Checklist: Key control settings to harden password authentication

In part two of her password hardening series, Roberta Bragg details configuration changes to make in Windows Server 2003, 2000 and legacy systems to harden password authentication.

Strengthening password-based authentication systems is not entirely the duty of users and policy makers. Windows configuration changes can also make it harder for an attacker to obtain authentication material, such as the account database, and harder for them to do anything with the material if they should obtain access to it. But implementing these controls is not without challenge. You should test them on non-production systems before deploying to make sure no conflicts with current applications will occur. If conflicts are present, you may want to consider a strategy to work around this problem, or replace the offending application.

You may download a printer-friendly version.

 Checklist: Key control settings to harden password authentication
Reduce domain password caching on desktop
By default, the last 10 logons are cached to the desktops hard drive, making it possible for users to log on even if a domain controller cannot be reached. But the danger is that an attacker can obtain cached passwords. Set the number of cached passwords to 0 to prevent this from occurring, but realize that network or DC problems can prevent users from logging on at all. Do not do this to laptops. When users disconnect laptops from the network, they will not be able to log on until they return -- not a good thing.
Prevent domain password caching on domain controllers
What happens if an administrator is logged on, called away from the DC and then fired? If the DC is set to lock the computer when idle or another administrator immediately disables the account, the disgruntled former administrator will still be able to log on if he returns to the console and the password is cached. Set password caching to 0 on domain controllers if you deem this a risk. (If fired employees are escorted out of the building, the risk here is reduced.)
Remove LAN Manager (LM) hashes from password database
NTLM and NTLMv2 can be used by most Windows computers for domain logon to Windows 2000 and Windows Server 2003. This reduces the risk that LM posed. However, a risk exists if the password hashes required by LM are stored in the password database. An attacker who gains access to the database could easily crack the LM hash and deduce the NTLM hash.
Move to NTLM
In Windows Server 2003 or Windows 2000, you can force the use of NTLM or NTLMv2 by all users. While legacy clients such as Windows 98 require LM, if the Active Directory client is installed and a registry entry is made, Windows 98 clients can use NTLM or NTLMv2. In addition to being a weaker protocol, the hash required by LM is very easy for several free and commercial password crackers to crack. Once they have cracked the LM hash, they can easily deduce the NTLM password.
Use non-default forms of syskey on sensitive computers
Syskey adds an additional layer of protection for the password database. It is used by default, but the default form of syskey stores the password required upon reboot on the hard drive. You should change this model -- where necessary and possible -- to require either a password entry or use of a syskey disk. (The disk is created when you change the syskey mode.) You must use caution. If an unattended server reboots and no one is there to enter the password or use the disk, the server will not book and a critical resource may be unavailable when it is needed.
Physically protect sensitive computers
Physical protection should be required for all computers. If an attacker can gain physical control of a computer, he might boot the system to an alternative operating system and obtain a copy of the password database. He might also establish a back door, keystroke logger (to capture passwords) or other malicious code. Servers should be in a locked data center, room or cabinet that is accessible only to authorized personnel. Desktop machines should be protected by removing floppy drives and CD-ROM drives to prevent the alternative OS issue. Laptops should be locked to a non-movable object when unattended.

Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure.
E-mail the editor
to suggest additional checklist topics.

Roberta Bragg is author of "Hardening Windows systems" and a resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.

Click to ask Roberta a question or purchase her book here. Also, if you have specific questions or comments about any of Roberta's checklists, click to e-mail her directly. Copyright 2004

Dig Deeper on Enterprise desktop management

Start the conversation

Send me notifications when other members comment.

Please create a username to comment.