Checklist: Key control settings to harden password authentication


Roberta Bragg
08.24.2004

Strengthening password-based authentication is not entirely the duty of users and policy makers. Windows configuration changes can also make it harder for an attacker to obtain authentication material, such as the account database, and harder to do anything useful with that material if he does obtain it. Implementing these controls is not without challenge, however. Test them on non-production systems before deployment to make sure they do not conflict with current applications or legacy clients. If conflicts appear, consider a workaround, or replace the offending application.

Reduce domain password caching on desktop
By default, Windows caches the credentials of the last 10 domain logons on the local hard drive so that users can still log on when no domain controller can be reached. What is stored is not the password itself but a verifier derived from the password hash; it is still valuable to an attacker who can read the disk, because it can be cracked offline. Set the number of cached logons to 0 (Group Policy: Interactive logon: Number of previous logons to cache; registry: CachedLogonsCount under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon) to prevent this, but realize that network or DC problems will then prevent users from logging on at all. Do not do this to laptops. When users disconnect laptops from the network, they will not be able to log on until they reconnect, which is not acceptable.
Prevent domain password caching on domain controllers
What happens if an administrator is logged on at a DC, is called away and is then fired? Even if the DC is set to lock the console when idle, or another administrator immediately disables the account, the disgruntled former administrator can still log on if he returns to the console and his credentials are cached. Set the number of cached logons to 0 on domain controllers if you deem this a risk. (If fired employees are escorted out of the building, the risk is reduced.)
Remove LAN Manager (LM) hashes from password database
Most Windows computers can use NTLM or NTLMv2 for domain logon to Windows 2000 and Windows Server 2003, which removes the need to send LM responses over the network. A risk remains, however, if the LM hash of each password is still stored in the account database (the SAM or Active Directory). An attacker who obtains the database can crack the LM hash quickly, because it is built from the password upper-cased and split into two 7-character halves that are attacked independently, and from the recovered case-insensitive password can deduce the NTLM hash by trying case variations. Enable the policy Network security: Do not store LAN Manager hash value on next password change (registry: NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa). Existing LM hashes are removed only when each user next changes the password, so force a password change after enabling the setting.
Move to NTLM
In Windows 2000 or Windows Server 2003, you can force all users to authenticate with NTLM or NTLMv2 by raising the policy Network security: LAN Manager authentication level (registry: LmCompatibilityLevel under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; level 5 accepts NTLMv2 only). Legacy clients such as Windows 98 use LM by default, but once the Active Directory client extension is installed and the corresponding registry entry is made, Windows 98 clients can use NTLM or NTLMv2 as well. LM is not only the weaker protocol: the LM hash it depends on is trivially cracked by several free and commercial password crackers, and once the LM hash is cracked the case-sensitive NTLM password follows by trying case variations. Raise the level gradually and test at each step, because a domain controller set to refuse LM and NTLM will reject any client that cannot yet send NTLMv2.
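The three registry-backed controls in the items above (cached logons, the LM hash and the LAN Manager authentication level) can be audited and set from one script. The following PowerShell is an added example written for this checklist, not code from the original article or from Microsoft. The registry paths and policy names are the standard Windows ones; the target values (0 cached logons, NoLMHash = 1, LmCompatibilityLevel = 5) are this example's choice of hardened settings, and the -Laptop switch that skips the cached-logon change is the example's own assumption. Run it elevated, and on a test system first.

```powershell
# Added example for this checklist (not from the original article): audit, and
# optionally remediate, the three registry-backed password-authentication controls.
# Run in an elevated PowerShell session. Target values are this example's
# hardened choices; lower LmCompatibilityLevel where legacy clients still need LM/NTLM.
param(
    [switch]$Remediate,   # apply the target values instead of only reporting
    [switch]$Laptop       # assumption of the example: leave cached logons alone on laptops
)

$Controls = @(
    @{
        Policy  = 'Interactive logon: Number of previous logons to cache'
        Path    = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
        Name    = 'CachedLogonsCount'
        Type    = 'String'   # REG_SZ; Windows default is "10"
        Default = '10'
        Target  = '0'
        Skip    = [bool]$Laptop
    },
    @{
        Policy  = 'Network security: Do not store LAN Manager hash value on next password change'
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name    = 'NoLMHash'
        Type    = 'DWord'    # REG_DWORD on Windows XP/2003; absent means LM hashes are stored
        Default = 0
        Target  = 1
        Skip    = $false
    },
    @{
        Policy  = 'Network security: LAN Manager authentication level'
        Path    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
        Name    = 'LmCompatibilityLevel'
        Type    = 'DWord'    # 0 = send LM & NTLM ... 5 = send NTLMv2 only, DCs refuse LM and NTLM
        Default = 0          # effective default when absent: 0 on Windows 2000/XP, 2 on Server 2003
        Target  = 5
        Skip    = $false
    }
)

# Read the current value; a missing value means the Windows default is in effect.
function Get-ControlValue([hashtable]$Control) {
    $item = Get-ItemProperty -Path $Control.Path -Name $Control.Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Control.Default }
    return $item.$($Control.Name)
}

function Test-Control([hashtable]$Control, $Value) {
    # Compare as strings so REG_SZ "0" and REG_DWORD 0 are handled the same way.
    return ("$Value" -eq "$($Control.Target)")
}

$report = foreach ($c in $Controls) {
    $current = Get-ControlValue $c
    $ok = Test-Control $c $current
    $action = 'none'
    if ($c.Skip) {
        $action = 'skipped (laptop)'
    } elseif (-not $ok) {
        if ($Remediate) {
            # -Force overwrites an existing value; New-ItemProperty also creates a missing one.
            New-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Target `
                -PropertyType $c.Type -Force | Out-Null
            $current = Get-ControlValue $c
            $ok = Test-Control $c $current
            $action = 'set'
        } else {
            $action = 'needs change'
        }
    }
    [pscustomobject]@{
        Policy    = $c.Policy
        Current   = $current
        Target    = $c.Target
        Compliant = $ok
        Action    = $action
    }
}

$report | Format-Table -AutoSize -Wrap
# Exit non-zero when anything is still non-compliant, so the script can gate a build image.
if ($report | Where-Object { -not $_.Compliant -and $_.Action -ne 'skipped (laptop)' }) { exit 1 }
```

Two caveats match the checklist items above. Setting NoLMHash = 1 does not purge LM hashes already in the database; each user must change the password before the LM hash disappears. (On Windows 2000 the same control is the presence of a subkey named NoLMHash under the Lsa key rather than a DWORD value; the script handles the Windows XP/Server 2003 form.) And LmCompatibilityLevel = 5 on a domain controller refuses LM and NTLM from every client, so raise it only after confirming that all clients, including Windows 98 machines with the Active Directory client extension, are sending NTLMv2.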
Use non-default forms of syskey on sensitive computers
Syskey adds an additional layer of encryption to the password database. It is enabled by default, but in the default mode the key required at boot is stored on the local hard drive, so it offers little protection against an attacker who has the disk. Where necessary and possible, change the mode so that the system requires either a startup password or a syskey floppy disk. (The disk is written when you change the syskey mode.) Use caution: if an unattended server reboots and no one is present to enter the password or insert the disk, the server will not boot, and a critical resource may be unavailable when it is needed. Keep the password, or a copy of the disk, in a secured location, because without it the system cannot be started.
Physically protect sensitive computers
Physical protection should be required for all computers. An attacker with physical control of a computer can boot it into an alternative operating system and copy the password database, or install a back door, a keystroke logger (to capture passwords) or other malicious code. Servers belong in a locked data center, room or cabinet that is accessible only to authorized personnel. Desktop machines can be protected by removing floppy and CD-ROM drives, and by restricting the BIOS boot order to the hard disk and password-protecting BIOS setup, so that an alternative OS cannot be booted. Laptops should be locked to a fixed object when unattended.

ABOUT THE AUTHOR:
Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.

Copyright 2004

