February 21, 2006 12:00 AM

Prevent Password Cracking

10 things you can do
Windows IT Pro
InstantDoc ID #49231

Preventing Password Cracking
Knowing how authentication protocols work and having some sense of the tools and techniques intruders use to carry out password attacks is helpful. Now, how can you keep your network safe? Follow my 10 recommendations, and your computers will be highly resistant to password attacks. Recommendations are in descending order of importance.

1. Disable LM password hashes. Most password cracking software requires LM password hashes to work. You can use one of three methods to disable the storage of LM password hashes.

  • Use passwords that are at least 15 characters long. When a password is longer than 14 characters, the system can't generate an LM password hash.
  • Disable LM password hash storage system-wide by using Group Policy or Local Security Policy. Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies. Select Security Options, then double-click Network Security: Do not store LAN Manager hash value on next password change. Click Enabled, then click OK. Alternatively, you can edit the registry. Open a registry editor (e.g., Regedt32.exe) and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. From the Edit menu, select Add Key and type NoLMHash. Press Enter, quit the registry editor, and restart the computer. To activate the setting, change the password.
  • Use a special Unicode character in the password. Certain Unicode characters prevent the system from generating an LM password hash. For a list of Unicode characters that have this effect, see Table 1 in Chapter 3 of the "Microsoft Windows 2000 Security Hardening Guide" (http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/03osinstl.mspx).

2. Require long, complex passwords. Require passwords of 15 or more characters with at least some basic complexity. By default, computers running Windows XP and later OSs have password complexity turned on (although it's debatable whether Microsoft's definitions of complexity are sufficiently rigorous). A password with 15 or more characters disables the creation of an LM password hash, thereby defeating most password cracking tools, including most rainbow tables. If your password is also complex, it will defeat rainbow tables, which can't handle complex NT password hashes in a reasonable period of time. (This situation could change with future improvements in password cracking techniques, however.)
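The two requirements in recommendations 1 and 2 (15 or more characters, so no LM hash can be stored, plus Windows' default complexity rule) can be checked before a password policy is rolled out. The following PowerShell function is an added example, not code from the article; Test-PasswordPolicy is a hypothetical name and the sample passwords are constructed.

```powershell
# Added example (not from the article): test a candidate password against
# recommendations 1 and 2: 15+ characters (so no LM hash is stored) and the
# default Windows complexity rule (three of four character classes, and the
# password may not contain the account name; the full rule also checks parts
# of the user's full name). Test-PasswordPolicy is a hypothetical name.
function Test-PasswordPolicy {
    param(
        [Parameter(Mandatory)][string]$Password,
        [string]$AccountName = ''
    )
    $findings = @()

    # An LM hash is only generated for passwords of 14 characters or fewer.
    if ($Password.Length -lt 15) {
        $findings += "Only $($Password.Length) characters: an LM hash can be stored (need 15+)"
    }

    # Count character classes: upper, lower, digit, non-alphanumeric.
    $classes = 0
    if ($Password -cmatch '[A-Z]')        { $classes++ }
    if ($Password -cmatch '[a-z]')        { $classes++ }
    if ($Password -match  '[0-9]')        { $classes++ }
    if ($Password -match  '[^A-Za-z0-9]') { $classes++ }
    if ($classes -lt 3) {
        $findings += "Only $classes of 4 character classes (need at least 3)"
    }

    # The complexity rule also rejects passwords that contain the account name.
    if ($AccountName -and $Password.ToLower().Contains($AccountName.ToLower())) {
        $findings += "Contains the account name '$AccountName'"
    }

    [pscustomobject]@{
        Password  = $Password
        Compliant = ($findings.Count -eq 0)
        Findings  = ($findings -join '; ')
    }
}

# Constructed samples: too short, not complex enough, contains the account name, compliant.
'Summer2006', 'correct-horse-battery-staple', 'Tr0ub4dor&3-jsmith', 'My!Long3rPassphrase' |
    ForEach-Object { Test-PasswordPolicy -Password $_ -AccountName 'jsmith' } |
    Format-Table -AutoSize
```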

3. Disable LAN Manager and NTLM authentication. Most password sniffers can be successful only if LAN Manager or NTLM authentication is used. After a thorough test to make sure it doesn't break your production environment, prevent the use of LAN Manager and NTLM authentication protocols. Do this by using a registry editor or Group Policy Object (GPO). Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: LAN Manager Authentication level, and enable Send NTLMv2 response only/refuse LM & NTLM.

4. Enable account lockouts. Enabling account lockouts will defeat, or at least significantly slow, most password-guessing attacks, whether manual or automated. I recommend enabling account lockouts using the following security settings:

  • Set the account lockout threshold to allow no more than five bad password attempts.
  • Set Reset account lockout counter after to 1 minute (the smallest possible value).
  • Set Account lockout duration to 1 minute.

Some people worry about a computer worm causing a Denial of Service (DoS) attack, but if a computer worm is guessing at passwords using all my users' logon names, I want to lock out even valid users until the computer worm is stopped. After the worm is gone, all locked-out user accounts will be re-enabled within 60 seconds.

5. Force moderately frequent password changes. From Group Policy or Local Security Policy, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Password Policy and set the Maximum password age setting to no more than 90 days. Given enough time, any password guesser, cracker, or rainbow table can defeat any password. But if a password is at least 15 characters long and complex, it will take most attackers more than 90 days to crack it. Any reasonable interval can be argued; just don't make your users switch passwords too frequently, because then they'll start writing down their passwords.

6. Protect boot order. Protect against physical attacks by using BIOS settings to prevent booting from anything but the primary hard disk, then password protect the BIOS. This recommendation will prevent (or at least delay) local, physical password attacks, including resetting passwords and extracting password hashes.

7. Rename highly privileged accounts. Consider renaming highly privileged accounts, such as the Administrator account, to something other than the default. Changing the names of highly privileged accounts to something other than their well-known default names will defeat many automated password-guessing programs.

8. Give additional protection to highly privileged accounts. Make sure the most highly privileged accounts in your enterprise have the longest and most complex passwords with the shortest maximum life.

9. Enable logon screen warning messages. Logon screen warning messages defeat many brute-force password-guessing programs such as TSGrinder because the automated programs don't expect a warning message to appear. You can enable logon screen warnings in Group Policy by navigating the console tree to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options, then double-clicking Interactive logon: Message text for users attempting to log on (and the related Interactive logon: Message title for users attempting to log on).

10. Audit passwords regularly. Finally, try to crack your organization's passwords yourself on a regular basis using some of the password cracking tools mentioned in "Types of Password Attacks." Do it before attackers do it. You can use the results as a compliance test and assist end users who don't follow recommended password policy to change their ways.
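The regular self-audit in recommendation 10 can also cover the configuration settings from the earlier recommendations. The PowerShell script below is an added example, not the article's own code: it checks a machine against recommendations 1, 3, 4, 5, 7 and 9 by reading the Lsa registry values, the logon-banner values, and a secedit export of the local security policy. The registry value names and the [System Access] keys in the secedit export are standard; the assumption that NoLMHash is a DWORD value (XP/2003 and later) rather than the Windows 2000 subkey is noted in the code, and secedit needs administrative rights.

```powershell
# Added example (not from the article): audit the local machine against the
# registry- and policy-backed recommendations 1, 3, 4, 5, 7 and 9.
# Assumes Windows XP/2003 or later and an elevated PowerShell session.
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$winlog = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$checks = @()

# 1. NoLMHash: DWORD value 1 on XP/2003+; Windows 2000 uses a NoLMHash subkey instead.
$noLm   = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
$noLmOk = ($noLm -eq 1) -or (Test-Path "$lsa\NoLMHash")
$checks += [pscustomobject]@{ Item = '1 NoLMHash'; Value = $noLm; Pass = $noLmOk }

# 3. LmCompatibilityLevel 5 = "Send NTLMv2 response only/refuse LM & NTLM".
$lmLevel = (Get-ItemProperty -Path $lsa -Name LmCompatibilityLevel -ErrorAction SilentlyContinue).LmCompatibilityLevel
$checks += [pscustomobject]@{ Item = '3 LmCompatibilityLevel'; Value = $lmLevel; Pass = ($lmLevel -eq 5) }

# 9. Logon banner: both the message text and the title must be set.
$notice   = Get-ItemProperty -Path $winlog -Name LegalNoticeText, LegalNoticeCaption -ErrorAction SilentlyContinue
$bannerOk = [bool]$notice.LegalNoticeText -and [bool]$notice.LegalNoticeCaption
$checks += [pscustomobject]@{ Item = '9 Logon banner'; Value = $notice.LegalNoticeCaption; Pass = $bannerOk }

# 4, 5, 7: export the local security policy and parse its [System Access] keys.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas SECURITYPOLICY | Out-Null
$policy = @{}
Get-Content $cfg | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*=\s*"?([^"]*)"?\s*$') { $policy[$matches[1]] = $matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$rules = @(
    @{ Item = '4 LockoutBadCount 1-5';      Key = 'LockoutBadCount';      Test = { param($v) [int]$v -ge 1 -and [int]$v -le 5 } },
    @{ Item = '4 ResetLockoutCount = 1';    Key = 'ResetLockoutCount';    Test = { param($v) [int]$v -eq 1 } },
    @{ Item = '4 LockoutDuration = 1';      Key = 'LockoutDuration';      Test = { param($v) [int]$v -eq 1 } },
    @{ Item = '5 MaximumPasswordAge <= 90'; Key = 'MaximumPasswordAge';   Test = { param($v) [int]$v -ge 1 -and [int]$v -le 90 } },
    @{ Item = '7 Administrator renamed';    Key = 'NewAdministratorName'; Test = { param($v) $v -ne 'Administrator' } }
)
foreach ($r in $rules) {
    $v    = $policy[$r.Key]
    $pass = if ($null -eq $v) { $false } else { & $r.Test $v }   # missing key counts as a failure
    $checks += [pscustomobject]@{ Item = $r.Item; Value = $v; Pass = $pass }
}

$checks | Format-Table -AutoSize
```

A MaximumPasswordAge of -1 (never expires) and a LockoutBadCount of 0 (no lockout) both show up as failures, which is the intended reading of recommendations 4 and 5.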

Don't Worry About the Experts
If you follow these 10 simple guidelines, the computers on your network will be highly resistant to password attacks—even those by so-called Windows security experts.
