Re: Domain Password Security

From: Steven L Umbach
Date: 08/15/03

Date: Thu, 14 Aug 2003 22:44:06 GMT

Cracking software either sniffs password hashes off of the network or requires physical access to the computer storing the user database. In a domain, that would mean a domain controller must be physically secured to some degree - at a very minimum a heavy-duty locked case with no access to floppy/CD-ROM drives, etc., and possibly alarm protected.

To protect from password hash sniffing, the administrator accounts need to use complex passwords, and a minimum of NTLMv2 should be used for the LAN Manager authentication level by upgrading any Windows 98 machines with the Directory Services Client and configuring the authentication level in Domain Controller Security Policy. You may also want to disable storing of LM password hashes on your domain controllers if you have all W2K/XP computers.

Raising your lockout threshold to ten would reduce legitimate lockout problems and still be high enough to protect against brute force attack. Keep in mind that the administrator account cannot be locked out by default. The passprop utility is supposed to be able to allow the administrator account to be locked out from network logons. It is also good practice to use domain administrator accounts only when needed to, and to log onto only "trusted/secure" computers that would not have things like keyboard loggers installed or hidden cameras nearby.

I also recommend you enable auditing of account logon and logon events on at least your domain controllers for success and failure, and then audit at least logon event failures on your domain computers. You will need to substantially increase the size of your security log - probably 10 meg or so to start. Be sure to read the free Windows 2000 Security Hardening Guide.

-- Steve

;en-us;299656 --- How to disable storing LM
,3973,1043101,00.asp --- Link to Windows 2000 SHG

"Miranda" <> wrote in message
> I've enabled a GPO to have my domain accounts locked out
> after 5 invalid logon attempts. Will this prevent someone
> on my internal LAN from running password cracking software
> to try and break my Administrator password?
> Thanks,
> Miranda
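The reply above is a checklist; the script below is an added example (not part of the original thread, and not a tool Steve or Microsoft published) that reads the current state of each setting he lists on a domain controller and reports pass/fail against his recommended values. It assumes a current Windows Server DC with the ActiveDirectory module (RSAT) installed and an elevated PowerShell session. The registry values `LmCompatibilityLevel` and `NoLMHash` under `HKLM\SYSTEM\CurrentControlSet\Control\Lsa` are the policy storage for "LAN Manager authentication level" and "Do not store LAN Manager hash"; the auditpol subcategory names are the modern equivalents of the Windows 2000 "account logon" and "logon" categories. The thresholds (level 3 or higher, lockout threshold 1..10, 10 MB log) are taken from the post, not from any vendor baseline. It only reads settings; it changes nothing.

```powershell
#Requires -Modules ActiveDirectory
# Added example: read-only posture check for the recommendations in the reply.
# Assumptions: run elevated on a domain controller; current Windows (auditpol
# subcategories, not the Windows 2000 category-level policy named in the post).

$findings = New-Object System.Collections.Generic.List[string]

function Add-Finding([bool]$Ok, [string]$Text) {
    $tag = if ($Ok) { 'PASS' } else { 'FAIL' }
    $findings.Add("[$tag] $Text")
}

# 1. LAN Manager authentication level. 0-2 still send LM/NTLM responses;
#    3 = send NTLMv2 only, 4 = also refuse LM, 5 = refuse LM and NTLM.
#    The post's minimum is NTLMv2, i.e. level 3 or higher. Missing value = 0.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$lmLevel = if ($null -ne $lsa.LmCompatibilityLevel) { [int]$lsa.LmCompatibilityLevel } else { 0 }
Add-Finding ($lmLevel -ge 3) "LmCompatibilityLevel is $lmLevel (want 3 or higher)"

# 2. LM hash storage. NoLMHash = 1 stops new LM hashes being written; existing
#    ones remain until each account's next password change.
$noLm = if ($null -ne $lsa.NoLMHash) { [int]$lsa.NoLMHash } else { 0 }
Add-Finding ($noLm -eq 1) "NoLMHash is $noLm (want 1; applies at next password change)"

# 3. Domain lockout threshold. The post suggests ten; 0 means never lock out.
$pol = Get-ADDefaultDomainPasswordPolicy
$thr = [int]$pol.LockoutThreshold
Add-Finding (($thr -ge 1) -and ($thr -le 10)) `
    "LockoutThreshold is $thr (want 1..10); window $($pol.LockoutObservationWindow), duration $($pol.LockoutDuration)"

# 4. The built-in Administrator (RID 500) is exempt from lockout by default, as
#    the post notes, so name it explicitly instead of assuming policy covers it.
$domainSid = (Get-ADDomain).DomainSID.Value
$rid500 = Get-ADUser -Identity "$domainSid-500" -Properties LastLogonDate, LockedOut
Add-Finding $true "RID-500 account is '$($rid500.SamAccountName)', last logon $($rid500.LastLogonDate); lockout policy does not apply to it by default"

# 5. Audit policy on the DC: account logon and logon/logoff, success and failure.
#    'auditpol /r' emits CSV with an 'Inclusion Setting' column per subcategory;
#    only the subcategories relevant to the post are checked.
$wanted = 'Credential Validation', 'Kerberos Authentication Service', 'Logon', 'Logoff', 'Account Lockout'
$audit = auditpol /get /category:"Account Logon","Logon/Logoff" /r | ConvertFrom-Csv
foreach ($row in $audit | Where-Object { $wanted -contains $_.Subcategory }) {
    $setting = $row.'Inclusion Setting'
    Add-Finding ($setting -eq 'Success and Failure') "Audit '$($row.Subcategory)' = $setting (want Success and Failure)"
}

# 6. Security log size. The post says roughly 10 MB "to start"; check for at least that.
$sec = Get-WinEvent -ListLog Security
$mb = [math]::Round($sec.MaximumSizeInBytes / 1MB)
Add-Finding ($mb -ge 10) "Security log maximum size is $mb MB (want 10 MB or more)"

$findings | ForEach-Object { Write-Output $_ }
```

Run it on each domain controller rather than once per domain: the Lsa registry values, the audit policy and the log size are per-machine settings (normally pushed by the Domain Controllers GPO), while the lockout threshold comes from the default domain policy. A FAIL on item 1 or 2 on a DC means LM/NTLMv1 responses or LM hashes are still in play even if every client has been upgraded, which is exactly the sniffing case the reply warns about.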
