RE: Highlighting weak password dangers

Passprop.exe will let you enable lockouts for the admin account on
Windows. I ran it on my base image before pushing it up to my RIS
servers.

Kind Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On Behalf Of Simon W. Hall
Sent: Wednesday, January 24, 2007 1:15 PM
To: 'WALI'; security-basics@xxxxxxxxxxxxxxxxx
Subject: RE: Highlighting weak password dangers

1.
The Administrators account does not have a lockout policy!
You can just run passwords after passwords on it.
http://technet2.microsoft.com/WindowsServer/en/library/4639940c-74b3-46c
8-b4
97-cdb7666f1e461033.mspx?mfr=true
Rename the administrators account... (security by obscurity)
That will help a bit for outside threats.

2.
To my knowledge, there is no good way to do a password audit on a
windoze
box.
Unless you are going down the rainbow tables path, breaking hashes.
Set up a good password policy, that way you ensure passwords meet a
minimum
requirement.
Make your users change passwords after the policy is in place.

Simon

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx]
On
Behalf Of WALI
Sent: Wednesday, January 24, 2007 6:16 PM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Highlighting weak password dangers



I want to highlight the danger of using weak passwords on servers and
users
admin desktops. I have tested TSgrinder with a basic dictionary Brute
Force
to access Remote Desktop exploit on both servers and desktops. The
problem
here is that when connected to domain, the Account Lockout feature
disables
the account quite soon. I can only show the exploit on machines not
connected to the domain where Domain Security policy doesn't flow down.

What are other interesting and intriguing ways to present this problem?
I
also need a system to do Passwords Audit on my domain and make then
'secure
password' policy compliance.

Relevant Pages

  • Re: Outlook express
    ... I recently purchased a Dell and still want to use Outlook ... no matter what computer you use to access your account. ... still go through all of your accounts with passwords and change them. ... Email goes to your ISP's servers, ...
    (microsoft.public.windows.inetexplorer.ie6_outlookexpress)
  • Re: nessus scan
    ... Null sessions do NOT allow unauthenticated access to data on ... > when XP Pro users try to change their domain passwords at logon. ... > downlevel clients to access those servers. ... > auditing for account logons events and account management on domain ...
    (microsoft.public.win2000.security)
  • Re: Account lockouts
    ... for reusable passwords and the AAA infrastructures that rely upon them? ... In that context, account lockout policy -- duration, threshold, lockout ... > cracking attacks. ...
    (microsoft.public.security)
  • Re: nessus scan
    ... >> when XP Pro users try to change their domain passwords at logon. ... >> downlevel clients to access those servers. ... >> auditing for account logons events and account management on domain ...
    (microsoft.public.win2000.security)
  • Re: MS Exchange Relay Authentication
    ... I've seen this on a few servers in various environments. ... The account was still named Administrator ... It seems that account passwords are being cracked. ...
    (NT-Bugtraq)