Possible User Account Harvesting when User is Disabled or Locked

Article ID: 279662

Products

SITEMINDER

Issue/Introduction

In some cases, when a valid user is disabled or locked, they are redirected to 'smpwservices.fcc' during login as part of an auto-initiated Password Recovery.  This could be undesired behavior, as it could indicate to a malicious user that they are using a valid user name.

If the user fails authentication (Invalid User or Invalid Password), they are redirected back to the authentication page again.  If the user fails Authorization, they are redirected back to the authentication page again.  However, if the user is locked or disabled, regardless of whether the correct password is used, that user may be redirected to smpwservices.fcc instead.  This difference in behavior can be used to confirm that a valid user name is being passed.
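As an added example (not part of this article and not CA/Broadcom code), the following Python detector runs over constructed web-tier log lines and flags a client IP that submitted many distinct user names and received at least one redirect to smpwservices.fcc, the combination that indicates the difference described above is being probed. The log format, the /siteminderagent/forms/ paths and the threshold are assumptions.

```python
import re
from collections import defaultdict

# Password Services FCC named in the article: a login POST redirected here
# (rather than back to the login page) marks a valid but locked/disabled user.
PW_SERVICES_FCC = "smpwservices.fcc"

# Constructed sample lines, not real logs. The format is an assumption about
# the web tier's logging: <client_ip> <posted_user> <status> <redirect_location>
SAMPLE_LOG = """\
10.0.0.5 alice 302 /siteminderagent/forms/login.fcc
10.0.0.5 bob 302 /siteminderagent/forms/login.fcc
10.0.0.5 carol 302 /siteminderagent/forms/smpwservices.fcc
10.0.0.5 dave 302 /siteminderagent/forms/login.fcc
10.0.0.5 erin 302 /siteminderagent/forms/smpwservices.fcc
10.0.0.9 frank 302 /siteminderagent/forms/login.fcc
10.0.0.9 frank 302 /siteminderagent/forms/login.fcc
10.0.0.9 frank 200 -
"""
LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) (\S+)$")

def parse_line(line):
    """Return (ip, user, status, location), or None for a malformed line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ip, user, status, location = m.groups()
    return ip, user, int(status), location

def analyze(log_text, min_distinct_users=4):
    """Per client IP: distinct user names tried, users that hit the Password
    Services redirect, and a flag when both signals suggest harvesting."""
    per_ip = defaultdict(lambda: {"users": set(), "revealed": []})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that do not match the assumed format
        ip, user, status, location = rec
        per_ip[ip]["users"].add(user)
        if status == 302 and location.endswith(PW_SERVICES_FCC):
            per_ip[ip]["revealed"].append(user)  # account confirmed valid
    report = {}
    for ip, s in per_ip.items():
        flagged = len(s["users"]) >= min_distinct_users and bool(s["revealed"])
        report[ip] = {"distinct_users": len(s["users"]),
                      "revealed_accounts": s["revealed"], "flagged": flagged}
    return report
```

The "revealed_accounts" list is also useful on its own: those are the locked or disabled accounts whose existence the probing client has already confirmed.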

Environment

[SITEMINDER]

Policy Server: ANY

Policy Server OS: ANY

Cause

The behavior is a result of one or more of the following default behaviors:

1) If Password Services is enabled for the user directory and the Max Failed Attempts value is reached, Siteminder will redirect the user to 'smpwservices' (Password Services).

2) If a valid user is locked or disabled in the user directory, Siteminder will redirect the user to 'smpwservices' (Password Services).

Resolution

Enable "DisableSpecificLoginFailMessage" on the Policy Server(s)

1) Logon to the Policy Server
2) Run the following command:

XPSConfig

3) Type "SM" then ENTER to launch the SM menu

4) Locate "DisableSpecificLoginFailMessage"

5) Enter the number that corresponds to "DisableSpecificLoginFailMessage"

=======================================

PARAMETER MENU***********************CA.SM::$DisableSpecificLoginFailMessage

   Name:               DisableSpecificLoginFailMessage [CA.SM::$DisableSpecificLoginFailMessage]
   Type:               Logical
   Scope:              Global
   Export?             yes
   Report?             yes
   Remote Access:      ReadWrite
   Description:        Does not set redirect URL on login failure
   License Type:       None
   *Default Value:     FALSE
   Current Value:      "FALSE"

-------------------------------------------------------------------
   C  - Change value
   R  - Reset to default
   Q  - Quit
-------------------------------------------------------------------
Enter Option (C, R, or Q):

=======================================

6) Type "C" then ENTER to change the value so that the parameter is enabled (TRUE instead of the default FALSE).

7) Type "Q" then ENTER (Quit) to exit the 'DisableSpecificLoginFailMessage' parameter

8) Type "Q" then ENTER (Quit) to exit the 'SM' menu.

9) Type "Q" then ENTER (Quit) to exit 'XPSConfig'.

10) Stop and Start the Policy Server(s)

11) Repeat steps 1 through 10 on all Policy Servers.