8 tips in 8 minutes: Password authentication and protection

As part of the 25 password hardening tips in 25 minutes series, these eight quick tips offer best practices for password authentication and protection from SearchWindowsSecurity.com experts and contributors.

TABLE OF CONTENTS: Password authentication and protection
   1. Be the Emily Post of proper passwords
   2. Do not store miscellaneous passwords on hard drives
   3. Reduce domain password caching on desktops
   4. Prevent domain caching on domain controllers
   5. Remove LAN Manager (LM) hashes from password database
   6. Move to NTLM
   7. Use non-default forms of syskey
   8. Physically protect sensitive computers

Return to 25 password hardening tips in 25 minutes.


Tip #1: Be the Emily Post of proper passwords

Examples of poor password etiquette:

  • Putting a password on a sticky note and attaching it to the monitor or placing it under the keyboard.
  • Sharing passwords with fellow workers.
  • Giving out a password because someone calls and says they are from IT or security, or to anyone else who asks.

Examples of good password etiquette:

  • Calling security if someone attempts to obtain a password or users notice anything odd about their logon.
  • Using unique passwords for each account, including personal accounts with banks and other Web sites.

- Excerpted from Roberta Bragg's Hardening user passwords


    Tip #2: Do not store miscellaneous passwords on hard drives

    Users with Internet-access rights will want to visit personal sites and may have to register to obtain information. Local applications may also require passwords. Users may be offered the chance to store these passwords on the hard drive. This is not a good practice: such passwords may not be stored as securely as the logon password and may be accessible to an attacker. This is especially dangerous if users forget and reuse passwords across multiple sites and applications, or reuse their Windows password. Users should not be subscribing to Web sites that are not visited for business purposes. When business applications require passwords, users should enter them each time they use the application instead of storing them on the hard drive.

    - Excerpted from Roberta Bragg's Hardening user passwords


    Tip #3: Reduce domain password caching on desktops

    By default, the last 10 domain logons are cached on the desktop's hard drive, making it possible for users to log on even if a domain controller cannot be reached. The danger is that an attacker with access to the disk can extract these cached credential verifiers and attack them offline. Set the number of cached logons to 0 to prevent this (the security option "Interactive logon: Number of previous logons to cache (in case domain controller is not available)", stored as the CachedLogonsCount value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon), but realize that network or DC problems will then prevent users from logging on at all. Do not do this to laptops. When users disconnect laptops from the network, they will not be able to log on until they return -- not a good thing.

    - Excerpted from Roberta Bragg's Key control settings to harden password authentication


    Tip #4: Prevent domain caching on domain controllers

    What happens if an administrator is logged on, called away from the DC and then fired? Even if the DC locks the console when idle, or another administrator immediately disables the account, the disgruntled former administrator will still be able to log on if he returns to the console and his logon is cached. Set the number of cached logons to 0 on domain controllers if you deem this a risk. (If fired employees are escorted out of the building, the risk here is reduced.)

    - Excerpted from Roberta Bragg's Key control settings to harden password authentication


    Tip #5: Remove LAN Manager (LM) hashes from password database

    NTLM and NTLMv2 can be used by most Windows computers for domain logon to Windows 2000 and Windows Server 2003. This reduces the risk that LM posed. However, a risk remains if the hashes required by LM are still stored in the password database. An attacker who gains access to the database could easily crack the LM hash, recover the password (in uppercase, since LM discards case) and from that deduce the exact-case password and its NTLM hash with only a handful of guesses. The security option "Network security: Do not store LAN Manager hash value on next password change" stops new LM hashes from being written, but the existing ones remain in the database until each user next changes his password.

    - Excerpted from Roberta Bragg's Key control settings to harden password authentication


    Tip #6: Move to NTLM

    In Windows Server 2003 or Windows 2000, you can force the use of NTLM or NTLMv2 by all users (the security option "Network security: LAN Manager authentication level", which sets LmCompatibilityLevel). While legacy clients such as Windows 98 require LM, if the Active Directory client is installed and a registry entry is made, Windows 98 clients can use NTLM or NTLMv2. In addition to being a weaker protocol, the hash required by LM is very easy for several free and commercial password crackers to crack, because it is built from two independent 7-character halves of the uppercased password. Once they have cracked the LM hash, they can easily deduce the NTLM password.

    - Excerpted from Roberta Bragg's Key control settings to harden password authentication


    Tip #7: Use non-default forms of syskey

    Syskey adds an additional layer of protection for the password database. It is enabled by default, but in its default mode the key needed at reboot is stored on the hard drive. You should change this mode -- where necessary and possible -- to require either a password entered at startup or a syskey floppy disk. (The disk is created when you change the syskey mode.) You must use caution: if an unattended server reboots and no one is there to enter the password or insert the disk, the server will not boot and a critical resource may be unavailable when it is needed.

    - Excerpted from Roberta Bragg's Key control settings to harden password authentication


    Tip #8: Physically protect sensitive computers

    Physical protection should be required for all computers. If an attacker can gain physical control of a computer, he might boot the system to an alternative operating system and obtain a copy of the password database. He might also establish a back door, keystroke logger (to capture passwords) or other malicious code. Servers should be in a locked data center, room or cabinet that is accessible only to authorized personnel. Desktop machines should be protected by removing floppy drives and CD-ROM drives, or by setting a BIOS password and restricting the boot order, to prevent the alternative OS issue. Laptops should be locked to a non-movable object when unattended.

    - Excerpted from Roberta Bragg's Key control settings to harden password authentication

