe a simple change like adding an additional number or special
character will suffice?

"Shawn Martin" <Shawn...@discussions.microsoft.com> wrote in message

news:1A4DD217-6FB6-4622...@microsoft.com...

Shawn Martin

Jul 21, 2009, 1:11:01 PM

Changed the password to: Wh$v9Jx^=b1? and MBSA is still reporting Error 1721,
Weak Password for that account.

@nomail.afraid.org FromTheRafters

Jul 21, 2009, 2:37:05 PM
Maybe MBSA is corrupted. Try a fresh copy.

"Shawn Martin" <Shawn...@discussions.microsoft.com> wrote in message

news:541627D3-B37E-4298...@microsoft.com...

Shawn Martin

Jul 21, 2009, 3:57:01 PM
Happening on multiple servers.

1PW

Jul 21, 2009, 6:39:11 PM
Shawn Martin wrote:
> Happening on multiple servers.

If MBSA, and/or its dependencies, had been loaded into all local
servers from the same local and corrupted source, that could be the
answer.

Warm regards and good luck,

Pete
--
1PW @?6A62?FEH9:DE=6o2@=]4@> [r4o7t]

Shawn Martin

Jul 22, 2009, 9:53:01 AM
MBSA was downloaded and installed directly from the Microsoft Download Center
onto each server, on separate days. The download was a direct download that
didn't go through a proxy server and anti-virus was disabled on the servers
when installing.

Any other suggestions?

@nomail.afraid.org FromTheRafters

Jul 22, 2009, 11:41:58 AM

"Shawn Martin" <Shawn...@discussions.microsoft.com> wrote in message
news:69F55844-E506-49D4...@microsoft.com...

> MBSA was downloaded and installed directly from the Microsoft Download Center
> onto each server, on separate days. The download was a direct download that
> didn't go through a proxy server and anti-virus was disabled on the servers
> when installing.
>
> Any other suggestions?

Sorry, fresh out.

There may be some additional clues here, but I can't say for sure.

http://technet.microsoft.com/en-us/library/cc875814.aspx

1PW

Jul 22, 2009, 12:54:02 PM
Shawn Martin wrote:
> MBSA was downloaded and installed directly from the Microsoft Download Center
> onto each server, on separate days. The download was a direct download that
> didn't go through a proxy server and anti-virus was disabled on the servers
> when installing.
>
> Any other suggestions?

Hello Shawn:

Do you ever remember this MBSA 2.1 version working OK in your shop?

If so, I'm wondering if a subsequent MS update has broken something?

Do you regularly run MBSA on a scheduled basis, or is it run on
special occasions?

Although "FTR" suggests a linkage to password strength, I'm guessing a
zero-length password is being mistakenly passed to MBSA for
evaluation, if indeed MBSA itself does the evaluation. But hey - I'm
just pulling this out of the air.

Warm regards Shawn,

Shawn Martin

Jul 22, 2009, 1:55:01 PM

MBSA was installed on a few different 2008 servers. Some had been up and
running for a few months, others were just installed this week.

On every server, I didn't have a previous version of MBSA installed.

The network team here wanted server administrators to run MBSA on
applications to ensure things like passwords are strong. The tool runs fine
on the 2003 servers, but throws the weak password error on the 2008 boxes.

The issue is definitely odd, so I'll set up another 2008 server from scratch
and see if it still happens.

Shawn Martin

Jul 23, 2009, 8:27:02 AM
For anyone else that has this problem, it's a known issue with MBSA and
Server 2008.

**************************
I reviewed your files and have confirmed your issue to be the same as the
"known" issue. A Windows 2008 server fix will be announced when it is
released. No ETA is available.

While it is regrettable that in this instance we have been unable to provide
you with a requested solution at this time, we hope that your continued
partnership will allow us to work together through future challenges as they
may arise. As with each customer we work with, it is always our objective to
provide the very best supported software possible.

The case will be set to a decrement type of “non-decrement” and thus, will
NOT be charged against your Software Assurance agreement.

At this time, as there is no other escalation channel for this issue, I will
conclude this case today.

It was my pleasure working with you. Please let me know of any feedback
you would like to convey to us on your overall experience with Microsoft


ACTION:
=======
Customer is running MBSA.

RESULTS:
========
Customer is seeing "1721" errors on the MBSA scan results for weak passwords
when scanning on Win2008 machines.

CAUSE:
======
Design regression

RESOLUTION:
============
No workaround available at this time. Hotfix and/or SP to be released in
the future.
**************************

1PW

Jul 23, 2009, 11:32:05 AM

Well done Shawn.

@nomail.afraid.org FromTheRafters

Jul 23, 2009, 4:46:20 PM
Thank you for passing this information on to us.

"Shawn Martin" <Shawn...@discussions.microsoft.com> wrote in message

news:7F637276-4615-4F01...@microsoft.com...

Anteaus

Jul 24, 2009, 2:30:01 AM

Then tell them that "pazword" is a much stronger password than
"768262ge%$^%$^%¬&^%&^*&^*ghjGUHTFhfHTRytRFyt^%$^!$"

Why? Because the latter just has to be typed in from a post-it attached to
the monitor.

Seriously, once passwords MUST contain gibberish, and must expire
frequently, the security of the system takes a nosedive for this reason.

The fundamental shortcoming in security design is that of allowing rapid-fire
attempts at logon. With a delay of even a few seconds between attempts,
brute-force methods become impractical. To improve your security, implement a
short lockout for repeated logon failures.

@nomail.afraid.org FromTheRafters

Jul 24, 2009, 7:22:47 AM

That is a good point, but for those without the physical access to the
computer (and the post-it note) trying to log on remotely with thousands
of guesses per second - the longer and more complex the better.

Timeouts are indeed a good measure to increase difficulty (and,
unfortunately, helpdesk calls).

"Anteaus" <Ant...@discussions.microsoft.com> wrote in message
news:B29C2546-C2C8-4348...@microsoft.com...
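
The lockout trade-off discussed in the two posts above, as an added example that is not part of the original thread: a small Python model of a threshold-and-lockout policy, showing how few of 1,000 guesses per second reach the password check and that the legitimate user is locked out as well. `LockoutPolicy`, the account name `svc_local` and the 5-failure, 30-second values are assumptions chosen for illustration; this is not how Windows implements account lockout.

```python
from dataclasses import dataclass, field

@dataclass
class LockoutPolicy:
    """Toy account-lockout model; all times are integer milliseconds."""
    threshold: int = 5          # failed logons tolerated inside the window
    window_ms: int = 900_000    # how long a failure keeps counting (15 min)
    lockout_ms: int = 30_000    # the "short lockout" (30 s)
    failures: dict = field(default_factory=dict)      # account -> failure times
    locked_until: dict = field(default_factory=dict)  # account -> unlock time

    def attempt(self, account: str, now: int, password_ok: bool) -> str:
        """Process one logon at time `now`; return 'locked', 'ok' or 'failed'."""
        if now < self.locked_until.get(account, 0):
            return "locked"      # rejected before the password is even checked
        if password_ok:
            self.failures.pop(account, None)
            return "ok"
        recent = [t for t in self.failures.get(account, [])
                  if now - t < self.window_ms]
        recent.append(now)
        if len(recent) >= self.threshold:
            self.locked_until[account] = now + self.lockout_ms
            recent = []          # counter restarts once the lockout begins
        self.failures[account] = recent
        return "failed"


def guesses_evaluated(policy: LockoutPolicy, duration_ms: int) -> int:
    """Send one wrong guess per millisecond (1,000/s) and count how many
    actually reach the password check instead of hitting the lockout."""
    return sum(
        policy.attempt("svc_local", now, password_ok=False) == "failed"
        for now in range(duration_ms)
    )


if __name__ == "__main__":
    sent = 600_000  # ten minutes of guessing at 1,000 attempts per second
    print(f"{guesses_evaluated(LockoutPolicy(), sent)} of {sent} guesses evaluated")
    # The cost raised in the reply: the legitimate user is locked out too.
    p = LockoutPolicy(threshold=3)
    for t in (0, 1, 2):
        p.attempt("svc_local", t, password_ok=False)
    print(p.attempt("svc_local", 10, password_ok=True))      # during lockout
    print(p.attempt("svc_local", 30_002, password_ok=True))  # after it expires
```
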

Doug Neal [MSFT]

Sep 8, 2009, 4:25:53 PM
This was actually an issue with Windows. The well-documented API calls
didn't function correctly until Service Pack 2 of Windows Vista and Windows
Server 2008. If you still have this issue after upgrading to SP2, please
let me know.

Otherwise, this is unfortunately an expected issue since Windows isn't
responding correctly to MBSA's request.

--
--

Doug Neal [MSFT]
du...@online.microsoft.com

This posting is provided "AS IS" with no warranties, and confers no rights.

If newsgroup discussion with experts and MVPs is unable to solve a problem
to your satisfaction, feel free to contact PSS for support on the Microsoft
Baseline Security Analyzer (MBSA). Information is available at the following
link:
http://support.microsoft.com/default.aspx

This e-mail address does not receive e-mail, but is used for newsgroup
postings only.

"PA Bear [MS MVP]" <PABe...@gmail.com> wrote in message
news:ecY$GYhCKH...@TK2MSFTNGP02.phx.gbl...

Shawn Martin

Sep 14, 2009, 3:12:02 PM

The issue is still occurring after applying SP2 for Server 2008.

Joe

Oct 2, 2009, 1:51:01 AM
I have a Windows 2008 Server x64 running Service Pack 2 and I am facing the
same error.
How shall I resolve this?

1PW

Oct 3, 2009, 12:26:16 AM
Joe wrote:
> I have a Windows 2008 Server x64 running Service Pack 2 and I am facing the
> same error.
> How shall I resolve this?
>
>
> "Shawn Martin" wrote:
>
>> The issue is still occurring after applying SP2 for Server 2008.
>>
>> "Doug Neal [MSFT]" wrote:
>>
>>> This was actually an issue with Windows. The well-documented API calls
>>> didn't function correctly until Service Pack 2 of Windows Vista and Windows
>>> Server 2008. If you still have this issue after upgrading to SP2, please
>>> let me know.
>>>
>>> Otherwise, this is unfortunately an expected issue since Windows isn't
>>> responding correctly to MBSA's request.
>>>
>>> --
>>> --
>>>
>>> Doug Neal [MSFT]
>>> du...@online.microsoft.com

Hello Joe:

I suggest you contact Doug Neal with your trouble.

--
1PW

Peter Foldes

Oct 3, 2009, 8:21:52 AM
This is a known issue and has not been corrected.

--
Peter

Please Reply to Newsgroup for the benefit of others
Requests for assistance by email can not and will not be acknowledged.

"Joe" <J...@discussions.microsoft.com> wrote in message
news:AA493448-6895-4A13...@microsoft.com...
