Security Basics mailing list archives
RE: ADS Password Storage Protection
From: eric.baechle () dhs gov
Date: 17 Jul 2006 05:49:15 -0000
Rolando, The first couple of Mr. Grimes' suggestions are spot-on, but password cracking is often not the problem. To understand the threat-vectors for your ADS passwords you have to understand how they're stored and shared, which I believe was your original question. In Active Directory the passwords are actually stored encrypted in active directory files. As mentioned by Mr. Grimes, this is the NTDS.DIT file on your Windows ADS Domain Controllers. The passwords are hashed (a one-way mathematical encryption-style function) using a combination of the username and password for the user. Again as Mr. Grimes pointed out, by default Windows stores these using a now-outdated storage format called Lan Mananger. My methodology differs a bit from Mr. Grimes here. In my opinion, the quickest increase to your security is two-fold: 1) Force the use of NTLMv2 (New Technology Lan Manager version 2) as Mr. Grimes suggested. 2) Force complexity requirements of 8 characters with at least 1 number, one capital letter, and one special character (You will only give users heartburn by making it more than 8 characters and not effectively increase your security). Once you do this, reset everyone's password so they must change it at their next login (otherwise the LM hash stays). You don't really need to worry about cracking of passwords, you just want to make them hard to guess. In order to crack a password, an attacker needs to export your passwords from NTDS.DIT. Access to do this requires administrator-level authority on your Windows domain controllers. If your attacker has admin rights on your domain controllers you're already compromised. Second, when a system authenticates it does not send the user's name and password over the wire. It computes the hash and then sends the hash over the wire. The server then compares the hash sent from the client to the one stored in ADS. If it matches the system _assumes_ the correct username and password was entered at the client. SMB (windows authentication) clients that inject hash credentials already exist in the wild. If someone has your password hashes, they don't need to crack a thing (Google for "pass the hash"). Some additional suggestions on securing your password databases: 1) Turn security logging on! Monitor mass authentication failures! 2) Set the lockout threashold to something higher than 3, like 25... A human typically remembers 8 things at one time, and will get frustrated and contact a helpdesk between 8 and 15 tries. If a lockout ever occurs from 25 attempts, you KNOW an automated brute-force is attacking your system and not just some poor guy that can't remember which of the 4 or 5 passwords he knows is for that system. 3) Obtain an intrusion detection system and monitor access to NTDS.DIT! If you need to, run a password dump against your system to obtain a definition for the attack (but be sure to delete the hash files that result when you're done). 4) Force your passwords to change often (90 days?) in case you miss someone exfiltrating your password database or someone uses the same password that they do for their web accounts. I welcome a discussion on this topic. I think that authentication security is one of the most misunderstood topics in computer security today. Sincerely, Eric Baechle, CISSP/ISSEP, etc... Senior INFOSEC/OPSEC Engineer Department of Homeland Security --------------------------------------------------------------------------- This list is sponsored by: SensePost Hacking, like any art, will take years of dedicated study and practice to master. We can't teach you to hack. But we can teach you what we've learned so far. Our courses are honest, real, technical and practical. SensePost willl be at Black Hat Vegas in July. To see what we're about, visit us at: http://www.sensepost.com/training.html ---------------------------------------------------------------------------
Current thread:
- RE: ADS Password Storage Protection, (continued)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 24)
- RE: ADS Password Storage Protection Pranav Lal (Jul 24)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 24)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 17)
- RE: ADS Password Storage Protection Baechle, Eric (Jul 17)
- Re: ADS Password Storage Protection Gregory Rubin (Jul 18)
- RE: ADS Password Storage Protection-$100 reward to crack my password hashes Roger A. Grimes (Jul 18)
- RE: ADS Password Storage Protection-$100 reward to crack my password hashes Donald N Kenepp (Jul 19)
- RE: ADS Password Storage Protection-4 Books for 4 Characters dave kleiman (Jul 19)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)