Re: Expire or not expire?



Howdie!

Anteaus wrote:
> I have never understood Microsoft's policy of forcing password changes, and on 2003 server of demanding passwords of insane complexity.

Insane? Could you please elaborate what - with this complexity - is insane?

> .....yet, of having a default which gives no protection against brute-force attack. The first line of protection should be against brute-force attack, and this requires that a bad-logon count and banning interval are set. If an

It's not only attacks that come online where a guy sits in front of a computer or queries AD for logon attempts - it's offline attacks as well where you can re-calculate a user's passwords offline (without domain machine and DC interaction) if the password is too short - given the possibility you can sniff the network a little.

> intruder can only enter (say) five passwords every fifteen minutes, then a brute-force attack on even a weak password will take a very long time. Even

....if and only if the intruder tries that online.

> better is if the Admin is notified that repeated lockouts are happening, in which case the brute-force attack is unlikely to get very far at all.

A reporting mechanism would need a third party application, since WS 2003 doesn't support that by default.

> What's worse about the default is that it gives no indication of the presence of the 'ticking password-bomb' on the computer until a few days before expiry. This can cause major problems for overseas workers, since the password cannot be changed away from the domain.

14 days is a good time frame for people. Most enterprises use Exchange or provide a VPN dial in mechanism which enables people to see when their passwords expire. For those who have not, there's an option to change the default reminder days count - but I agree with you, off-the-road users are always a problem (not to stick with this issue, only).


--
Microsoft MVP - Windows Server - Group Policy.
eMail: prename [at] frickelsoft [dot] net.
blog: http://www.frickelsoft.net/blog.
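The two points argued above (a lockout threshold only caps online guessing, offline cracking ignores it entirely, and an admin wants to be told when repeated lockouts happen) can be made concrete with a small model. The following is an added example, not code from either poster: the policy dictionaries use the property names Active Directory exposes for the default domain policy but their values are constructed for illustration, the lockout events are constructed rather than exported from a real security log, and the 1e9 guesses/second offline rate is an assumed figure.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policies for illustration (property names as exposed by AD's
# default domain policy; the values here are invented for the example).
WEAK_POLICY = {"LockoutThreshold": 0, "LockoutObservationWindow": 0,
               "LockoutDuration": 0, "MinPasswordLength": 6,
               "MaxPasswordAge": 42}
HARDENED_POLICY = {"LockoutThreshold": 5, "LockoutObservationWindow": 15,
                   "LockoutDuration": 15, "MinPasswordLength": 12,
                   "MaxPasswordAge": 365}


def online_minutes_to_exhaust(keyspace, threshold, window_minutes):
    """Worst-case minutes for an online guesser held to `threshold` attempts
    per `window_minutes` against one account ("five every fifteen minutes").
    Returns None when lockout is disabled (threshold 0): the rate is then
    bounded only by network and DC throughput, not by policy."""
    if threshold <= 0:
        return None
    return keyspace * window_minutes / threshold


def offline_seconds_to_exhaust(keyspace, guesses_per_second):
    """Offline cracking of captured credential material never touches the
    DC, so lockout settings play no part; only keyspace and speed matter."""
    return keyspace / guesses_per_second


def evaluate_policy(policy):
    """Flag the settings the thread argues about: no lockout at all, a
    counter that resets too quickly, and passwords short enough that an
    offline attack is cheap regardless of lockout."""
    findings = []
    if policy["LockoutThreshold"] <= 0:
        findings.append("lockout disabled: no cap on online guessing")
    elif policy["LockoutObservationWindow"] < 15:
        findings.append("short observation window: counter resets too fast")
    if policy["MinPasswordLength"] < 8:
        findings.append("short minimum length: offline cracking is cheap")
    return findings


def detect_repeated_lockouts(events, per_account=3, window=timedelta(hours=1)):
    """events: iterable of (timestamp, account, caller_computer) tuples, one
    per lockout event read from the DC security log. Returns {account: n}
    for accounts locked out `per_account` or more times within `window`,
    i.e. the 'repeated lockouts' an admin should be notified about. A single
    lockout (a user mistyping) is deliberately not reported."""
    by_account = defaultdict(list)
    for ts, account, _caller in sorted(events):
        by_account[account].append(ts)
    flagged = {}
    for account, stamps in by_account.items():
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted stamps
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= per_account:
                flagged[account] = max(flagged.get(account, 0), count)
    return flagged


# Constructed lockout events: one account locked out four times in 50 minutes
# from the same workstation, one unrelated single lockout later in the day.
T0 = datetime(2007, 3, 1, 8, 0)
SAMPLE_LOCKOUTS = [
    (T0, "jsmith", "WS-042"),
    (T0 + timedelta(minutes=16), "jsmith", "WS-042"),
    (T0 + timedelta(minutes=33), "jsmith", "WS-042"),
    (T0 + timedelta(minutes=50), "jsmith", "WS-042"),
    (T0 + timedelta(hours=3), "mmueller", "WS-017"),
]

if __name__ == "__main__":
    keyspace = 26 ** 8                       # eight lowercase letters
    minutes = online_minutes_to_exhaust(keyspace, 5, 15)
    print("online, 5 per 15 min: %.0f years" % (minutes / (60 * 24 * 365)))
    print("online, lockout disabled:", online_minutes_to_exhaust(keyspace, 0, 15))
    print("offline at 1e9/s: %.0f seconds" % offline_seconds_to_exhaust(keyspace, 1e9))
    print("weak policy findings:", evaluate_policy(WEAK_POLICY))
    print("hardened policy findings:", evaluate_policy(HARDENED_POLICY))
    print("repeated lockouts:", detect_repeated_lockouts(SAMPLE_LOCKOUTS))
```

Running it shows the asymmetry both posters are circling: with a 5-per-15-minutes cap, eight lowercase letters take on the order of a million years to exhaust online, while the same keyspace falls in a few minutes offline at an assumed 1e9 guesses per second, which is why the lockout threshold and the minimum length address different attacks and both need setting.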


