Lock NT Domain Accounts


Information security controls are often overused, and instead of reducing one exposure they create a new one. The account lockout policy on an NT domain is one such example. Lockout policies were introduced to mitigate brute-force attacks against domain accounts, but network and security administrators sometimes choose to lock an account until an administrator explicitly unlocks it, rather than for a fixed period of time. That setting can be turned into a dangerous Denial-of-Service (DoS) attack against the domain authentication system: a malicious person simply makes repeated authentication attempts with a bogus password against every domain account. More dangerously, when the logging and auditing policy is inadequate, such a DoS attack can run undetected.

The following lockNT script illustrates this case. It locks all domain accounts except Administrator by submitting a bogus password multiple times. The script must be run from a Windows NT/Pro workstation that is a member of the domain to work correctly. If auditing is enabled on the domain controller, the NetBIOS name of the attacking workstation will be visible in the audit log.
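From the defender's side, the audit trail mentioned above is what exposes this kind of lockout DoS: one workstation producing failed logons and lockouts against many distinct accounts in a short window. The following is an added example, not part of the lockNT page, that flags such a source; the audit lines and their field layout are constructed for the example and are an assumption, not the real NT event-log format.

```python
# Added example (not from the lockNT page): flag a workstation that causes
# failed logons / lockouts against many distinct accounts in a short window.
# The log layout "<timestamp> <event> user=<acct> from=<workstation>" is a
# constructed assumption, not the real Windows NT audit record format.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records (WS-ATTACK is the abusive source here).
SAMPLE_LOG = """\
2003-02-03T09:00:01 LOGON_FAILURE user=alice from=WS-ATTACK
2003-02-03T09:00:02 LOGON_FAILURE user=alice from=WS-ATTACK
2003-02-03T09:00:03 LOGON_FAILURE user=alice from=WS-ATTACK
2003-02-03T09:00:03 ACCOUNT_LOCKED user=alice from=WS-ATTACK
2003-02-03T09:00:04 LOGON_FAILURE user=bob from=WS-ATTACK
2003-02-03T09:00:05 LOGON_FAILURE user=bob from=WS-ATTACK
2003-02-03T09:00:06 LOGON_FAILURE user=bob from=WS-ATTACK
2003-02-03T09:00:06 ACCOUNT_LOCKED user=bob from=WS-ATTACK
2003-02-03T09:00:07 LOGON_FAILURE user=carol from=WS-ATTACK
2003-02-03T09:00:08 LOGON_FAILURE user=carol from=WS-ATTACK
2003-02-03T09:00:09 LOGON_FAILURE user=carol from=WS-ATTACK
2003-02-03T09:00:09 ACCOUNT_LOCKED user=carol from=WS-ATTACK
2003-02-03T09:12:30 LOGON_FAILURE user=dave from=WS-DAVE
2003-02-03T09:12:41 LOGON_SUCCESS user=dave from=WS-DAVE
"""

def parse(line):
    """Split one audit record into (timestamp, event, account, workstation)."""
    ts, event, user_kv, from_kv = line.split()
    return (datetime.fromisoformat(ts), event,
            user_kv.split("=", 1)[1], from_kv.split("=", 1)[1])

def find_lockout_sources(log, window=timedelta(minutes=5), min_accounts=3):
    """Return {workstation: sorted accounts} for each workstation whose failed
    logons or lockouts touch >= min_accounts distinct accounts within window.
    A single user mistyping a password (dave above) is not reported."""
    events = sorted(parse(l) for l in log.splitlines() if l.strip())
    by_ws = defaultdict(list)
    for ts, ev, user, ws in events:
        if ev in ("LOGON_FAILURE", "ACCOUNT_LOCKED"):
            by_ws[ws].append((ts, user))
    flagged = {}
    for ws, items in by_ws.items():
        # Sliding window: from each event, collect accounts hit within `window`.
        for i, (t0, _) in enumerate(items):
            accts = {u for t, u in items[i:] if t - t0 <= window}
            if len(accts) >= min_accounts:
                flagged[ws] = sorted(accts)
                break
    return flagged
```

Raising `min_accounts` or shrinking `window` tunes the rule for a real domain where helpdesk resets and shared kiosks produce legitimate clusters of failures.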

I wrote these tools with honest intentions - to audit my own network, and to demonstrate the risk of some "security" recommendations. Please do not abuse this software.

This script, but not the accompanying files, is free software; you can do with it whatever you want.
The following additional files have been used:

Updated: 20030203