Security Basics mailing list archives
RE: Where are Local Passwords stored on Win2K
From: "dave kleiman" <dave () netmedic net>
Date: Tue, 21 Oct 2003 02:12:38 -0400
Steven, Nobody can tell you what could or could not be obtained if your web server was compromised without a lot more information. But you could decrease the likelihood of someone cracking the password file by. 1. Making sure that they and the DC are not storing the LM hash of the password: MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash\bar=4,0 For 2000 machine\system\currentcontrolset\control\lsa\nolmhash=4,1 For XP and 2003 Sorry none for NT :( After you make this change and reboot the system, You must re-apply all the passwords, until you do the LM hash still exists. 2. Force the "uncrackable" characters in all non-standard users passwords. (Admin, Backup Operators, etc..) See http://www.securityfocus.com/archive/88/312263 for details. 3. Set your authentication level up to: machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5 Forcing the systems to only use NTLMv2 and refusing all others. 4. Enable forced logoff, protection mode, restrict anonymous and remove cached logon. MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForc edLogOff=4,1 MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1 MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2 machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,0 5. Restrict Null Session Access over named pipes: MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\NullSessio nPipes=7,"" MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\NullSessio nShares=7,"" Unless there are some you need?? 6. Force SMB signing: MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecu ritySignature=4,1 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSec uritySignature=4,1 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\Enabl eSecuritySignature=4,1 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\Requi reSecuritySignature=4,0 You mat want to read a little on this if you have pre 2000 systems. 7. Enable Idle force logoff and protection mode MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1 MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForc edLogOff=4,1 machine\system\currentcontrolset\services\lanmanserver\parameters\autodiscon nect=4,15 MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\Enabl ePlainTextPassword=4,0 7. Require secure channel integrity checking: MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChan nel=4,1 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChan nel=4,1 MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrS eal=4,1 Or if you feel like it Force Kerberos authentication. Hope this helps, _____________________ Dave Kleiman secure () netmedic net www.SecurityBreachResponse.com "High achievement always takes place in the framework of high expectation." Jack Kinder -----Original Message----- From: Wilcox, Stephen [mailto:StephenWilcox () universalcomputersys com] Sent: Monday, October 20, 2003 16:40 To: security-basics () securityfocus com Subject: Where are Local Passwords stored on Win2K Hello, I'm looking for some information. Walking through security = compromises within our network. Let me explain, I have two web server = in a cluster on the DMZ. they talk to a SQL cluster on the internal = network. These two SQL server are not a member of the AD. =20 My boss want to know the good, bad, and ugly for making them members of = the AD. If someone compromised a WEB server, would they be able to find the = local cached passwords that are stored on the box and decrypt them? = Then login to the web server with the AD account, and use a tool like = LDP to gather AD DC information, and all pc's and usernames. Where would I locate the cached stored password to see if the risk is = too great to allow. I know PWDUMP3 will get the SAM but I'm looking for the location of the = stored cached password. I also know if the local admin password is compromised then a key logger = can be installed to gather the information anyway, but need the other = information for my report. --------------------------------------------------------------------------- FREE Whitepaper: Better Management for Network Security Looking for a better way to manage your IP security? Learn how Solsoft can help you: - Ensure robust IP security through policy-based management - Make firewall, VPN, and NAT rules interoperable across heterogeneous networks - Quickly respond to network events from a central console Download our FREE whitepaper at: http://www.securityfocus.com/sponsor/Solsoft_security-basics_031015 ----------------------------------------------------------------------------
Current thread:
- Where are Local Passwords stored on Win2K Wilcox, Stephen (Oct 20)
- RE: Where are Local Passwords stored on Win2K dave kleiman (Oct 21)
- <Possible follow-ups>
- RE: Where are Local Passwords stored on Win2K Meidinger Chris (Oct 23)
- RE: Where are Local Passwords stored on Win2K Wilcox, Stephen (Oct 23)