Establishing and Enforcing Password Policies
To ensure that you and other users on your network don't leave the password door wide open, you should establish (and follow!) some effective logon password policies and guidelines. As we explain here, you can use security settings in Windows to enforce some of these policies; for others, user education is the key.

For best security, we recommend the following:

A password should be required for all user accounts. At the very least, enforce this rule for members of the Administrators group.
Passwords must be at least eight characters long. Shorter passwords are more easily cracked.
INSIDEOUT
--------------------------------------------------------------------------------

Use at least 15 characters for best security

In Windows XP and Windows 2000, passwords can be up to 127 characters long. (In Microsoft Windows NT, the limit was 14 characters.) Longer passwords become exponentially more difficult to crack, but they have another seldom-documented benefit. The LAN Manager (LM) password hash, a relatively insecure method of storing passwords used in early network operating systems, is not stored correctly in Windows XP/2000 if the password is at least 15 characters long: instead of a hash of the real password, Windows stores the constant LM hash that corresponds to an empty password. The same LM hash value is therefore stored for every password longer than 14 characters. This little-known fact was discovered by Urity of Security Friday (http://www.securityfriday.com).

As a result, any password cracker that relies on LM hash extraction (as do many of those we discuss later in this chapter) will not work. Similarly, if an attacker coaxes your computer to log on using weak LM authentication, your password will not be exposed. (Windows 2000 falls back to LM authentication if Kerberos V5 or NTLM are unavailable; for details, see Controlling the Logon and Authentication Process.) Note that the NTLM hash of the same password is still stored and can still be attacked; the 15-character rule removes the weakest link, not the need for a strong password.

Unfortunately, you can't use password policies (discussed next) to enforce a 15-character minimum length. You can't specify a minimum length greater than 14 characters.

Passwords must be complex. They should contain characters of at least three of these four types: uppercase letters, lowercase letters, numerals, and symbols. This defeats simple dictionary attacks, forcing password crackers to fall back on brute-force or hybrid techniques.
TIP
--------------------------------------------------------------------------------

Use spaces

You can use any character in a Windows logon password, including spaces. With one or more spaces in a password, it's easier to come up with a long yet memorable password; you might even incorporate several words separated by spaces and other symbols. Don't use a space as the first or last character of your password, however; some applications trim spaces from these positions.

Passwords should not contain any form of your name or user name. Because so many users have passwords based on this weak scheme, password-cracking programs are trained to try these variants very early in the process.
Passwords should be changed at least every 90 days. The attacker's best friend is time. When dictionary attacks don't work, a determined thief can use brute-force techniques to try every combination of letters, numbers, and characters in the hope of finding one that works. This task can take months, but it will eventually pay off if you never change your password.
Passwords should not be written down and stored in plain view. Not all attacks come from scurrilous characters connected to your computer only by the Internet. If your password is written on a sticky note and stuck to your monitor, anyone who walks by your computer can copy it.
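The following function is an added example, not code from the book. It checks a candidate password against the guidelines above: the 15-character recommendation, no leading or trailing space, three of the four character classes, and no occurrence of the user name or of any part of the full name (using the same delimiters and three-character minimum that the Windows complexity check applies). The function name, parameter names, and the sample user 'jsmith' / 'Jane Smith' are assumptions chosen for this example; it is written to run on PowerShell 2.0 or later.

```powershell
# Added example (not from the book): check a password against the guidelines above.
function Test-PasswordGuidelines {
    param(
        [Parameter(Mandatory=$true)][AllowEmptyString()][string]$Password,
        [string]$UserName = '',
        [string]$FullName = '',
        [int]$MinimumLength = 15   # the book's advice; the policy setting itself tops out at 14
    )
    $problems = @()

    if ($Password.Length -lt $MinimumLength) {
        $problems += "shorter than $MinimumLength characters"
    }
    # Spaces are legal anywhere in a Windows password, but some applications
    # trim leading and trailing spaces, so those positions are best avoided.
    if ($Password -ne $Password.Trim()) {
        $problems += 'starts or ends with a space'
    }

    # Count the character classes present: upper, lower, digit, symbol.
    $classes = 0
    if ($Password -cmatch '[A-Z]')       { $classes++ }
    if ($Password -cmatch '[a-z]')       { $classes++ }
    if ($Password -match  '[0-9]')       { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) {
        $problems += "uses only $classes of the 4 character classes"
    }

    # Windows rejects a password containing the account name (if it is 3+ chars),
    # or any 3+ character token of the full name; tokens are split on the
    # delimiters Windows uses: space, comma, period, dash, underscore, pound, tab.
    if ($UserName.Length -ge 3 -and
        $Password.IndexOf($UserName, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
        $problems += 'contains the user name'
    }
    $tokens = $FullName -split '[ ,.\-_#\t]+' | Where-Object { $_.Length -ge 3 }
    foreach ($t in $tokens) {
        if ($Password.IndexOf($t, [StringComparison]::OrdinalIgnoreCase) -ge 0) {
            $problems += "contains part of the full name ('$t')"
        }
    }

    New-Object PSObject -Property @{
        Acceptable = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Constructed sample inputs for user jsmith (full name "Jane Smith"):
Test-PasswordGuidelines -Password 'Password1' -UserName 'jsmith' -FullName 'Jane Smith'
#   Acceptable False: shorter than 15 characters
Test-PasswordGuidelines -Password 'smith rules the 3rd floor!' -UserName 'jsmith' -FullName 'Jane Smith'
#   Acceptable False: contains part of the full name ('Smith')
Test-PasswordGuidelines -Password 'My dog ate 4 socks & a Hat' -UserName 'jsmith' -FullName 'Jane Smith'
#   Acceptable True
```

The user-name and full-name tests are case-insensitive, as they are in Windows; the class counts use -cmatch so that uppercase and lowercase letters are counted separately.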
Even if you convince everyone who uses your computer to use passwords, you can be sure that they won't always follow the secure practices of creating strong passwords and changing them often. To be sure that these guidelines are followed (except for the last one, which relies on user education and monitors that repel sticky notes), you can set security policies using the Local Security Settings console.

To start Local Security Settings, type secpol.msc at a command prompt. To see the policies that set password behavior for all accounts, open Security Settings\Account Policies\Password Policy. Double-click a policy to set its value, as shown in Figure 3-10. Table 3-3 explains each policy.


Figure 3-10. Local Security Settings lets you impose password policies on all local user accounts.
Table 3-3. Password Policies
Policy Description
Enforce password history
Specifying a number greater than 0 (the maximum is 24) causes Windows to remember that number of previous passwords and forces users to pick a password different from any of the remembered ones.

Maximum password age
Specifying a number greater than 0 (the maximum is 999) dictates how many days a password remains valid before it expires. (To override this setting for certain user accounts, open the account's properties dialog box in Local Users And Groups and select the Password Never Expires check box.) Selecting 0 means passwords never expire.

Minimum password age
Specifying a number greater than 0 (the maximum is 999) lets you set the number of days a password must be used before a user is allowed to change it. Selecting 0 means that users can change passwords as often as they like.

Minimum password length
Specifying a number greater than 0 (the maximum is 14) forces passwords to be at least that many characters long. Specifying 0 permits users to have no password at all. Note: Changes to the minimum password length setting do not apply to current passwords; they take effect the next time each password is changed.

Password must meet complexity requirements
Enabling this policy requires that new passwords be at least six characters long; that the passwords contain a mix of uppercase letters, lowercase letters, numbers, and symbols (at least one character from three of these four classes); and that the passwords not contain the user name or any part of the full name. Note: Enabling password complexity does not affect current passwords.

Store password using reversible encryption for all users in the domain
Enabling this policy stores passwords in a form that can be decrypted back to clear text, instead of the one-way hashes Windows normally keeps, which are far more secure. You almost certainly do not want to enable this policy, which is provided only for compatibility with a few older applications.


TIP
--------------------------------------------------------------------------------

If you use password history, you should also set a minimum password age. Otherwise, users can defeat the password history feature by quickly changing the password a number of times and then returning to the current password.
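The script below is an added example, not code from the book. It audits the settings in Table 3-3 (and the minimum-age rule in the tip above) by exporting the effective local policy with secedit, reading the numeric keys in the template's [System Access] section, and listing every setting weaker than the guidelines in this section. It also reports whether the NoLMHash registry value is set, which on Windows XP stops LM hashes being stored regardless of password length (the 15-character trick above achieves the same effect per password). Run it from an elevated prompt; it assumes PowerShell 2.0 or later, and the scratch .inf path and function names are choices made for this example.

```powershell
# Added example (not from the book): audit local password policy against Table 3-3.

function Get-LocalPasswordPolicy {
    param([string]$TemplatePath = (Join-Path $env:TEMP 'pwpolicy.inf'))  # scratch path (assumption)
    # secedit writes a Unicode .inf; Get-Content detects the byte-order mark.
    secedit /export /cfg $TemplatePath /areas SECURITYPOLICY /quiet | Out-Null
    $values = @{}
    $inSystemAccess = $false
    foreach ($line in Get-Content $TemplatePath) {
        if ($line -match '^\[(.+)\]') { $inSystemAccess = ($Matches[1] -eq 'System Access'); continue }
        # Keep only numeric keys; string keys such as NewAdministratorName are skipped.
        if ($inSystemAccess -and $line -match '^(\w+)\s*=\s*(-?\d+)\s*$') {
            $values[$Matches[1]] = [int]$Matches[2]
        }
    }
    Remove-Item $TemplatePath -ErrorAction SilentlyContinue
    $values
}

function Test-PasswordPolicy {
    param([hashtable]$Policy)
    $findings = @()
    # .inf key                 -> Table 3-3 policy
    if ($Policy.PasswordHistorySize -lt 24) {
        $findings += 'Enforce password history: fewer than 24 passwords remembered'
    }
    # In the template, -1 means "never expires" (0 in the console).
    if ($Policy.MaximumPasswordAge -le 0 -or $Policy.MaximumPasswordAge -gt 90) {
        $findings += 'Maximum password age: never expires, or longer than 90 days'
    }
    if ($Policy.MinimumPasswordAge -lt 1) {
        $findings += 'Minimum password age: 0 lets users cycle straight back to an old password'
    }
    if ($Policy.MinimumPasswordLength -lt 14) {
        $findings += 'Minimum password length: below 14 (the highest value the policy allows)'
    }
    if ($Policy.PasswordComplexity -ne 1) {
        $findings += 'Password must meet complexity requirements: disabled'
    }
    if ($Policy.ClearTextPassword -eq 1) {
        $findings += 'Store password using reversible encryption: ENABLED'
    }
    $findings
}

$findings = Test-PasswordPolicy (Get-LocalPasswordPolicy)

# Related to the 15-character tip: on Windows XP, NoLMHash = 1 under the Lsa key
# stops LM hashes being stored for new passwords of any length.
$lsa = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
if ($lsa.NoLMHash -ne 1) {
    $findings += 'NoLMHash not set: LM hashes are stored for passwords of 14 characters or fewer'
}

if ($findings) { $findings } else { 'Local password policy meets the guidelines in this section.' }

# Remediation. The four numeric settings have net accounts switches on Windows 2000/XP:
#   net accounts /uniquepw:24 /maxpwage:90 /minpwage:1 /minpwlen:14
# Complexity and reversible storage have no switch: export the policy as above, set
#   PasswordComplexity = 1
#   ClearTextPassword = 0
# under [System Access], and re-apply the edited template with
#   secedit /configure /db %TEMP%\pw.sdb /cfg %TEMP%\pwpolicy.inf /areas SECURITYPOLICY
```

On a domain member the settings that matter are those in the domain's policy, not the local ones; secedit exports the effective merged result, so the audit still reports what is actually enforced, but the net accounts remediation only changes the local values.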
