Re: Best explanation of W2000 security structure, passwords, logins, etc?

From: Steven L Umbach (n9rou_at_comcast.net)
Date: 09/29/03 

Date: Sun, 28 Sep 2003 23:27:26 GMT

Passwords are used of course to protect computers and network resources. A home
environment is a bit different than the typical office/etc in that users are probably
all trusted. If you want to assign different passwords to each user, then you will
need to have a user account on each computer that you wan to allow that user to have
access to even if it is network resources unless you enable the guest account which I
do not recommend.

Good password policy is a muti part process that may involve defining how long the
password must be, it's complexity, how long it is good for, and how soon it can be
reused. Another important part is the lockout policy which dictates if an account can
be locked out after a certain number of bad guesses and how long it stays locked out
for. For your situation, a lockout threshold of 10 and a lockout period of 5 minutes
should be plenty good to protect your computers from brute force or dictionary
attacks. Home network users should generally not need to change their password very
often unlike a business environment unless you feel your computers have been
compromised. Enabling auditing of account logon and logon events for success and
failure may be helpful also to see who is using computers and when and if someone is
trying to access an account that they should not be doing.

A properly configured firewall should keep your network safe from hackers trying to
guess your passwords to gain access, especially if you do not have any hole opened in
it for access to any services on your network. You can go to
http://scan.sygatetech.com/ to do a basic vulnerability assessment of your firewall.

The administrator account is of special importance and is the top target for hackers
and even some trojans because of it's power and the fact that it can not be locked
out - at least for interactive logon. It can be locked out for network logon with the
passrop Resource Kit utility. Because of it's special significance, the administrator
account should be renamed and given a complex password, maybe something like Tl8y$g5!
for your home network. An actual domain administrator password would even need to be
much more complex. It is also good practice to avoid logging on with an
administrator account unless you need to use it for some particular reason. But again
for a home user that is not as important [though it is more of a risk if a trojan
shows up] and I am guilty of always using mine. --- Steve

http://tinyurl.com/gt83
http://www.securityfocus.com/infocus/1554/

"Pollock" <mm-p@bigfoot.com> wrote in message
news:37e363c4.0309271807.6667fd3f@posting.google.com...
> What is the best available explanation of W2000's password security
> structure, i.e., how to administer passwords?
>
> Tony Northrup has an article on
> http://www.eu.microsoft.com/technet/security/protech/network/firewalls.
> But though this seems good, it is frankly not very usable, since it
> wouldn't print (diagrams disappear), or save (same problem).
> Microsoft newsgroups isn't much help either, it doesn't alert when
> there's an answer to a posting. Who remembers to what group they
> posted? Clearly, I need some other source of information on W2000
> passwords/security.
>
> Any good suggestions? Where I can get a crash-course in the
> password/security aspect of W2000?
>
> (I have a home network with a router, and four W2000 computers. To
> date, we've got by without passwords or logins. This now seems
> unacceptably risky. But without understanding W2000's security
> system, I'm loath to assign passwords. I simply don't understand the
> system-wide implications, i.e., how it would impact my day-to-day
> usage).

Relevant Pages

  • Re: Security Concern
    ... local administrator access on that machine. ... Obtaining passwords can happen a ... network or from the internet if connected. ... You want to get all computers up to ntlm v2. ...
    (microsoft.public.win2000.security)
  • Re: What does logon type mean???
    ... Run XP's Network Setup Wizard on that computer -- that's ... ntrights +r SeNetworkLogonRight -u Guest ... The commands that I gave don't add passwords to any ... The only account that I suggested for those commands is the Guest ...
    (microsoft.public.windowsxp.network_web)
  • Re: Netowrk Admin. Breach
    ... attack, but at the time it was a little beyond me. ... But my approach to network security is similar to his.....I look at ... no business knowing any of your sensitive passwords. ... demonstrated that using an account with no privs. ...
    (microsoft.public.windows.server.security)
  • Re: LAN problem: cant browse network computers
    ... was created when you computers were set up. ... Likewise, there are no passwords. ... Network Access – Let everyone permissions apply to anonymous users – Enable ... My Network Places> View Network Connections> ...
    (microsoft.public.windowsxp.network_web)
  • Re: Networking Vista and XP
    ... About 4 or 5 weeks ago, a lot of people were making posts describing their problems successfully achieving file sharing in Vista (especially between Vista and XP computers, in both directions) and asking for help. ... this is caused by a "feature" that exists in both XP and Vista involving zero-length passwords. ... Media Center and Vista will not allow network access to network computers that have zero-length passwords. ...
    (alt.sys.pc-clone.dell)
Loading