Checklist: Key control settings to harden password authentication

Reduce domain password caching on desktops
By default, the last 10 logons are cached to the desktop's hard drive, making it possible for users to log on even if a domain controller cannot be reached. The danger is that an attacker can obtain the cached passwords. Set the number of cached passwords to 0 to prevent this, but realize that network or DC problems can then prevent users from logging on at all. Do not do this to laptops. When users disconnect laptops from the network, they will not be able to log on until they return -- not a good thing.

Prevent domain password caching on domain controllers
What happens if an administrator is logged on, called away from the DC and then fired? Even if the DC is set to lock the computer when idle or another administrator immediately disables the account, the disgruntled former administrator will still be able to log on if he returns to the console and the password is cached. Set password caching to 0 on domain controllers if you deem this a risk. (If fired employees are escorted out of the building, the risk here is reduced.)

Remove LAN Manager (LM) hashes from the password database
NTLM and NTLMv2 can be used by most Windows computers for domain logon to Windows 2000 and Windows Server 2003, which reduces the risk that LM posed. However, a risk remains if the password hashes required by LM are still stored in the password database. An attacker who gains access to the database could easily crack the LM hash and deduce the NTLM hash.

Move to NTLM
In Windows Server 2003 or Windows 2000, you can force the use of NTLM or NTLMv2 by all users. Legacy clients such as Windows 98 require LM, but if the Active Directory client is installed and a registry entry is made, Windows 98 clients can use NTLM or NTLMv2. LM is a weaker protocol, and the hash it requires is very easy for several free and commercial password crackers to crack. Once they have cracked the LM hash, they can easily deduce the NTLM password.

Use non-default forms of syskey on sensitive computers
Syskey adds an additional layer of protection for the password database. It is used by default, but the default form of syskey stores the password required upon reboot on the hard drive. You should change this model -- where necessary and possible -- to require either a password entry or use of a syskey disk. (The disk is created when you change the syskey mode.) You must use caution. If an unattended server reboots and no one is there to enter the password or insert the disk, the server will not boot and a critical resource may be unavailable when it is needed.

Physically protect sensitive computers
Physical protection should be required for all computers. If an attacker can gain physical control of a computer, he might boot the system to an alternative operating system and obtain a copy of the password database. He might also establish a back door, keystroke logger (to capture passwords) or other malicious code. Servers should be in a locked data center, room or cabinet that is accessible only to authorized personnel. Desktop machines should be protected by removing floppy drives and CD-ROM drives to prevent the alternative-OS issue. Laptops should be locked to a non-movable object when unattended.
Windows Security Checklists offer you step-by-step advice for planning,
setting up and hardening your Windows security infrastructure.
ABOUT THE AUTHOR
Roberta Bragg is author of "Hardening Windows Systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.
This was first published in August 2004