Re: Domain Password Security
From: Miranda (mir_at_nda.com)
Date: 08/15/03
Date: Fri, 15 Aug 2003 06:43:00 -0700
>-----Original Message-----
>Cracking software either sniffs password hashes off of the network or
>requires physical access to the computer storing the user database. In a
>domain, that would mean a domain controller must be physically secured to
>some degree - at very minimum a heavy duty locked case with no access to
>floppy/cdrom drives, etc. and possibly alarm protected. To protect from
>password hash sniffing, the administrator accounts need to use complex
>passwords and minimum of ntlmv2 should be used for lan manager
>authentication level by upgrading any Windows 98 machines with Directory
>Services Client and configuring authentication level on Domain Controller
>Security policy. You may also want to disable storing of lm password
>hashes on your domain controllers if you have all W2K/XP computers.
>Raising your lockout threshold to ten would reduce legitimate lockout
>problems and still be high enough to protect against brute force attack.
>Keep in mind that the administrator account can not be locked out by
>default. The passprop utility is supposed to be able to allow the
>administrator account to be locked out from network logons. It is also
>good practice to use domain administrator accounts only when needed to,
>and to log onto only "trusted/secure" computers that would not have
>things like keyboard loggers installed or hidden cameras nearby. I also
>recommend you enable auditing of account logon and logon events on at
>least your domain controllers for success and failure, and then audit at
>least logon event failures on your domain computers. You will need to
>substantially increase the size of your security log - probably 10 meg or
>so to start. Be sure to read the free Windows 2000 Security Hardening
>Guide.
>--- Steve
>
>http://support.microsoft.com/default.aspx?scid=kb;en-us;299656 --- How to disable storing LM.
>http://security.ziffdavis.com/article2/0,3973,1043101,00.asp --- Link to Windows 2000 SHG
>
>"Miranda" <mir@anda.com> wrote in message
>news:009001c3628c$21f9fa40$a501280a@phx.gbl...
>> I've enabled a GPO to have my domain accounts locked out
>> after 5 invalid logon attempts. Will this prevent someone
>> on my internal LAN from running password cracking software
>> to try and break my Administrator password?
>>
>> Thanks,
>>
>> Miranda
>
Thanks for the response! Your reply was very helpful.
Miranda.
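An added example, not part of the thread: a Python check that reads a policy file exported with `secedit /export /cfg policy.inf` and lists the settings that fall short of the advice quoted above (lockout threshold, logon auditing, LAN Manager authentication level, LM hash storage). The sample file is constructed, the names `audit_policy` and `_num` are hypothetical, and two rules are assumptions of this example: a threshold of 0 or above ten is flagged, and "minimum of ntlmv2" is read as `LmCompatibilityLevel` 3 or higher.

```python
import configparser

# Constructed sample in the layout written by `secedit /export /cfg policy.inf`
# (real exports are UTF-16 files). The values are invented, not from the thread.
SAMPLE_INF = r"""
[System Access]
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 2
AuditAccountLogon = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
"""

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"


def _num(cp, section, key):
    """Return a setting as int; registry entries look like '<type>,<value>'."""
    raw = cp.get(section, key, fallback="0")
    return int(raw.split(",")[-1].strip().strip('"'))


def audit_policy(inf_text):
    """List the settings that fall short of the advice quoted in the thread."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   strict=False)
    cp.read_string(inf_text)
    findings = []
    threshold = _num(cp, "System Access", "LockoutBadCount")
    if threshold == 0 or threshold > 10:  # 0 means lockout is disabled
        findings.append(f"lockout threshold is {threshold}")
    for key in ("AuditLogonEvents", "AuditAccountLogon"):
        if _num(cp, "Event Audit", key) != 3:  # 1=success, 2=failure, 3=both
            findings.append(f"{key} does not audit success and failure")
    # Assumption: "minimum of ntlmv2" is read here as level 3 or higher.
    if _num(cp, "Registry Values", LSA + "LmCompatibilityLevel") < 3:
        findings.append("LmCompatibilityLevel is below 3")
    if _num(cp, "Registry Values", LSA + "NoLMHash") != 1:
        findings.append("LM hashes are still stored (NoLMHash is not 1)")
    return findings


if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_INF):
        print("FAIL:", finding)
```

A setting missing from the export is treated as 0, so an unset `NoLMHash` or `LmCompatibilityLevel` is reported rather than silently passed.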