Re: Domain Password Security

From: Steven L Umbach (n9rou_at_comcast.net)
Date: 08/15/03


Date: Thu, 14 Aug 2003 22:44:06 GMT


Cracking software either sniffs password hashes off of the network or
requires physical access to the computer storing the user database. In a domain, that
would mean a domain controller must be physically secured to some degree - at very
minimum a heavy duty locked case with no access to floppy/cdrom drives, etc. and
possibly alarm protected. To protect from password hash sniffing, the administrator
accounts need to use complex passwords and a minimum of NTLMv2 should be used for LAN
Manager authentication level by upgrading any Windows 98 machines with Directory
Services Client and configuring authentication level on Domain Controller Security
policy. You may also want to disable storing of LM password hashes on your domain
controllers if you have all W2K/XP computers. Raising your lockout threshold to ten
would reduce legitimate lockout problems and still be high enough to protect against
brute force attack. Keep in mind that the administrator account cannot be locked out
by default. The passprop utility is supposed to be able to allow the administrator
account to be locked out from network logons. It is also good practice to use domain
administrator accounts only when needed, and to log onto only "trusted/secure"
computers that would not have things like keyboard loggers installed or hidden
cameras nearby. I also recommend you enable auditing of account logon and logon
events on at least your domain controllers for success and failure, and then audit at
least logon event failures on your domain computers. You will need to substantially
increase the size of your security log - probably 10 meg or so to start. Be sure to
read the free Windows 2000 Security Hardening Guide. -- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;299656 --- How to disable
storing LM.
http://security.ziffdavis.com/article2/0,3973,1043101,00.asp --- Link to Windows
2000 SHG

"Miranda" <mir@anda.com> wrote in message
news:009001c3628c$21f9fa40$a501280a@phx.gbl...
> I've enabled a GPO to have my domain accounts locked out
> after 5 invalid logon attempts. Will this prevent someone
> on my internal LAN from running password cracking software
> to try and break my Administrator password?
>
> Thanks,
>
> Miranda
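The settings Steve lists (NTLMv2-only LAN Manager level, no LM hash storage, a lockout threshold of ten, success-and-failure logon auditing, a roughly 10 MB security log) can be verified against a security template exported from a domain controller. The checker below is an added example, not code from the thread or from Microsoft; it assumes the INI-style layout and key names of a `secedit /export` template, treats NoLMHash in its XP/2003 DWORD form, and runs over a constructed sample rather than a real export.

```python
# Checks a secedit-style security template against the post's steps: NTLMv2-only
# authentication, no LM hash storage, lockout at 10, success+failure logon
# auditing, ~10 MB security log. Sample below is constructed in the layout of
# `secedit /export /cfg file.inf`; key names are assumed from that format.
WEAK_INF = """
[System Access]
LockoutBadCount = 0
[Event Audit]
AuditLogonEvents = 2
AuditAccountLogon = 0
MaximumSecurityLogSize = 512
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LmCompatibilityLevel=4,0
"""
LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"

def parse_inf(text):
    """Return {section: {key: value}} from an INI-style template."""
    sections, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):      # blank or comment line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, val = line.partition("=")
            current[key.strip()] = val.strip()
    return sections

def lsa_dword(sections, name, default=0):
    # Registry Values entries are "type,data"; type 4 is REG_DWORD.
    raw = sections.get("Registry Values", {}).get(LSA + name, "")
    kind, _, data = raw.partition(",")
    return int(data) if kind == "4" else default

def check_template(text):
    """Return findings; an empty list means every recommendation is met."""
    s = parse_inf(text)
    access, audit = s.get("System Access", {}), s.get("Event Audit", {})
    findings = []
    lockout = int(access.get("LockoutBadCount", 0))
    if lockout == 0 or lockout > 10:
        findings.append(f"LockoutBadCount is {lockout}; the post suggests 10")
    if lsa_dword(s, "LmCompatibilityLevel") < 3:   # 3 = send NTLMv2 only
        findings.append("LmCompatibilityLevel below 3: LM/NTLMv1 still sent")
    if lsa_dword(s, "NoLMHash") != 1:              # assumed XP/2003 DWORD form
        findings.append("NoLMHash not set: LM hashes still stored")
    for name in ("AuditLogonEvents", "AuditAccountLogon"):
        if int(audit.get(name, 0)) != 3:           # 1 success, 2 failure, 3 both
            findings.append(f"{name} not auditing success and failure")
    if int(audit.get("MaximumSecurityLogSize", 0)) < 10240:  # value is in KB
        findings.append("security log smaller than ~10 MB")
    return findings
```

Running `check_template(WEAK_INF)` on the sample reports six findings; a template with all five settings at the recommended values returns an empty list.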