Security Basics mailing list archives
RE: ADS Password Storage Protection
From: "Roger A. Grimes" <roger () banneretcs com>
Date: Fri, 28 Jul 2006 12:11:40 -0400
Should be set at domain-level for Active Directory accounts and in Local Computer Policy for local accounts. -----Original Message----- From: rolando_ruiz () jetaviation com [mailto:rolando_ruiz () jetaviation com] Sent: Thursday, July 27, 2006 12:16 PM To: Roger A. Grimes; security-basics () securityfocus com Subject: RE: ADS Password Storage Protection One question I have regarding the steps below; should these setting be applied on the client, domain controller, or both? If applied on DC, how does it know that the user login in is who it says it is if not by password? Does it store it elsewhere or just differently? -----Original Message----- From: Roger A. Grimes [mailto:roger () banneretcs com] Sent: Friday, July 14, 2006 1:37 PM To: Ruiz, Rolando; security-basics () securityfocus com Subject: ADS Password Storage Protection Passwords are stored in local SAM or Active Directory database (NTDS.DIT file). To prevent Windows password hacking, follow these steps: 1. Disable the storage of the Lan Manager password hashes (can be done by a regedit or group policy) 2. Use long passwords. Forget complexity, go long. To make them uncrackable, go 15 characters or more. Most users should be 12+ characters, but admin accts, 15 characters+. 3. Disable booting on anything besides the primary boot partition and password-protect the boot up order. 4. Disable LM and NTLMv1 authentication (regedit or GPO). Doing #1 and #2 will give you significant protection. After that social engineering attacks and keylogging trojans are your biggest fears. But you'll be 99% more protected than you were before. If you're running nix boxes, convert your password hashes to bcrypt-type, otherwise follow the same rules, #1-#3. Roger ***************************************************************** *Roger A. Grimes, InfoWorld, Security Columnist *CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada... *email: roger_grimes () infoworld com or roger () banneretcs com *Author of Professional Windows Desktop and Server Hardening (Wrox) *http://www.amazon.com/gp/product/0764599909 ***************************************************************** -----Original Message----- From: rolando_ruiz () jetaviation com [mailto:rolando_ruiz () jetaviation com] Sent: Friday, July 14, 2006 9:47 AM To: security-basics () securityfocus com Subject: ADS Password Storage Protection I'm looking for best practice ways of protecting access to password storage in Active Directory. I have some immediate questions: Where exactly are passwords kept? Are these passwords kept in plain text? How can I protect these passwords from being hacked? (Encryption, restrictions, etc...) Thank you in advanced ________________________________ Jet Aviation Holdings, Inc. Rolando Ruiz ------------------------------------------------------------------------ --- This list is sponsored by: SensePost Hacking, like any art, will take years of dedicated study and practice to master. We can't teach you to hack. But we can teach you what we've learned so far. Our courses are honest, real, technical and practical. SensePost willl be at Black Hat Vegas in July. To see what we're about, visit us at: http://www.sensepost.com/training.html ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- This list is sponsored by: Norwich University EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINE The NSA has designated Norwich University a center of Academic Excellence in Information Security. Our program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Using interactive e-Learning technology, you can earn this esteemed degree, without disrupting your career or home life. http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- ADS Password Storage Protection rolando_ruiz (Jul 14)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 14)
- RE: ADS Password Storage Protection rolando_ruiz (Jul 27)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 31)
- RE: ADS Password Storage Protection rolando_ruiz (Jul 27)
- Re: ADS Password Storage Protection Neil (Jul 17)
- Re: ADS Password Storage Protection Eoin Miller (Jul 17)
- <Possible follow-ups>
- Re: RE: ADS Password Storage Protection winshel (Jul 17)
- Re: ADS Password Storage Protection ab (Jul 17)
- RE: ADS Password Storage Protection Depp, Dennis M. (Jul 18)
- Message not available
- RE: ADS Password Storage Protection Harold Winshel (Jul 18)
- RE: ADS Password Storage Protection Depp, Dennis M. (Jul 18)
- Re: ADS Password Storage Protection Stephen John Smoogen (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 14)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)