Re: Secure passwords?
From: Invisible (orphi69_at_hotmail.com)
Date: 06/19/03
- Next message: Nir B: "Permissions Issue"
- Previous message: Invisible: "Re: Permissions to old files"
- In reply to: Steven L Umbach: "Re: Secure passwords?"
- Next in thread: Steven L Umbach: "Re: Secure passwords?"
- Reply: Steven L Umbach: "Re: Secure passwords?"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 19 Jun 2003 03:27:43 -0700
>Looks like a good password to me.
Me too.
>The problem is to have good passwords on ALL administrator
>accounts and control them well, and never use the same
>password for a local account as a domain account.
Are you suggesting we have different local administrator
passwords for EVERY SINGLE COMPUTER in the entire domain?
That might take some doing... (Still, the domain admin
passwords will get used much more than the local admin
ones I guess...)
Do local administrator accounts actually confer much power
upon their owners? (Other than the obvious ability to
totally destroy a single computer.)
>Make sure that the administrators use their accounts only
>when they have to or use runas when necessary and if
>possible only on specific secured machines, and never
>while on the internet.
Sadly, I suspect RunAs doesn't work for Windows NT... But
anyway, yes, the idea is to use admin-level accounts
sparingly. There is only 1 administrator other than me,
and he will probably almost never use his account.
As for "never while on the internet"... well... our LAN is
hardwired to it. Go figure.
>Consider using alt characters in passwords such as £
>or ?.
OK. Hold down shift and run your finger along the top row
of your keyboard and you can get all sorts of stuff! (Oh,
mind you, some peeps reading this might be using those
strange American keyboards...)
>Physical security is of prime importance to protect
>passwords. If an attacker can get physical access to a
>domain controller, then all bets are off.
Well, I mean let's face it, if an attacker can get to the
server itself, they don't NEED any passwords to hit it
with a sledgehammer. That's why ours are in a locked room.
(Mmm... really must do something about ventilation tho!)
>Even though it is of debated use, consider renaming the
>administrator account and create a "dummy" administrator
>account that you could monitor for attacks.
Well... I wonder if it's worth it... I could do this for
Administrator and Guest... but what would I rename them
to? Presumably for it to be of any value, I would have to
rename them to plausible user names so no one will be able
to easily guess them.
But then, they have predetermined SIDs, don't they? Does
the DC even know what username you asked for, or is it
just the SID? If so, all you need is the SID to log in...
>There are tools such as LC4 that can find out user
>passwords, given enough time.
You can factorize an 8192-bit composite number into its
prime factors, given enough time... I believe it was 27
billion times the estimated age of our universe? (Or
something equally stupid.)
Account lockout procedures are supposed to block password
guessing. How effective is this? Is it possible to break
NT's authentication by sniffing the network and cracking
the password offline? (In a practical amount of time.)
Thanks.
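An added example, not part of this thread, illustrating the SID point raised above from the auditing side: the built-in Administrator and Guest accounts keep relative identifiers (RIDs) 500 and 501 no matter what they are renamed to, so an audit can tell a renamed built-in account from a "dummy" decoy by the RID rather than by the name. The domain SID prefix and the account names below are constructed sample values, and `audit_accounts` is a hypothetical helper written for this example.

```python
import re

# Well-known RIDs of the built-in accounts. The RID is the last sub-authority of
# the SID and is fixed at install time; renaming the account does not change it.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}

# Domain or local machine account SID: S-1-5-21-<three sub-authorities>-<RID>
SID_RE = re.compile(r"^S-1-5-21(?:-\d+){3}-(\d+)$")


def rid_of(sid: str) -> int:
    """Return the RID (final sub-authority) of a domain/local account SID."""
    m = SID_RE.match(sid)
    if not m:
        raise ValueError(f"not a domain/local account SID: {sid}")
    return int(m.group(1))


def audit_accounts(accounts):
    """Classify accounts by RID, not name.

    `accounts` is an iterable of (name, sid) pairs. Returns (name, note) for
    every renamed built-in account and every decoy that borrows a built-in
    name but carries an ordinary RID; unremarkable accounts are skipped.
    """
    findings = []
    for name, sid in accounts:
        rid = rid_of(sid)
        builtin_name = WELL_KNOWN_RIDS.get(rid)
        if builtin_name and name.lower() != builtin_name.lower():
            findings.append((name, f"renamed built-in {builtin_name} (RID {rid})"))
        elif builtin_name is None and name.lower() in ("administrator", "guest"):
            findings.append((name, f"decoy '{name}' (RID {rid} is not a built-in RID)"))
    return findings


# Constructed sample data: one fake domain SID prefix, four accounts.
SAMPLE_ACCOUNTS = [
    ("jsmith", "S-1-5-21-1111111111-2222222222-3333333333-500"),         # renamed built-in admin
    ("Administrator", "S-1-5-21-1111111111-2222222222-3333333333-1104"), # decoy with an ordinary RID
    ("Guest", "S-1-5-21-1111111111-2222222222-3333333333-501"),          # built-in, not renamed
    ("mjones", "S-1-5-21-1111111111-2222222222-3333333333-1105"),        # ordinary user
]

if __name__ == "__main__":
    for account, note in audit_accounts(SAMPLE_ACCOUNTS):
        print(f"{account}: {note}")
```

Fed a real account list (name plus SID) from a domain export, the same check shows which accounts a monitoring rule should watch by RID rather than by display name.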