Using passwords as a defense mechanism to improve Windows security (Part 1)
This methodical system conforms to good corporate governance and will leave you in good stead in any situation involving passwords. The strength of any good password system rests on the way the password policy is enforced. Windows systems have automatic domain based password policies that make the enforcement of the policy seamless and reliable.
Passwords are typically used as a process to validate a user's identity when accessing a resource. Formal processes and procedures should be in place to control password management. Biometrics is the new-age password and is treated as a more personal way of validating a user. Eventually biometrics will become the only mode of validation, but until that day we are stuck with passwords. The following are some guidelines that should be incorporated into your security policy to ensure that your passwords remain safe.
If you would like to receive an email when the next article in this series is released, subscribe to the WindowSecurity.com Real-Time Article Updates from our Newsletter subscriptions page.
Top 20 password tips that will ensure good password practice and Windows security.
1. Within your IT/IS security policy ensure that it is mentioned that personal passwords are to be kept confidential at all times. Some organizations include this in the terms of employment and can turn the failure to comply into a major disciplinary offense.
2. Do not allow users to keep using temporary default passwords; ensure that temporary passwords are changed immediately and that no one else, including members of the IT/IS department, knows the new password. When using Windows it is imperative that, when a user forgets his or her password, IT personnel positively identify the user before unlocking the account with the default password.
3. Test all users for password strength and ensure that the policies are followed by actively monitoring the situation. Many users keep their passwords on a Post-it note stuck to their monitor. This practice should be dealt with severely, as intruders know this and use it as a gateway to network information.
4. Ensure that no passwords are stored in electronic form. In the event of a successful intrusion further damage can be done if the intruder comes across the password list.
5. Phone up users and test the policy. After users sign the organization's terms of employment they are bound to that policy, yet most users will still hand out passwords to computer staff enthusiastically. Test this: I have personally found that not even five minutes after the user has signed the document, I already have their new password.
6. Ensure that only administrators and the respective users have the capability to change the respective password.
7. When there are signs of security compromises change the system passwords.
8. Ensure that users select quality passwords and that typical user attributes such as children's names, dogs' names and other user-specific names are not used. Passwords should be easy to remember, should not contain personal data and should not contain consecutive characters like qwerty, 12345, !@#$ and abcd.
9. Ensure that a password change frequency is policy and that password changes are forced. This method ensures that users change their password; however, it is also the main reason users write their passwords down.
10. Ensure that passwords are not included in any automated login script, macro or function key. If an intruder were to get hold of any of these, it would be very easy to find the passwords.
11. Do not allow users to use passwords similar to those of previous months. If an intruder does get a user's password, the intruder will try to gain access to the network using a logical pattern; this may be the previous password truncated with a digit on the end. A password history covering 12 months proves to be acceptable.
12. Avoid applications that display password information on the screen.
13. Check for key loggers and make sure that your anti-virus has the most common key loggers in its pattern list.
14. Ensure that it is clearly stated that passwords may not be saved when using applications or when dialing up to the network, as displayed in the picture below. Intruders can use these applications to gain access to systems without knowing the passwords. Some firewalls have this feature and I find this to be convenience over security. People that auto-save passwords on firewalls should not be employed in a security department. The diagram below depicts the check box that should be unchecked.
15. Ensure that default passwords are changed after installing applications and hardware that may have default vendor passwords stored.
16. Avoid systems that use master passwords, i.e. applications that have backdoor passwords that may be used if you forget your password. BIOS manufacturers are famous for this type of practice and it should be avoided, as it compromises the machine and user data.
17. Do not allow users to share passwords. Resources that are protected by passwords are exempt from this rule, but the administrator should change the resource password in line with the password change frequency.
18. Ensure that password validation is required after three minutes of the user not being at his/her workstation. Intruders can be anyone; risks are minimized by auto-locking the desktop and requiring validation when the user returns. The diagram below displays where this can be set by just checking the check box circled in red.
19. Simplify password validation to require only one password; the more passwords that are required, the more management and security are required. By simplifying password validation down to one password, you provide a higher level of protection. Admin procedures are exempt from this rule, as many quality passwords may be required for added layers of security.
20. Use Windows operating systems that do not store passwords locally in an unencrypted manner. This would typically be any operating system from NT 4.0 upwards. Windows 95/98 store passwords in files that are easy to decipher: they use *.pwl files to store passwords, and these files can be decoded using simple cracking utilities available on the internet.
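The checks in tips 8 and 11 can be automated at the point where a new password is accepted. The following is an added example (not from the article) of such a filter in Python: it rejects the keyboard and alphabet runs tip 8 names, personal names the administrator supplies for the user, and a previous password reused with only the trailing digits changed, as tip 11 describes. The minimum length, the four-character run size and the sample inputs are assumptions.

```python
import re

# Runs the article calls "consecutive characters": keyboard rows, the shifted
# digit row (!@#$...), digits and the alphabet. Any RUN adjacent characters
# taken from one of these, forwards or backwards, is rejected (RUN is assumed).
SEQUENCES = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "0123456789",
             "!@#$%^&*()", "abcdefghijklmnopqrstuvwxyz"]
RUN = 4
TRAILER = re.compile(r"[0-9!@#$%^&*]+$")  # digits/symbols users tack onto the end

def has_sequence(password):
    """Tip 8: True if the password contains a keyboard or alphabet run."""
    p = password.lower()
    for seq in SEQUENCES:
        for i in range(len(seq) - RUN + 1):
            chunk = seq[i:i + RUN]
            if chunk in p or chunk[::-1] in p:
                return True
    return False

def uses_personal_data(password, personal):
    """Tip 8: True if a known personal name (child, pet, ...) is embedded."""
    p = password.lower()
    return any(len(w) >= 3 and w.lower() in p for w in personal)

def resembles_previous(password, previous):
    """Tip 11: True if an old password is reused as-is, or reused with only
    the trailing digits/symbols changed (e.g. the old password plus a digit)."""
    stem = TRAILER.sub("", password).lower()
    for old in previous:
        if password.lower() == old.lower():
            return True
        if stem and stem == TRAILER.sub("", old).lower():
            return True
    return False

def check_password(password, personal=(), previous=(), min_length=8):
    """Return the list of tip violations; an empty list means the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if has_sequence(password):
        problems.append("contains a keyboard or alphabet sequence")
    if uses_personal_data(password, personal):
        problems.append("contains personal data")
    if resembles_previous(password, previous):
        problems.append("too similar to a previous password")
    return problems
```

Feed it the user's known personal names and the stored history of previous passwords; anything it returns is a reason to refuse the change.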
Be aware of other possibilities.
If your machine is left unlocked it is possible for an intruder to attempt to create a password reset disk. This disk is produced by the Forgotten Password Wizard, which lets you create a password reset disk that can be used at a later stage to recover your user account and personalized computer settings if the password is forgotten. The procedure differs depending on whether the machine is on a domain or in a workgroup. This is very dangerous and can be used against the organization. The password reset disk should be kept in the corporate safe or in a safe place where an intruder cannot reach it. These disks should be treated as sensitively as passwords, for they can be used to restore a machine and as a way for an intruder to gain unauthorized access to sensitive data.
However difficult it may seem to run an application in the background while in login mode, it has recently been discovered that it is possible to do so. Checking the network machines for key logging applications and hardware is becoming the trend in environments that require a high level of security. Applications that monitor software and hardware changes are invaluable for this purpose and are recommended in high security environments. Hardware key loggers can be plugged in-line with your keyboard to record keystrokes. The software version is an application that runs in the background as a service after login.
The diagram above represents a hardware key logger installed in an inline system.
By following these guidelines you will be:
Enforcing accountability in the event of any fraudulent activities or intrusions.
Protecting the network from intruders, as passwords are very sought after.
Enforcing strong password practices as part of good corporate governance, in compliance with ISO/IEC 17799:2000(E).
In a Windows environment any attempted resource access requires an authentication type. A permission-based system is pervasive in most Windows networked environments, and if incorrect credentials are supplied, access to the resource will be denied. An intruder can leverage this fact and use it against the corporation. In this scenario an intruder can recognize that a password policy may exist that will lock out an account after 3-5 login attempts. The intruder will then find a resource that the user has access to and run brute force or algorithm-based attacks against the permission-protected resource. The credentials will easily be found in time and your network resource will no longer be safe.
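Because the logon lockout does not protect the resource in the scenario above, a defender watches the resource access logs for it instead. The following is an added example (not from the article) that scans a constructed access log for any source host that accumulates more failed attempts against one resource within a short window than the lockout threshold would ever permit at the logon screen; the log format, the five-minute window and the lockout threshold of 3 are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not a real Windows event format): timestamp, source
# host, account tried, resource, outcome. ws17 hammers one share with six
# failures in twelve seconds, never exceeding a per-account lockout of 3.
SAMPLE_LOG = r"""
2005-03-01T09:00:01 ws17 jsmith \\fileserv\finance FAIL
2005-03-01T09:00:03 ws17 jsmith \\fileserv\finance FAIL
2005-03-01T09:00:05 ws17 mjones \\fileserv\finance FAIL
2005-03-01T09:00:07 ws17 mjones \\fileserv\finance FAIL
2005-03-01T09:00:09 ws17 rbrown \\fileserv\finance FAIL
2005-03-01T09:00:11 ws17 rbrown \\fileserv\finance FAIL
2005-03-01T09:00:13 ws17 rbrown \\fileserv\finance OK
2005-03-01T09:30:00 ws04 adavis \\fileserv\hr FAIL
2005-03-01T09:30:20 ws04 adavis \\fileserv\hr OK
"""

def parse(log_text):
    """Turn the constructed log into (time, host, account, resource, outcome) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, account, resource, outcome = line.split()
        events.append((datetime.fromisoformat(ts), host, account, resource, outcome))
    return events

def find_resource_bruteforce(events, window=timedelta(minutes=5), lockout=3):
    """Flag (host, resource) pairs whose failures inside `window` exceed what
    the domain lockout threshold would allow one account at the logon screen.
    Returns (host, resource, failures, accounts) tuples."""
    by_key = defaultdict(list)
    for ts, host, account, resource, outcome in events:
        if outcome == "FAIL":
            by_key[(host, resource)].append((ts, account))
    alerts = []
    for (host, resource), fails in by_key.items():
        fails.sort()
        best_count, best_accounts = 0, set()
        start = 0
        for end in range(len(fails)):           # sliding time window
            while fails[end][0] - fails[start][0] > window:
                start += 1
            span = fails[start:end + 1]
            if len(span) > best_count:
                best_count = len(span)
                best_accounts = {acct for _, acct in span}
        if best_count > lockout:
            alerts.append((host, resource, best_count, sorted(best_accounts)))
    return alerts
```

The key is the source host and resource, not the account, so spreading the attempts over several accounts to stay under the per-account lockout still produces one alert.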
Passwords are like keys to locks: if an intruder has a copy of your key you typically recode the lock to use a new key, while the locking mechanism remains the same. This reflects the computer password system also. Leaving a key in a place where an intruder can gain access to it or copy it would render the lock useless. Protect a password like you would protect the keys to your safe. Ensure that your key is not easy to copy; choose a key that is not easily remembered by anyone other than you. An example would be s3cur1t13, which spelt out of alphanumeric code would read securitie. The spelling of this word is deliberately done in this manner to throw intruders off. It also makes it easier for the user to remember, as it has a personal reference.
Passwords are now used as an added layer of security and not as the only security method, as in previous years. Times have changed and new password cracking tools have been developed; in part B the article will focus on the domain and the local user machine and how important it is to enforce user password policies. As technology progresses we will see different, more secure user validation techniques like biometrics take the lead in the information technology world. Digital intelligence will then start to play a bigger part when validating the user, and new methods of breaking into the system by exploiting vulnerabilities of the new advanced systems will become evident. Strong controls and intrusion detection will help in this scenario.