Windows passwords: Making them secure
Part 1:
Introduction
Like any network operating system, Windows places a username and password at the heart of its security. Default users are created (Administrator and Guest, for example), and each has a password associated with it. When any user attempts to authenticate or access any resource, the password for their user account is required. Now, thank goodness, a Windows Server 2003 (and later) domain requires a password by default. This password needs to be protected from all angles because of the potential for it to be captured, guessed, hacked, or otherwise determined. There are many ways to protect a Windows password, and this series of articles will discuss what you can do to increase the security of your passwords. First, we must understand how a password is established and controlled, then how it can be attacked, so that we can take measures to protect against the common attacks.
Windows Default Passwords
When you log on to an Active Directory domain, you need to supply three key entries: username, password, and domain name. When this information is received by the domain controller, it is checked against the current password for that username in the Active Directory database. If the password matches, the domain controller authenticates the user and provides an authentication token that grants access to other resources on the network/domain.
When a user changes the password for their account, this information is also sent to the domain controller. When the new password is entered by the user and sent to the domain controller, policies are in place to ensure that it meets minimum security requirements. A few notes about the password policy for the domain (which also applies to all local user accounts by default):
• A Windows password requires a minimum of 7 characters (Windows Server 2003 domains and later)
• Passwords must contain 3 of the following 4 types of characters: upper case alpha, lower case alpha, numeric, special ($!@*)
• A new password must be set within 42 days to keep the account active
• A password cannot be reused until 24 unique passwords have been created
All of these settings are established under the Computer Configuration portion of a GPO, listed under Password Policy. Figure 1 illustrates the settings for these password policy configurations.
Figure 1: Password Policy settings in a GPO are located under Computer Configuration, not User Configuration
What Controls Domain Password Policy?
As a long-time Windows security educator, I have been working with Active Directory since 1999 and have taught thousands of IT professionals the finer points of Windows security, including the details of the Windows Password Policy. I find it very interesting that now, over 9 years after Microsoft first released Active Directory, some IT professionals are still confused as to how the password policy is controlled and what options exist to modify it. So, here is the reality of Windows Password Policy and its capabilities.
First, the Default Domain Policy GPO controls the Password Policy for all computers in the entire domain. Yes, this includes the domain controllers, servers, and desktops (which have joined the domain) for the entire Active Directory domain. The Default Domain Policy is linked to the domain node, which of course targets all computers in the domain.
Second, any GPO linked to the domain can be used to establish and control the password policy settings. The GPO just has to have the highest priority at the domain level, which will make it “win” any conflict over the password policy settings.
Third, if a GPO is linked to an organizational unit (OU), it will NOT control the password policy for user accounts located in that OU. This is by far the most common mistake that IT professionals make. The password policy settings are NOT user based; they are computer based, as shown in Figure 1 above.
Fourth, if a GPO is linked to an OU, the password policy settings created in the GPO will affect the local SAM on any computer located under that OU. This will “trump” the password policy settings configured in the GPO linked to the domain, but only for the local user accounts stored in the local SAMs of these computers.
Fifth, if a GPO is linked to the Default Domain Controllers OU, it will NOT control the Active Directory database of users stored on the DCs. The only way to modify the password policy settings for domain user accounts is within a GPO linked to the domain (unless you are using a Windows Server 2008 domain, where you can use fine-grained password policies, which are described in full detail here).
Sixth, LAN Manager (LM) is fully supported on most existing Windows Active Directory enterprises. LM is a very old authentication protocol that is very weak at protecting the password and the password hash generated to support authentication with this protocol. There are two GPO settings (which are actually Registry settings) that control whether LM will be supported and whether the LM hash will be stored. We will go into both of these settings in the next installment of this article series, making sure you know how to configure them correctly and exactly where to make the settings within a GPO.
Summary
The default password policy settings for an Active Directory domain are not horrible, but they can be improved. The default settings are originally configured and stored in the Default Domain Policy GPO, which is linked to the domain node. For Windows 2000 and Server 2003 domains, there can be only one password policy per domain! This means that all users (IT staff, developers, executives, HR, etc.) have the same password policy restrictions. If those are weak for one set of users, then they are weak for all users. Modifications can be made to the local SAM on servers and desktops (not DCs) from GPOs linked to the OUs where these computer accounts reside in AD. These GPO settings only control local user accounts, not domain user accounts. LM is an old, insecure, and poor choice for an authentication protocol, which should be investigated and disabled if possible. In the next installment we will talk not only about protecting against LM, but also about other ways that Windows passwords are attacked.
Part 2:
Introduction
In the last article, I went into detail on how the default Windows password policy is established. As a reminder, the default Windows password policy is established using the Default Domain Policy GPO, which is linked to the domain. This is where the password “rules” for length, age, and complexity are established. In this article, I am going to talk a little about what technologies are available to break into a Windows password. The goal here is not to make hackers out of you, but rather to educate you on what hackers are doing in order to break into a Windows password. As you will see, different Windows operating systems have different attacks that can be used against them. Dramatic improvements have been made in Windows XP, Windows Server 2003 and later for protecting against hackers who want to obtain password information.
Note:
Many of the tools that I describe in this article come from hacker sites. I would suggest that you do not download any of these products and tools onto a production network or desktop. Ensure that the network and production environment is protected from anything that might come from a site containing these tools. Also, many companies have written security practices that prohibit the use of these products and tools. Ensure that you work with your security staff before downloading, installing, or using any of these products.
Social Engineering
By far one of the most popular and successful ways for an attacker to obtain a user password is through a social engineering attack. Social engineering attacks come in different methods and modes. Some might involve bartering for the password, while other attacks might simply “impersonate” the HelpDesk, IT, or a security professional within the company.
If you feel that a social engineering attack is beyond your environment, I would highly suggest that you read this report on how the IRS was put through a social engineering attack scenario; the results were quite amazing! You can read the article here. As a past consultant and hired trainer for the IRS, I am fully aware of the security awareness and technical education that its staff receive. These results are scary and, unfortunately, not outside the norm for most organizations.
The only true way to defend against a social engineering attack is education. Users must be educated on how to protect their password: reset it often, keep it private, and do not give it out after 10 seconds of a phone call with someone who is trying to attack the system.
Guessing
Another popular method of obtaining a user’s password is guessing. Everyone reading this article has “guessed” a password on some system in the past 6 months. It is something that we do all the time. The key is not to allow easily guessed passwords on your network. If you want a list of easily guessed passwords, look at the list that Conficker used to break into the Administrator account in the last attack by this worm. The worm itself had a password cracker built in, making it a very powerful and rogue worm.
Again, education goes a long way here. Give users a list of good passwords that they can start from. The passwords should not have the following characteristics:
• Too complex
• Routine character exchanges (i.e., Password becomes P@$$w0rd)
• Easy dictionary words
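To make the Part 1 policy defaults and the "routine character exchange" problem concrete, here is an added Python illustration (not from the article): it applies the rules as stated (7-character minimum, 3 of 4 character classes, 24-password history) and then checks the result against a small wordlist after undoing common substitutions. The substitution table and wordlist are constructed for this example; P@$$w0rd satisfies the complexity policy yet normalizes straight back to "password".

```python
import string

# Default domain password policy described in Part 1 (Windows Server 2003+ domains).
MIN_LENGTH = 7
MIN_CLASSES = 3     # 3 of the 4 classes: upper, lower, digit, special
HISTORY_SIZE = 24   # a password cannot be reused until 24 unique ones have been set

# Constructed table of "routine character exchanges" (Part 2); undone before the
# dictionary comparison so that P@$$w0rd is judged as the word it is built from.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "!": "i",
                      "3": "e", "4": "a", "5": "s", "7": "t"})

# Constructed mini wordlist standing in for the kind of list a worm or cracking
# tool ships with; a real list is far longer.
WEAK_WORDS = {"password", "administrator", "welcome", "letmein", "qwerty"}


def character_classes(password):
    """Count how many of the four Windows character classes the password uses."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def meets_domain_policy(password, history=()):
    """Length, complexity and history rules exactly as the article states them."""
    if len(password) < MIN_LENGTH:
        return False
    if character_classes(password) < MIN_CLASSES:
        return False
    # Only the most recent HISTORY_SIZE passwords are remembered.
    return password not in tuple(history)[-HISTORY_SIZE:]


def is_predictable(password, wordlist=WEAK_WORDS):
    """True for dictionary words and their substitution variants."""
    normalized = password.translate(LEET).lower()
    return password.lower() in wordlist or normalized in wordlist


def evaluate(password, history=()):
    """Return (passes_policy, predictable): complexity says nothing about guessability."""
    return meets_domain_policy(password, history), is_predictable(password)
```

Running evaluate("P@$$w0rd") returns (True, True): the domain would accept it, and a guessing tool would still find it on the first pass.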
In addition to guessable passwords, it is a common scenario for a user to write down a password and place it somewhere that is easy to find and see. Of course, I am talking about the situation where users write their password on a sticky note and then put it on their monitor, under their keyboard, on their desk, etc. I have also seen users simply write their password on their monitor or keyboard, in clear sight for anyone to see. This is a horrible practice and should be monitored and audited during a routine security audit of the company and its computers. It should also be included in the written security agreement that users cannot act in this way or disciplinary action will be taken against them.
Hack Tool Attacks
There are some common hack tools, all of which can take numerous approaches to attacking Windows passwords. What the password hacking tools are actually attacking is the password hash that is generated by the operating system. This hash matters across the different generations of Windows, because the newer operating systems support better password hash algorithms. The weakest of these password hash algorithms is LAN Manager (LM). LM was designed for Windows for Workgroups and is extremely old and out of date. Next is NTLM, then NTLMv2, and finally Kerberos. Kerberos is used between nearly all desktops and servers within an Active Directory environment, but LM is still supported and enabled! (We will discuss how to protect against the use of LM in the next article.)
Dictionary attacks are when tools like Cain & Abel use a hacker’s dictionary to try to obtain the password. Dictionaries are available from nearly anywhere on the Internet, and custom dictionaries can be loaded into Cain & Abel.
Brute force attacks are also very common. In a brute force attack the attack tool is configured with a set of characters that will be used to attack the password hash. All variations of those characters are used to generate a hash, which is then compared to the hash of the Windows password. Figure 1 illustrates the options that are available to perform a brute force attack.
Figure 1: Brute Force attacks can use any number of character combinations
Since a brute force attack must generate a hash for every combination of the characters you choose, it is not highly efficient. So hackers developed a way to store the hash results for the different character combinations in a database. These are called Rainbow tables. Rainbow tables are essentially precomputed sets of hash tables. Rainbow tables take about 1/10th the time to break a password compared to brute force attacks. There are tools such as the Rainbow Table Generator, shown in Figure 2, which can generate your own custom table. Tools like Cain & Abel support Rainbow tables, as illustrated in Figure 3.
Figure 2: You can use a free tool like the Rainbow Table Generator to design your own tables
Figure 3: Rainbow tables are supported in nearly every new password hacking tool
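As an added toy illustration (not from the article) of why precomputation pays off against unsalted hashes such as LM and NT, and what defeats it: a rainbow table over a deliberately tiny two-letter keyspace, with MD5 standing in for the password hash. Lookup recovers any password from its unsalted hash, but finds nothing once a per-user salt is mixed in, because the salted value was never part of the precomputation.

```python
import hashlib
from itertools import product

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 2        # toy keyspace: 26**2 = 676 passwords, so the demo runs instantly
CHAIN_LEN = 8     # hash/reduce steps per chain; longer chains = less storage, slower lookup

def H(text):
    # Stand-in for an unsalted password hash: like LM and NT, the same password
    # always yields the same hash, which is what makes precomputation worthwhile.
    return hashlib.md5(text.encode()).digest()

def reduce_to_password(digest, column):
    # Map a hash back into the keyspace. Mixing in the column index is what makes
    # this a *rainbow* table: chains that collide at different columns do not merge.
    n = int.from_bytes(digest, "big") + column
    return "".join(ALPHABET[(n // 26 ** i) % 26] for i in range(LENGTH))

def build_table():
    # One-time precomputation keeping only (chain end -> chain starts); intermediate
    # hashes are discarded and recomputed during lookup. Every word is used as a
    # start so coverage is complete; real tables use far fewer starts and accept misses.
    table = {}
    for start in map("".join, product(ALPHABET, repeat=LENGTH)):
        pw = start
        for col in range(CHAIN_LEN):
            pw = reduce_to_password(H(pw), col)
        table.setdefault(pw, []).append(start)
    return table

def lookup(target, table):
    # Guess which column the target hash sits in, walk the chain to its end, and
    # if that end is stored, replay the chain from its start to find the preimage.
    for col in range(CHAIN_LEN):
        pw = reduce_to_password(target, col)
        for c in range(col + 1, CHAIN_LEN):
            pw = reduce_to_password(H(pw), c)
        for start in table.get(pw, []):
            cand = start
            for c in range(CHAIN_LEN):
                if H(cand) == target:
                    return cand
                cand = reduce_to_password(H(cand), c)
    return None

def salted_hash(salt, text):
    # A per-user salt moves the stored value outside the precomputed space.
    return H(salt + text)
```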
Summary
There can be many attacks on a Windows password. Some are highly technical, and others are merely manipulation of the actual user into giving out their password. In most cases of social engineering and password guessing, education can go a long way. Users should be educated on how to properly create a password that is not easily guessed. They should also be instructed never to give out their password to anyone on the phone or to other colleagues. Tools such as Cain & Abel (only one of many password attack tools) have many options to try to break into passwords. Dictionary attacks, brute force attacks, and Rainbow tables provide a good arsenal against weak passwords and weak password hashes.