One area of security where you can make a big difference is in setting a secure password policy for your company. Password policy is important because, unlike simple denial of service attacks, where attackers can take a service offline for a while, a compromised password can allow the attacker to impersonate the legitimate user and fully leverage the rights and permissions of that legitimate user. If the user happens to be a high privileged user, then the potential for disaster is high.
There are some things that you can do to help prevent compromised passwords in your firm:
- Make sure that users use passwords that are long enough to thwart hackers. Length of password can depend on the type of user. A user with low privileges could use a 6 character password while an admin should be required to use a password of at least 15 characters
- Force users to use passwords from different character sets. It’s a lot easier to break passwords that just use lower case letters. Harder if they use upper and lower case letters, and exponentially harder if they use upper and lower case letters and numbers. Force users to use at least two character sets when creating passwords
- Make sure that users do not use passwords contained in a hacking dictionary. This will force hackers to use other, more time-consuming methods to break your passwords. You will need to scan your password database to check this, and use special tools, such as nFront, to make this kind of check
- To be even more effective, force users to not use passwords that are variations of passwords contained in hacking dictionaries. For example, a password of [email protected]@mom is not effective. Again, a scan of your password database using tools to search for these patterns will be needed to confirm that you don’t have users deploying these relatively easy to crack passwords
- Rainbow tables can very quickly crack passwords that are 14 or fewer characters. For this reason, you should turn off LM hashes and also make sure that high value users use passwords that are at least 15 characters. For example, all administrators and C-level employees should have passwords of at least 15 characters.
- Guard against cached logons on workstations. By default, Windows client systems cache the credentials of the last 10 logons. You can configure the Registry to block storage of logon information. In addition, avoid logging on as a domain admin on workstations, which are more likely to be compromised than servers, to prevent caching of domain admin credentials on those machines
- Also, do not provide users local admin access to their machines. This will prevent local admin credentials from being captured from the cache on those machines
- Encourage users to use “passphrases” which are simply long passwords that provide some meaning to the user. For example, users can remember long passwords such as “My first Elementary School was Santa Monica School for the Gifted and Rich in Santa Monica, California, 90250”. That is very long, but shorter than the 127 character limit available in Windows XP and later versions of Windows (actually, these long passwords were supported in Windows 2000). Of course, passwords of this length can be problematic from a typo point of view, but you get the idea.
Those are just a few things you can do to make a more secure password policy. In order to enforce password policies, you can use built-in Windows Server 2008 tools. However, the built-in tools are limited in terms of enforcing the type of password complexity and protection against dictionary attacks. For more robust password policy support, you might want to consider using tools such as nFront from www.nfrontsecurity.com
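Several of the rules in the list above (minimum length by type of user, at least two character sets, no dictionary words or simple variations of them) can be expressed as a check that runs when a password is set. This is an added example, not code from this article or from nFront; the word list, the substitution map and the role names are constructed assumptions.

```python
import re

# Constructed sample word list; a real check would load a large cracking dictionary.
DICTIONARY = {"password", "welcome", "dragon", "letmein", "monkey"}

# Character substitutions undone before the dictionary lookup (assumed set).
LEET = str.maketrans({"@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
                      "3": "e", "$": "s", "5": "s", "7": "t"})

# Minimum lengths from the list above: 6 for low-privilege users, 15 for admins.
MIN_LENGTH = {"user": 6, "admin": 15}


def character_sets(password):
    """Count how many of the four character classes the password draws from."""
    classes = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]")
    return sum(1 for c in classes if re.search(c, password))


def dictionary_variation(password):
    """Return the dictionary word the password reduces to, or None."""
    lowered = password.lower()
    # Drop digits and symbols padded onto either end, e.g. "Password2024!"
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    for form in (lowered, stripped):
        plain = form.translate(LEET)
        for candidate in (plain, plain[::-1]):  # also catch reversed words
            if candidate in DICTIONARY:
                return candidate
    return None


def check_password(password, role="user"):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH[role]:
        problems.append(f"shorter than {MIN_LENGTH[role]} characters for role '{role}'")
    if character_sets(password) < 2:
        problems.append("uses fewer than two character sets")
    word = dictionary_variation(password)
    if word:
        problems.append(f"variation of dictionary word '{word}'")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords, checked against the stricter admin rules.
    for pw in ("P@ssw0rd", "sunlight", "My first school was in Santa Monica"):
        print(repr(pw), check_password(pw, "admin") or "OK")
```

Running the check at the moment a password is chosen avoids having to scan stored passwords afterwards.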
Thomas W Shinder, M.D.
MVP – Microsoft Firewalls (ISA)