Posted: Fri Jan 12, 2018 4:26 pm
I KNOW I did this before. Why do I know this? Well, I still have the shortcut for remote desktop that logs in with a number sequence for the password, and my local username.

But I can't for the life of me figure out how I did it.
And yes, I know it is generally frowned upon.
Let's just put it like this. The X310 with WHS is only accessible from the local LAN. If anyone can access that, then I have other issues than the possibility of someone exploiting a weak admin password on my WHS, or any of my local PCs. I'm using physical security rather than password protection, and I'm fine with the security risk.
And, yes, just for the sake of argument, I am using my personal account, and not the "administrator" account, which is left with a strong password.

Anyone know a way to get around the complexity rule?


Posted: Fri Jan 12, 2018 10:27 pm
Seemed to me there was a place in the connector settings where you can set weak/strong/very strong for user accounts.
I think I set mine to just Strong, mine is not set up outside the network as well so don't worry about it.

Good Luck and enjoy

_________________
[X510 CPU/RAM/All 2 TB Red's] [X510 CPU/Sync'ed Backup/All 2 TB Hitachi's]
[X510 /2 in box]
[X710 LIAN LI DIY W2012E] Stablebit Drivepool [EX-503 LIAN LI 5-bay USB3 External]
:twisted: Fear the Cloud :twisted:


Posted: Sat Jan 13, 2018 12:28 pm
In the connector software, when you add a user, there is a field to allow remote access with a strong password.

_________________
EX-490
WHS v1
VGA/PS2 Keyboard/PS2 Mouse/Serial debug board
Q9450s CPU
Stock Ram
ESATA Sansdigital Towerraid TR5M-B
Popcorn C-200
Popcorn A-200
Dune HD Connect
Rasberry PI OSMC(KODI)
ReadyNAS RN316
Amazon FireStick
Amazon ECHO
AnyDvD
MyMovies


Posted: Sat Jan 13, 2018 12:46 pm
Gardian wrote:
Seemed to me there was a place in the connector settings where you can set weak/strong/very strong for user accounts.
I think I set mine to just Strong, mine is not set up outside the network as well so don't worry about it.

You can drop that one all the way to weak, and it doesn't affect the admin accounts one bit. And, it seems you have to be admin to have the remote desktop rights. Just adding the remote desktop group to a regular user doesn't do it.

Ruben Rocha wrote:
In the connector software, when you add a user, there is a field to allow remote access with a strong password.

Not entirely certain what you are talking about here. You have the password policy in settings, which is weak, normal, or strong, and strong has the complexity rule; none of the others have this. This setting apparently only affects the regular users, and not users belonging to the admin group.
To make things even worse, "remote access" in the connector refers to the ability to register your WHS with any of 3 now defunct services to have your WHS accessible from anywhere in the world, by logging in to a web page. It does not enable Remote Desktop for a user. Even if this had been the case, this feature too requires a strong password, meaning, with the complexity rule.

Quote:
Password complexity is how many character categories a password uses. For Windows Home Server, a complex password must contain at least three of the following four character categories:

Uppercase letters
Lowercase letters
Numbers
Symbols (such as !, @, #, etc.)

A strong password is complex and is at least seven characters long.


Posted: Sat Jan 13, 2018 1:22 pm
Okay I think I found what you are looking for.
RDP to the server.
Start>Control panel>Administrative tools>Local Security Settings>Password Policy

I have never altered them myself.
Most of what you are talking about is there.

In my ex490 they are disabled.

Posted: Sat Jan 13, 2018 8:07 pm
That is the one you change through the console settings. It lets you set users to 2 levels of password strength that don't require the complexity rule to be followed, and one that does. But it still doesn't let you get that darn admin account through the door without one. Thank you SO much for trying.


Posted: Fri May 17, 2019 5:49 pm
TL&DR; workaround at the end

So I've been setting up an HP DataVault x310 for my own use (maybe it should be called x3112, as I've dropped a WD Purple 12 TB in it). It will work as a big store for content from another, Linux-based NAS (I distrust filesystems and hardware enough that I wanted to set up two distinct storage solutions, as different from one another as one could get). It will also serve the usual duty of client backups of the various PCs that I have. (Hmm, I hope that I have no more than 10...)

I wanted to integrate it seamlessly with the rest of my network - setting the same user accounts and passwords I have on other machines.

As bad luck has it, "Administrator" is among those accounts, with a not very complex password (at least not up to the standard of Windows Home Server).

I thought that this would be a piece of cake, as I'm no stranger to lowering password length/complexity settings on various Windows Server OSes, but it turned out to be a tough nut to crack...

As everyone and her dog knows by now, the group policy settings have these not set. Still, the requirement is there. I think it is somehow user-bound, as password complexity on accounts created with the Windows Home Server Console is there depending on the position of the slider in Settings -> Passwords.

My google-fu didn't lead me to answers on how to set complexity on a per-user basis - the articles that I found dealt with domain controllers only - but one of them offered a workaround in the comments - an offline password editor!

The person from whom that brilliant idea originated used a live Linux ISO with chntpw, which I remember from back in the early 2000s. I didn't want to burn another CD or figure out how to put it on a USB stick (a floppy image would be the most preferred way (compiling chntpw and then fighting with mounting the NTFS partition, in part due to the fact that my PXE-netbootin' Ubuntu 16 takes some time to load and my other netbooting Linux is an old Geexbox without any compiler)), but the best one overall will be to do it from Windows.

I've found a bit dated port of chntpw for Windows, here:
https://web.archive.org/web/20100107052 ... /ntpwedit/

I don't have a console cable in my DataVault x310 (I do have a console cable with VGA that came with an Acer Easystor h340 (with serious issues; for the sad story of the broken h340, see this link: https://forum.home-server-blog.de/viewt ... 98#p172698 ), but didn't want to open that thing and fiddle with installing it there). Therefore I moved the HDD to some Vista laptop, inside a caddy that plugs in instead of the optical drive, like this one: https://www.amazon.com/Protronix-Optica ... B004XIU4T2 (random offering, not the actual one I bought). Yes, my system drive is some small, old 2,5 laptop HDD, sourced probably from trash by the seller I bought it from.

Using ntpwedit gave no issues, everything went well, though after testing that my newly set admin password, certainly non-compliant with the complexity rules, is working, I came to the conclusion that I'm not done yet and I need another account with a password against the complexity rules. This time I didn't want to do everything all over again, so I decided to do it on the DataVault x310.

While I was fighting with DataVault x310 software restoration about a year ago (it turned out to be an issue in naming the directory with the recovery data; my old Total Commander ISO-handling packer plugin used the ISO9660 name "RECOVERY", which looked valid enough to me, instead of the proper "RECOVERY IMAGE" - but I came to this conclusion after several hours of desperate fighting), I prepared a PXE-netbooting restoration image (the HP utility pushes that to the server as the first part of the restoration), which is in fact Windows PE equipped with some WHS-specific daemon which does the restoration over the network. My image spawned an additional cmd.exe, and also had a VNC server installed and executed by default (I didn't have a console cable back then but still I wanted to see what happens on the screen). Therefore I unplugged the system drive, waited for the PXE Windows PE image to start loading, reconnected the system drive and then used ntpwedit on that WinPE. Went fine this time as well.

So basically WHS console thinks all my passwords are complex, while in fact they're not.

I've tried logging in locally and via RDP and both ways are working just fine.

TL&DR; Use an offline password editor like chntpw (Linux) or ntpwedit (Windows).


Posted: Thu May 23, 2019 10:33 am
I've managed to get rid of that requirement, however only now I've got an opportunity to test whether my solution works or not.

  1. Open regedit.
  2. Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa key.
  3. Delete pwdfilter entry from "Notification Packages" REG_MULTI_SZ (but only that - better leave other entries intact) - by double clicking this value, deleting the row containing pwdfilter & clicking OK.
  4. Reboot the server for changes to take effect.

It seems to have been invented and documented long ago (see https://social.microsoft.com/Forums/en- ... hssoftware ), back in the days of WHS RC1, but I was unable to find that particular topic before I found the solution.


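A defender-side check for the change described in the last post, as an added example that is not part of the original thread: it decodes the "Notification Packages" REG_MULTI_SZ from two regedit exports of the Lsa key and reports entries removed or added since a known-good baseline. The export fragments are constructed, and `scecli` is an assumed neighbouring entry; only `pwdfilter` comes from the thread.

```python
import re

# Constructed sample: fragments of two regedit exports of the Lsa key.
# "scecli" is an assumed neighbouring entry; only "pwdfilter" is from the thread.
BASELINE_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,70,\
  00,77,00,64,00,66,00,69,00,6c,00,74,00,65,00,72,00,00,00,00,00
"LimitBlankPasswordUse"=dword:00000001
'''
CURRENT_EXPORT = r'''
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):73,00,63,00,65,00,63,00,6c,00,69,00,00,00,00,00
'''

def read_multi_sz(export_text, value_name):
    """Decode a REG_MULTI_SZ (hex(7)) value from regedit export text.

    Returns the list of strings, or None if the value is not in the export.
    """
    # regedit wraps long hex values with a trailing backslash; undo that first.
    joined = re.sub(r"\\\r?\n\s*", "", export_text)
    pattern = r'^"%s"=hex\(7\):([0-9a-fA-F,]*)\s*$' % re.escape(value_name)
    match = re.search(pattern, joined, re.M)
    if match is None:
        return None
    raw = bytes(int(b, 16) for b in match.group(1).split(",") if b)
    # REG_MULTI_SZ is UTF-16LE strings, each NUL-terminated, plus a final NUL.
    return [s for s in raw.decode("utf-16-le").split("\x00") if s]

def audit(baseline_export, current_export, name="Notification Packages"):
    """Report entries that differ from the baseline (case-insensitive)."""
    baseline = read_multi_sz(baseline_export, name)
    current = read_multi_sz(current_export, name)
    if baseline is None or current is None:
        raise ValueError("value %r not found in export" % name)
    base = {p.lower() for p in baseline}
    cur = {p.lower() for p in current}
    removed = ["removed: " + p for p in sorted(base - cur)]
    added = ["added: " + p for p in sorted(cur - base)]
    return removed + added

if __name__ == "__main__":
    for line in audit(BASELINE_EXPORT, CURRENT_EXPORT) or ["no drift"]:
        print(line)
```

Files written by regedit in the "Windows Registry Editor Version 5.00" format are UTF-16, so read them with `encoding="utf-16"` before passing the text in.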