Re: windows 2003 server



Nicolas RUFF wrote:
I have a win2003 server that I have been asked to test its password
policy. I am new to this and was wondering what would be the best
approach to gain access? It is in my local network and will be
segregated from the rest of the network for testing. I would be using a
remote machine to log in and not locally. What would be your suggestions?

Password policy can be found in Administrative Tools/[Local | Domain]
Security Policy.

What do you mean by "testing password policy"?

Why do you need to gain access? You'd better ask for an administrative
account and dump the SAM file into a password cracker (like LCP).

Given the default security policy of W2003 (anonymous account
enumeration blocked, password length over 7 and mixed characters
required), your chances to break in remotely without any additional
information are near zero.

Regards,
- Nicolas RUFF

First, we are trying to lock down our servers. I came into this after
they had these servers up for a few years, so you can see my work
is cut out for me. I just wanted the best ways to test to make sure
most users cannot get where they are not supposed to be. Current
password policy is 8 characters, upper lower number.

thanks
Chris Parker
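
Added example, not part of either poster's message: one way to verify the settings this thread discusses (8-character minimum, complexity required, anonymous account enumeration blocked) from a policy dump taken with an administrative account via `secedit /export /cfg policy.inf`. The sample export is constructed, and the function names and the `min_length` parameter are assumptions made for illustration.

```python
import configparser

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"

# Constructed sample of a secedit export (real files are UTF-16; read them
# with open(path, encoding="utf-16") before passing the text in).
SAMPLE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 7
PasswordComplexity = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
"""

def parse_policy(text):
    """Parse the INF text; keep key case and disable % interpolation."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def dword(cp, key):
    """Registry values are stored as 'type,value'; type 4 is REG_DWORD."""
    raw = cp.get("Registry Values", key, fallback=None)
    if raw is None:
        return None
    kind, _, value = raw.partition(",")
    return int(value) if kind.strip() == "4" else None

def audit(text, min_length=8):
    """Return one finding per setting weaker than the policy in the thread."""
    cp = parse_policy(text)
    access = cp["System Access"] if cp.has_section("System Access") else {}
    findings = []
    length = int(access.get("MinimumPasswordLength", 0))
    if length < min_length:
        findings.append(f"MinimumPasswordLength is {length}, expected >= {min_length}")
    if int(access.get("PasswordComplexity", 0)) != 1:
        findings.append("PasswordComplexity is not enabled")
    if dword(cp, LSA + "RestrictAnonymousSAM") != 1:
        findings.append("RestrictAnonymousSAM is not 1: anonymous SAM enumeration allowed")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_INF):
        print("FINDING:", finding)
```

A missing key is reported as a finding rather than assumed safe, so an incomplete export cannot pass the check silently.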

