Using passwords as a defense mechanism to improve Windows security (Part 2)
Types of password security policies available:
- Enforce password history: this policy does not allow a user to reuse a previously used password. When setting up the policy, one enters the number of previous passwords to keep in the history; this number determines how many new passwords must be used before an earlier password can be used again. The policy also ensures that a user cannot "change" the password to the one already in use.
- Maximum password age: this policy determines how frequently passwords must be changed; a number of days can be selected for best results. It is recommended that a period not exceeding 30 days be chosen.
- Minimum password age: this policy determines the minimum number of days that a password must be in use before a new one can be set. The advantage of this is that an intruder who changes the password will be noticed: the change locks out the real user, who then cannot change the password back, and the intruder is exposed. Set this value to one day less than the maximum password age for the best protection.
- Minimum password length: this policy sets the minimum number of characters a password must contain; at least eight characters are recommended, as this challenges brute-force password-cracking applications. Note that as processors get faster and systems improve, so does the effectiveness of password-cracking tools. Earlier Pentium systems would take at least six to eight hours to crunch through an eight-character password; newer Pentium 4 systems get through the same work in much less time, making the task easier and more viable for the intruder.
- Passwords must meet complexity requirements: this rule is enforced at the time a password is created, so the extra security is built into every password that is set.
The rules are as follows:
- The password must have a minimum of eight characters and must also include at least three of the following:
  - uppercase letters
  - lowercase letters
  - numerals and non-alphanumeric characters
- The password may not include the logon name.
- The user's name cannot be included in the password.
- Store password using reversible encryption for all users in the domain: this policy does not strengthen security but is an option, as it is essential for applications that require knowledge of the user passwords. The passwords are not secure, as they are stored in Active Directory in a form that can be read back.
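To make the interaction of these policies concrete, here is a small added example, written for this page rather than taken from Microsoft or from the article, that evaluates a requested password change against the settings listed above: the complexity rules, password history, minimum age and maximum age. Numerals and non-alphanumeric characters are counted as separate classes, as Windows does, so a password needs three of the four. The account, the dates and the candidate passwords are constructed sample data, and the SHA-256 digest merely stands in for the stored history; it is not how Windows stores credentials.

```python
import hashlib
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List


@dataclass
class PasswordPolicy:
    """The five policy settings discussed above; defaults follow the article's recommendations."""
    history_length: int = 24   # Enforce password history: number of passwords remembered
    max_age_days: int = 30     # Maximum password age
    min_age_days: int = 29     # Minimum password age: one day less than the maximum
    min_length: int = 8        # Minimum password length
    complexity: bool = True    # Passwords must meet complexity requirements


@dataclass
class Account:
    logon_name: str
    full_name: str
    last_change: date                                   # when the current password was set
    history: List[str] = field(default_factory=list)   # digests of earlier passwords, oldest first


def digest(password: str) -> str:
    # A plain SHA-256 stands in for the stored credential so the history check need not
    # keep clear text; this is a stand-in for the example, NOT how Windows stores passwords.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def complexity_violations(password: str, account: Account) -> List[str]:
    """Reasons the password fails the complexity rules above (empty list = passes).
    The eight-character minimum is applied by the length check in change_violations."""
    problems = []
    classes = [
        any(c.isupper() for c in password),      # uppercase letters
        any(c.islower() for c in password),      # lowercase letters
        any(c.isdigit() for c in password),      # numerals
        any(not c.isalnum() for c in password),  # non-alphanumeric characters
    ]
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    lowered = password.lower()
    if account.logon_name.lower() in lowered:
        problems.append("contains the logon name")
    for part in account.full_name.split():
        if part.lower() in lowered:
            problems.append(f"contains part of the user's name ({part})")
    return problems


def change_violations(policy: PasswordPolicy, account: Account,
                      new_password: str, today: date) -> List[str]:
    """Check a requested password change against every policy; empty list = change allowed."""
    problems = []
    # Minimum password length; the complexity rule raises the floor to eight regardless
    floor = max(policy.min_length, 8) if policy.complexity else policy.min_length
    if len(new_password) < floor:
        problems.append(f"shorter than {floor} characters")
    if policy.complexity:
        problems.extend(complexity_violations(new_password, account))
    # Enforce password history: none of the last history_length passwords may return
    if digest(new_password) in account.history[-policy.history_length:]:
        problems.append(f"matches one of the last {policy.history_length} passwords")
    # Minimum password age: the current password must have been in use long enough
    age_days = (today - account.last_change).days
    if age_days < policy.min_age_days:
        problems.append(f"current password is only {age_days} days old (minimum {policy.min_age_days})")
    return problems


def password_expired(policy: PasswordPolicy, account: Account, today: date) -> bool:
    """Maximum password age: True once the current password is older than the policy allows."""
    return (today - account.last_change).days > policy.max_age_days


def demo() -> Dict[str, object]:
    """Run the checks on constructed sample data and return the outcomes keyed by case."""
    policy = PasswordPolicy()
    today = date(2003, 6, 1)  # constructed date
    # Constructed account: current password set 31 days ago, "Summer2003!" used before that
    stale = Account("jsmith", "John Smith", today - timedelta(days=31), [digest("Summer2003!")])
    # The same user only five days after a password change
    fresh = Account("jsmith", "John Smith", today - timedelta(days=5))
    out: Dict[str, object] = {}
    for candidate in ["Autumn#2003", "Summer2003!", "jsmith2003A", "oblivion2003", "Ab1!"]:
        out[candidate] = change_violations(policy, stale, candidate, today)
    out["stale expired"] = password_expired(policy, stale, today)
    out["fresh expired"] = password_expired(policy, fresh, today)
    out["fresh change"] = change_violations(policy, fresh, "Autumn#2003", today)
    return out


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:14} -> {'accepted' if value == [] else value}")
```

Of the five candidates only "Autumn#2003" is accepted for the stale account: "Summer2003!" is caught by the history, "jsmith2003A" contains the logon name, "oblivion2003" uses only two character classes and "Ab1!" is too short. The fresh account is refused any change at all for another 24 days, which is the lock-out effect of the minimum age that the text describes.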
Password policies can be set for an individual computer, which is especially useful when a machine holds confidential information, or for a domain.
Setting password policies for a domain
1. Open the Active Directory Users and Computers snap-in in the MMC. In the console pane, right-click the domain object and then click Properties.
2. Click the Group Policy tab, select Default Domain Policy and then click Edit.
3. Select Windows Settings, then Security Settings, then Account Policy, and click Password Policy. The available options will be displayed in the right-hand pane.
You should now be able to set all the options displayed in the policy window by double-clicking each object.
Local machine password policies
1. In Control Panel click on Administrative Tools.
2. Then click on Local Security Policy.
3. You should be presented with this screen. Click on Account Policies and then click on Password Policies. The right-hand pane shows the same options as the domain policy screen.
Password security policies for an individual computer are defined by default, but a policy set for the domain takes precedence over the one set on the individual computer. To put a newly set policy into effect, the computer on which it was set must first be restarted; this also lets you see the alterations that have been made to the security settings.
More about strong passwords
Strong passwords are such an effective security measure that it is wise to put particular emphasis on them. Knowing how to use them to their full potential can prove very beneficial to any organization. A strong password is one that complies with the rules laid down for forming a password, and it is these rules that ensure that security is upheld.
The rules should be enforced to reduce the probability of a password being guessed, and of software finding it by searching at random. If the rules are carefully formulated, it becomes apparent to the intruder that password cracking is too challenging; the intruder is deterred and moves on to another vulnerability. Consequently, the intruder breaking into the computer and stealing important information is less likely to occur.
Another advantage of strong passwords is that the rules are enforced by a .dll file, which prevents the rules from being altered. Although the rules of the Win2K notification package cannot be configured, the option of writing your own notification package with your own rules is available using the appropriate source code. Check Microsoft's MSDN website if you need to alter the rules in the .dll file.
The possibility of the user forgetting a strong password must also be taken into account when setting it up. This often happens because of the password's length and the many different characters it is composed of. The complicated nature of strong passwords creates a problem when a new one has to be created to replace a forgotten one, but that same complexity is what enables strong passwords to increase security.
If passwords are forgotten, old passwords can be reused without risking a fall in security. The option of using an old password after a set number of password changes can be enabled. This can be allowed because of the complexity of strong passwords: they are very challenging to crack.
Another aspect worth noting is that the strong password rules only come into play when passwords are created over a network. Strong passwords can therefore be applied on a user-by-user basis, only where security is of necessary importance.
Password generation systems
- Use a word like "oblivion", then use synonyms.
- Make the password alphanumeric: oblivion=0371v10n
- Add numbers to the password: oblivion=oblivion2003
- Divide the password by numbers: oblivion=o1b1l1i1v1i1o1n
- Reverse the password: oblivion=noivilbo
- Subtract letters and then suffix the subtracted letters, i.e. every second letter: oblivion=olvobiin
There are many more generation methods. The one most commonly enforced is the alphanumeric system. It works well and is widely used because it makes the most sense and users are used to it from the telephone dialling system, e.g. phone 0800 SECURITY.
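As an added illustration that is not part of the original article, the following code applies the transformations listed above to the word "oblivion" and reproduces the article's results; the synonym step is left out because it is not mechanical. It goes one step beyond the text by counting how many of the four character classes from the complexity rules each result uses, so the reader can see which generation methods on their own yield a password that would pass the three-of-four check. The substitution table (o to 0, b to 3, l to 7, i to 1) and the "2003" suffix are inferred from the article's own example, not from any published standard.

```python
from typing import Callable, Dict, Tuple

# Substitutions inferred from the article's example: oblivion -> 0371v10n
LEET = {"o": "0", "b": "3", "l": "7", "i": "1"}


def alphanumeric(word: str) -> str:
    """Replace letters with look-alike digits."""
    return "".join(LEET.get(c, c) for c in word)


def add_numbers(word: str, suffix: str = "2003") -> str:
    """Append a number (the article appends the year)."""
    return word + suffix


def divide_by_numbers(word: str, separator: str = "1") -> str:
    """Insert a digit between every pair of letters."""
    return separator.join(word)


def reverse(word: str) -> str:
    """Write the word backwards."""
    return word[::-1]


def subtract_and_suffix(word: str) -> str:
    """Remove every second letter, then append the removed letters in order."""
    kept, removed = word[::2], word[1::2]
    return kept + removed


def character_classes(password: str) -> int:
    """Count the classes used by the complexity rules: upper, lower, numeral, non-alphanumeric."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


METHODS: Dict[str, Callable[[str], str]] = {
    "alphanumeric": alphanumeric,
    "add numbers": add_numbers,
    "divide by numbers": divide_by_numbers,
    "reverse": reverse,
    "subtract and suffix": subtract_and_suffix,
}


def generate_all(word: str) -> Dict[str, Tuple[str, int]]:
    """Apply every method to the word; each value is (candidate, classes used)."""
    results = {}
    for name, method in METHODS.items():
        candidate = method(word)
        results[name] = (candidate, character_classes(candidate))
    return results


if __name__ == "__main__":
    for name, (candidate, classes) in generate_all("oblivion").items():
        verdict = "meets three-of-four" if classes >= 3 else f"only {classes} class(es)"
        print(f"{name:20} {candidate:18} {verdict}")
```

Run on "oblivion", every method reproduces the string the article gives, but none of the results uses more than two character classes, so a password built with a single method still has to be combined with another rule (an uppercase letter or a symbol) before it satisfies the complexity requirement described earlier.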
Passwords are a major part of the shield protecting the information stored on our computers. But the security they provide rests entirely on the knowledge of the users working with them, so users should be made aware of any changes in the password policies, and easy-to-follow instructions on creating and changing passwords should be made available to them. Guard passwords as you would guard the keys to an important secure place, and ensure that users do the same. Organizations do not stress this enough; intruders know this and always use it to their advantage.