RE: ADS Password Storage Protection
- From: "Roger A. Grimes" <roger@xxxxxxxxxxxxxx>
- Date: Fri, 14 Jul 2006 13:36:47 -0400
Passwords are stored in local SAM or Active Directory database (NTDS.DIT
file). To prevent Windows password hacking, follow these steps:
1. Disable the storage of the Lan Manager password hashes (can be done
by a regedit or group policy)
2. Use long passwords. Forget complexity, go long. To make them
uncrackable, go 15 characters or more. Most users should be 12+
characters, but admin accts, 15 characters+.
3. Disable booting on anything besides the primary boot partition and
password-protect the boot up order.
4. Disable LM and NTLMv1 authentication (regedit or GPO).
Doing #1 and #2 will give you significant protection. After that social
engineering attacks and keylogging trojans are your biggest fears. But
you'll be 99% more protected than you were before.
If you're running nix boxes, convert your password hashes to
bcrypt-type, otherwise follow the same rules, #1-#3.
Roger
*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes@xxxxxxxxxxxxx or roger@xxxxxxxxxxxxxx
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************
-----Original Message-----
From: rolando_ruiz@xxxxxxxxxxxxxxx [mailto:rolando_ruiz@xxxxxxxxxxxxxxx]
Sent: Friday, July 14, 2006 9:47 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: ADS Password Storage Protection
I'm looking for best practice ways of protecting access to password
storage in Active Directory. I have some immediate questions:
Where exactly are passwords kept?
Are these passwords kept in plain text?
How can I protect these passwords from being hacked? (Encryption,
restrictions, etc...)
Thank you in advanced
________________________________
Jet Aviation Holdings, Inc.
Rolando Ruiz
------------------------------------------------------------------------
---
This list is sponsored by: SensePost
Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost willl be at Black Hat Vegas in July. To see what we're about,
visit us at:
http://www.sensepost.com/training.html
------------------------------------------------------------------------
---
---------------------------------------------------------------------------
This list is sponsored by: SensePost
Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:
http://www.sensepost.com/training.html
---------------------------------------------------------------------------
- Follow-Ups:
- RE: ADS Password Storage Protection
- From: rolando_ruiz
- RE: ADS Password Storage Protection
- References:
- ADS Password Storage Protection
- From: rolando_ruiz
- ADS Password Storage Protection
- Prev by Date: Re: Legendary Hacker Kevin Mitnick on malware and social engineering
- Next by Date: RE: Backup Errors
- Previous by thread: ADS Password Storage Protection
- Next by thread: RE: ADS Password Storage Protection
- Index(es):
Relevant Pages
|
|
