8 tips in 8 minutes: Password authentication and protection

By SearchWindowsSecurity.com
17 Jan 2005 | SearchWindowsSecurity.com


As part of the 25 password hardening tips in 25 minutes series, the following eight quick tips offer best practices for password authentication and protection from SearchWindowsSecurity.com experts and contributors.


TABLE OF CONTENTS: Password creation
   1. Be the Emily Post of proper passwords
   2. Do not store miscellaneous passwords on hard drives
   3. Reduce domain password caching on desktops
   4. Prevent domain caching on domain controllers
   5. Remove LAN Manager (LM) hashes from password database
   6. Move to NTLM
   7. Use non-default forms of syskey
   8. Physically protect sensitive computers

Return to 25 password hardening tips in 25 minutes.


Tip #1: Be the Emily Post of proper passwords

Examples of poor password etiquette:

  • Putting a password on a sticky note and attaching it to the monitor or placing it under the keyboard.
  • Sharing passwords with fellow workers.
  • Giving out a password to anyone who calls, including callers who say they are from IT or security.

Examples of good password etiquette:

  • Calling security if someone attempts to obtain a password or users notice anything unusual about their logon.
  • Using unique passwords for each account, including personal accounts with banks and other Web sites.

- Excerpted from Roberta Bragg's Hardening user passwords


Tip #2: Do not store miscellaneous passwords on hard drives

Users with Internet-access rights will want to access personal sites and may have to register to obtain information. Local applications may also require passwords. Users may have the opportunity to store these passwords on the hard drive. This is not a good practice. These passwords may not be stored as securely as the logon password, and may be accessible to an attacker. This is especially dangerous if users forget and reuse passwords for multiple sites and applications, and/or use their Windows password. Users should not be subscribing to Web sites that are not visited for business purposes. When business applications require passwords, users should enter them each time they use the application instead of storing them on the hard drive.

- Excerpted from Roberta Bragg's Hardening user passwords


Tip #3: Reduce domain password caching on desktops

By default, the last 10 logons are cached to the desktop's hard drive, making it possible for users to log on even if a domain controller cannot be reached. But the danger is that an attacker can obtain cached passwords. Set the number of cached passwords to 0 to prevent this from occurring, but realize that network or DC problems can then prevent users from logging on at all. Do not do this to laptops. When users disconnect laptops from the network, they will not be able to log on until they return -- not a good thing.

- Excerpted from Roberta Bragg's Key control settings to harden password authentication


Tip #4: Prevent domain caching on domain controllers

What happens if an administrator is logged on, called away from the DC and then fired? Even if the DC is set to lock the computer when idle or another administrator immediately disables the account, the disgruntled former administrator will still be able to log on if he returns to the console and the password is cached. Set password caching to 0 on domain controllers if you deem this a risk. (If fired employees are escorted out of the building, the risk here is reduced.)

- Excerpted from Roberta Bragg's Key control settings to harden password authentication


Tip #5: Remove LAN Manager (LM) hashes from password database

NTLM and NTLMv2 can be used by most Windows computers for domain logon to Windows 2000 and Windows Server 2003. This reduces the risk that LM posed. However, a risk exists if the password hashes required by LM are stored in the password database. An attacker who gains access to the database could easily crack the LM hash and deduce the NTLM hash.

- Excerpted from Roberta Bragg's Key control settings to harden password authentication


Tip #6: Move to NTLM

In Windows Server 2003 or Windows 2000, you can force the use of NTLM or NTLMv2 by all users. While legacy clients such as Windows 98 require LM, if the Active Directory client is installed and a registry entry is made, Windows 98 clients can use NTLM or NTLMv2. In addition to being a weaker protocol, the hash required by LM is very easy for several free and commercial password crackers to crack. Once they have cracked the LM hash, they can easily deduce the NTLM password.

- Excerpted from Roberta Bragg's Key control settings to harden password authentication
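The settings behind tips 3 through 6 all live in the registry (they can also be set through Group Policy). The following PowerShell script is an added example, not part of the original article or of Roberta Bragg's text: it audits a machine against the hardened values and can apply them. The registry paths and value names are the documented Windows locations for cached logons, LM hash storage and LAN Manager authentication level; the pass/fail thresholds are editorial choices based on the tips above. On Windows 2000 the NoLMHash setting is a registry subkey rather than a DWORD value, which this script does not handle, and NoLMHash only removes the LM hash at each user's next password change.

```powershell
# Added example (not from the original article). Audit and harden the registry
# settings discussed in tips 3-6. Run elevated; a reboot is needed afterwards.
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$Lsa      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-PasswordHardeningStatus {
    param(
        # Laptops legitimately keep cached logons (tip 3), so allow the default there.
        [switch]$IsLaptop
    )
    # CachedLogonsCount is a REG_SZ string; an absent value means the default of 10.
    $raw    = (Get-ItemProperty -Path $Winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
    $cached = if ($null -eq $raw) { 10 } else { [int]$raw }
    # NoLMHash = 1 stops storing the LM hash at the next password change (tip 5).
    $noLm   = (Get-ItemProperty -Path $Lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    # LmCompatibilityLevel 3 = clients send NTLMv2 only; 5 = DCs also refuse LM and NTLM (tip 6).
    $level  = (Get-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel

    $maxCached = if ($IsLaptop) { 10 } else { 0 }   # editorial thresholds, per tips 3 and 4
    [pscustomobject]@{
        CachedLogonsCount    = $cached
        CachedLogonsOk       = ($cached -le $maxCached)
        NoLMHash             = $noLm
        NoLMHashOk           = ($noLm -eq 1)
        LmCompatibilityLevel = $level
        LmCompatibilityOk    = ($null -ne $level -and $level -ge 3)
    }
}

function Set-PasswordHardening {
    param([switch]$IsLaptop)
    if (-not $IsLaptop) {
        # Desktops and domain controllers: no cached domain logons (tips 3 and 4).
        Set-ItemProperty -Path $Winlogon -Name CachedLogonsCount -Value '0' -Type String
    }
    # Stop storing LM hashes (tip 5); existing LM hashes disappear as passwords are changed.
    Set-ItemProperty -Path $Lsa -Name NoLMHash -Value 1 -Type DWord
    # Send NTLMv2 only (tip 6); raise to 5 on DCs once no client still needs LM or NTLM.
    Set-ItemProperty -Path $Lsa -Name LmCompatibilityLevel -Value 3 -Type DWord
}

# Report the current state; call Set-PasswordHardening [-IsLaptop] to remediate.
Get-PasswordHardeningStatus | Format-List
```

Run the audit across a fleet before remediating: a cached-logon count of 0 on a machine that is actually a laptop will lock its user out the first time it leaves the network, exactly the failure tip 3 warns about.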


Tip #7: Use non-default forms of syskey

Syskey adds an additional layer of protection for the password database. It is used by default, but the default form of syskey stores the password required upon reboot on the hard drive. You should change this model -- where necessary and possible -- to require either a password entry or use of a syskey disk. (The disk is created when you change the syskey mode.) You must use caution. If an unattended server reboots and no one is there to enter the password or use the disk, the server will not boot and a critical resource may be unavailable when it is needed.

- Excerpted from Roberta Bragg's Key control settings to harden password authentication


Tip #8: Physically protect sensitive computers

Physical protection should be required for all computers. If an attacker can gain physical control of a computer, he might boot the system to an alternative operating system and obtain a copy of the password database. He might also establish a back door, keystroke logger (to capture passwords) or other malicious code. Servers should be in a locked data center, room or cabinet that is accessible only to authorized personnel. Desktop machines should be protected by removing floppy drives and CD-ROM drives to prevent the alternative OS issue. Laptops should be locked to a non-movable object when unattended.

- Excerpted from Roberta Bragg's Key control settings to harden password authentication

