
Document: Secure Window Password doc




Contents

Windows passwords: Making them secure

Part 1: Introduction

Like any network operating system, Windows puts a username and password at the heart of its security. There are default users (Administrator and Guest among them), each of which has a password associated with it. When any user attempts to authenticate or access any resource, the password for their user account is required. Thankfully, a Windows Server 2003 (and later) domain requires a password by default. This password needs to be protected from all angles because it can be captured, guessed, cracked, or otherwise determined. There are many ways to protect a Windows password, and this series of articles will discuss what you can do to increase the security of your passwords. First, we must understand how a password is established and controlled, then how it can be attacked, so that we can take measures to protect against the common attacks.

Windows Default Passwords

When you log on to an Active Directory domain, you need to input three key entries: username, password, and domain name. When the domain controller receives this information, it compares the password against the current password stored for that username in the Active Directory database. If the password matches, the domain controller authenticates the user and issues an authentication token that grants access to other resources on the network/domain. When the user attempts to change the password for their account, this information is also sent to the domain controller, where policies ensure that the new password meets minimum security requirements.

A few notes about the password policy for the domain (which also applies to all local user accounts by default):
• A Windows password requires a minimum of 7 characters (Windows Server 2003 domains and later)
• Passwords must contain 3 of the following 4 types of characters: upper case alpha, lower case alpha, numeric, special ($!@* .)
• A new password must be set within 42 days to keep the account active
• A password cannot be reused until 24 unique passwords have been created

All of these settings are established under the Computer Configuration portion of a GPO, listed under Password Policy. Figure 1 illustrates the settings for these password policy configurations.

Figure 1: Password Policy settings in a GPO are located under Computer Configuration, not User Configuration

What Controls Domain Password Policy?

As a long-time Windows security educator, I have been working with Active Directory since 1999 and have taught thousands of IT professionals the finer points of Windows security, including the details of the Windows Password Policy. I find it very interesting that now, over 9 years after Microsoft first released Active Directory, some IT professionals are still confused about how the password policy is controlled and what options they have to modify it. So, here is the reality of Windows Password Policy and its capabilities.

First, the Default Domain Policy GPO controls the Password Policy for all computers in the entire domain. Yes, this includes the domain controllers, servers, and desktops that have joined the domain. The Default Domain Policy is linked to the domain node, which of course targets all computers in the domain.

Second, any GPO linked to the domain can be used to establish and control the password policy settings. The GPO just has to have the highest priority at the domain level, which makes it "win" any conflict over the password policy settings.

Third, if a GPO is linked to an organizational unit (OU), it will NOT control the password policy for user accounts located in that OU. This is by far the most common mistake that IT professionals make. The password policy settings are NOT user based; they are computer based, as shown in Figure 1 above.

Fourth, if a GPO is linked to an OU, the password policy settings created in that GPO will affect the local SAM of any computer located under the OU. This "trumps" the password policy settings configured in the GPO linked to the domain, but only for the local user accounts stored in the local SAMs of these computers.

Fifth, if a GPO is linked to the Default Domain Controllers OU, it will NOT control the Active Directory database of users stored on the DCs. The only way to modify the password policy settings for domain user accounts is within a GPO linked to the domain (unless you are using a Windows Server 2008 domain, where you can use fine-grained password policies, which are described in full detail here).

Sixth, LanManager (LM) is still fully supported in most existing Windows Active Directory enterprises. LM is a very old authentication protocol that is very weak at protecting the password and the password hash generated to support authentication with this protocol. Two GPO settings (which are actually Registry settings) control whether LM will be supported and whether the LM hash will be stored. We will go into both of these settings in the next installment of this article series, making sure you know how to configure them correctly and exactly where to make the settings within a GPO.

Summary

The default password policy settings for an Active Directory domain are not horrible, but they can be improved. The default settings are originally configured and stored in the Default Domain Policy GPO, which is linked to the domain node. For Windows 2000 and Server 2003 domains, there can be only one password policy per domain! This means that all users (IT staff, developers, executives, HR, etc.) have the same password policy restrictions. If those are weak for one set of users, they are weak for all users. Modifications can be made to the local SAM on servers and desktops (not DCs) from GPOs linked to the OUs where these computer accounts reside in AD. These GPO settings only control local user accounts, not domain user accounts. LM is an old, insecure, and poor choice for an authentication protocol, which should be investigated and disabled if possible. In the next installment we will talk not only about protecting against LM, but also about other ways that Windows passwords are attacked.

Part 2: Introduction

In the last article, I went into detail on how the default Windows password policy is established. As a reminder, the default Windows password policy is established using the Default Domain Policy GPO, which is linked to the domain. This is where the password "rules" for length, age, and complexity are established. In this article, I am going to talk a little about what technologies are available to break into a Windows password. The goal here is not to make hackers out of you, but rather to educate you on what hackers are doing in order to break into a Windows password. As you will see, different Windows operating systems have different attacks that can be used against them. Dramatic improvements have been made in Windows Server 2003, XP, and later to protect against hackers seeking to obtain information about passwords.

Note: Many of the tools that I describe in this article come from hacker sites. I would suggest that you do not download any of these products and tools on a production network or desktop. Ensure that the network and production environment is protected from anything that might come from a site containing these tools. Also, many companies have written security practices that prohibit the use of such products and tools. Ensure that you work with your security staff before downloading, installing, or using any of them.

Social Engineering

By far one of the most popular and successful ways for an attacker to obtain a user password is a social engineering attack. Social engineering attacks come in different methods and modes. Some might involve bartering for the password, while others might simply impersonate the HelpDesk, IT, or security professional within the company. If you feel that a social engineering attack is beyond your environment, I would highly suggest that you read this report on how the IRS was put through a social engineering attack scenario; the results were quite amazing! You can read the article here. As a past consultant and hired trainer for the IRS, I am fully aware of the security awareness and technical education that its staff receive. These results are scary and, unfortunately, not outside the norm for most organizations. The only true way to defend against a social engineering attack is education. Users must be educated on how to protect their password, reset it often, keep it private, and not give it out after 10 seconds of a phone call with someone who is trying to attack the system.

Guessing

Another popular method of obtaining a user's password is guessing. Everyone reading this article has "guessed" a password on some system in the past 6 months. It is something that we do all the time. The key is to not allow passwords that are easily guessed on your network. If you want a list of easily guessed passwords, look at the list that Conficker used to break into the Administrator account in the last attack of this worm. The worm itself had a password cracker built into it, making it a very powerful and rogue worm. Again, education goes a long way here. Give users a list of good passwords that they can start from. The passwords should not have the following characteristics:
• Too complex
• Routine character exchanges (e.g. Password becomes P@$$w0rd)
• Easy dictionary words

In addition to guessing passwords, it is a common scenario for a user to write down a password and place it somewhere that is easy to find and see. Of course, I am talking about the situation where users write their password on a sticky note and then put it on their monitor, under their keyboard, on their desk, etc. I have also seen users write their password directly on their monitor or keyboard, in clear sight for anyone to see. This is a horrible practice and should be monitored and audited during a routine security audit of the company and its computers. It should also be included in the written security agreement that users may not act in this way or disciplinary action will be taken against them.

Hack Tool Attacks

There are some common hack tools that exist, all of which can take numerous approaches to attacking Windows passwords. What the password hacking tools are actually attacking is the password hash generated by the operating system. This hash matters at the different levels of Windows operating system, because the newer operating systems support better password hash algorithms. The weakest of these password hash algorithms is LanManager (LM). LM was designed for Windows for Workgroups and is extremely old and out of date. Next is NTLM, then NTLMv2, and finally Kerberos. Kerberos is used between nearly all desktops and servers within an Active Directory environment, but LM is still supported and enabled! (We will discuss how to protect against the use of LM in the next article.)
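As an added example (not part of the original article), the following Python audit applies the Part 1 policy rules (7 characters, 3 of 4 character classes, 24-password history) together with the guessing guidance above, detecting the routine character exchanges the article warns about; the wordlist, the leet map and the sample passwords are constructed here.

```python
import re

# Default domain policy values quoted in Part 1.
MIN_LENGTH = 7
CLASSES_REQUIRED = 3
HISTORY_COUNT = 24

# Constructed mini wordlist; a real audit would use a full dictionary.
WORDLIST = {"password", "welcome", "letmein", "summer", "admin"}

# Routine character exchanges the article warns about (Password -> P@$$w0rd),
# mapped back to the letters they stand in for.
LEET = str.maketrans("@$013457", "asoieast")

def meets_complexity(pw):
    """The Part 1 rule: at least 7 characters drawn from 3 of the 4 classes."""
    classes = (
        re.search(r"[A-Z]", pw) is not None,
        re.search(r"[a-z]", pw) is not None,
        re.search(r"[0-9]", pw) is not None,
        re.search(r"[^A-Za-z0-9]", pw) is not None,
    )
    return len(pw) >= MIN_LENGTH and sum(classes) >= CLASSES_REQUIRED

def is_guessable(pw):
    """True when pw is a wordlist entry or a leet/suffix variant of one,
    e.g. 'P@$$w0rd!' or 'Welcome2013'."""
    stripped = re.sub(r"[^A-Za-z]+$", "", pw)    # drop trailing digits/symbols
    base = stripped.translate(LEET).lower()       # undo @->a, $->s, 0->o, ...
    return pw.lower() in WORDLIST or base in WORDLIST

def audit(pw, history=()):
    """Return the list of reasons a candidate password should be rejected.
    history holds the user's previous passwords, oldest first (constructed)."""
    problems = []
    if not meets_complexity(pw):
        problems.append("fails length/complexity")
    if is_guessable(pw):
        problems.append("guessable variant of a dictionary word")
    if pw in list(history)[-HISTORY_COUNT:]:
        problems.append("reused within the last 24 passwords")
    return problems

if __name__ == "__main__":
    # 'P@$$w0rd!' satisfies the complexity rule yet is trivially guessable.
    for candidate in ("P@$$w0rd!", "Welcome2013", "Abcde1", "T4ble-Lamp-Quiet"):
        print(candidate, audit(candidate) or "ok")
```

The point of the run is that complexity alone does not make a password hard to guess: the first two candidates pass the GPO rule and still fall to a small wordlist once the exchanges are undone.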
Dictionary attacks are when tools like Cain & Abel use a hacker's dictionary to try to obtain the password. Dictionaries are available from nearly anywhere on the Internet, and custom dictionaries can be loaded into Cain & Abel.

Brute force attacks are also very common. In a brute force attack, the attack tool is configured with a set of characters that will be used to attack the password hash. All variations of those characters are used to generate hashes, each of which is then compared to the hash of the Windows password. Figure 1 illustrates the options available to perform a brute force attack.

Figure 1: Brute force attacks can use any number of character combinations

Since a brute force attack must generate a hash for every combination of the characters you choose, it is not highly efficient. So hackers developed a way to store the hash results for the different character combinations in a database. These are called Rainbow tables. Rainbow tables are nothing but a predetermined set of hash tables. Rainbow tables take about 1/10th the time to break a password compared to brute force attacks. There are tools such as the Rainbow Table Generator, shown in Figure 2, which can generate your own custom table. Tools like Cain & Abel support Rainbow tables, as illustrated in Figure 3.

Figure 2: You can use a free tool like the Rainbow Table Generator to design your own tables.

Figure 3: Rainbow tables are supported in nearly every new password hacking tool

Summary

There can be many attacks on a Windows password. Some are highly technical and others are merely manipulation of the actual user into giving out their password. In most cases of social engineering and password guessing, education can go a long way. Users should be educated on how to properly create a password that is not easily guessed. They should also be instructed never to give out their password to anyone on the phone or to other colleagues. Tools such as Cain & Abel (only one of many password attack tools) have many options to try to break into passwords. Dictionary attacks, brute force attacks, and Rainbow tables provide a good arsenal against weak passwords and weak password hashes.
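Added example, not from the article: a Python estimate of how many candidates a brute force tool must try against an LM hash versus an NT hash, which is why the article ranks LM as the weakest algorithm. It relies on the known LM behaviour (password upper-cased, padded to 14 bytes, hashed as two independent 7-byte halves, and not stored at all for passwords longer than 14 characters); the character-class sizes are assumed.

```python
import math

# Assumed character-class sizes (printable US-ASCII) for the estimate.
UPPER, LOWER, DIGIT, SPECIAL = 26, 26, 10, 32

def nt_candidates(length, upper=True, lower=True, digit=True, special=True):
    """Candidates a brute-force tool must try against an NT hash: the whole
    password, case-sensitive, hashed in one piece at its full length."""
    size = ((UPPER if upper else 0) + (LOWER if lower else 0)
            + (DIGIT if digit else 0) + (SPECIAL if special else 0))
    return size ** length

def lm_candidates(length, upper=True, lower=True, digit=True, special=True):
    """Candidates for an LM hash. LM upper-cases the password, pads it to
    14 bytes and hashes each 7-byte half independently, so the attacker
    searches two short, case-insensitive halves instead of one long string."""
    if length > 14:
        return 0          # Windows stores no LM hash for passwords over 14 chars
    # upper and lower case collapse into a single 26-letter class
    size = ((UPPER if (upper or lower) else 0)
            + (DIGIT if digit else 0) + (SPECIAL if special else 0))
    first, second = min(length, 7), max(length - 7, 0)
    return size ** first + (size ** second if second else 0)

def bits(candidates):
    """Work factor in bits; 0.0 means there is nothing to crack."""
    return round(math.log2(candidates), 1) if candidates else 0.0

def compare(length):
    """Return (LM bits, NT bits) for a mixed-class password of this length."""
    return bits(lm_candidates(length)), bits(nt_candidates(length))

if __name__ == "__main__":
    for n in (7, 8, 14, 15):
        lm, nt = compare(n)
        print(f"{n:2d} chars: LM ~2^{lm}  NT ~2^{nt}")
```

The comparison shows that a 14-character mixed-class password costs less to brute-force through its LM hash than an 8-character one through its NT hash, and that disabling LM hash storage (or using passwords longer than 14 characters) removes that weak target entirely.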

Posted: 20/12/2013, 21:16
