Hmmmm….. there are two patches that won’t push down from MBSA/Shavlik so I’m doing them manually.  The first is the .NET 1.1 SP1 and the second is the 03-31 for the SBSMonitoring SQL/MSDE instance.  One tweak I’m putting in place is the “Dr. J Password security tweak”.  What?  Don’t know what I’m talking about?

If you have a full Windows 2000/XP network OR have made your 9x clients use the Active Directory add-on, you can turn off something called the LAN Manager hash.  What’s that?  It’s a legacy leftover from IBM that we really don’t need to keep turned on if our networks are up to date.

This KB explains how to ensure that this hash is not saved.  Why is this important?  Because if you’ve ever played with LC4 or LC5 or John the Ripper, you know how quickly passwords can be recovered when these hashes are saved.  It takes mere seconds for someone to retrieve your passwords if they are stored in this manner.  I’ve seen LC5 nail a 9-character dictionary word in mere minutes.

  • In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options
  • In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change
  • Click Enabled, and then click OK
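The three Group Policy steps above end up writing the NoLMHash value under the Lsa registry key on each machine. The script below is an added example (not part of the original post or of the KB) that reads that value so you can confirm the policy actually landed on a given box, and that can set it locally on a standalone machine. The function names are my own; the registry path and value name are the ones the policy uses on Windows XP and Server 2003 and later.

```powershell
# Added example: audit (and optionally set) the NoLMHash value that the
# 'Do not store LAN Manager hash value on next password change' policy controls.
$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmHashStorageState {
    # Returns an object describing whether NEW LM hashes will be stored on this box.
    # A missing value behaves like 0 (LM hashes are still stored).
    $value = (Get-ItemProperty -Path $LsaKey -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        NoLMHash       = $value
        LmHashDisabled = ($value -eq 1)
    }
}

function Disable-LmHashStorage {
    # Sets the same DWORD the Group Policy setting writes. Run elevated.
    # On a domain, prefer the GPO steps above so the setting is enforced everywhere.
    if (-not (Test-Path $LsaKey)) { throw "Lsa key not found: $LsaKey" }
    Set-ItemProperty -Path $LsaKey -Name NoLMHash -Value 1 -Type DWord
}

$state = Get-LmHashStorageState
$state | Format-List

if (-not $state.LmHashDisabled) {
    Write-Warning 'LM hashes are still being stored for new passwords on this machine.'
}
```

Two things to keep in mind when you use it. First, the policy name says "on next password change" for a reason: enabling it stops Windows from creating new LM hashes, but every LM hash already sitting in the SAM or in Active Directory stays there until that user changes their password, so follow the change with a forced password reset if you want the old hashes gone. Second, Windows 2000 handled this through a differently shaped registry entry rather than this DWORD value, so on 2000 boxes check the KB rather than relying on this script.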

So why are passwords important?  Let’s think of all the ways and places where we rely on passwords as the first line of defense.

  • Banks and online banking.
  • ATMs and Debit cards and PIN numbers
  • Websites and online shopping

Don’t you hope that all those places where YOU store passwords would enable that setting too?  [Granted you are probably not putting your password into an AD environment when you log in…but you get the point.] What other places do you put passwords in a computer system and probably don’t know what procedures they have for protecting them?  I’ve seen places like Tmobile and ATT wireless airport signups demand that the password that I chose matched a secure policy.  I don’t even want to admit how lame my password is.  Hmmmm… reminds me…. I should go change that sucker.  Excuse me while I go do that after I just admitted how lame it was  🙂


8 Responses to The last two patches and a Security tweak

  1. Anthony says:

    Mark Minasi has a great explanation in his recent newsletter. Really a must read. He explains how Windows stores your password/hash and how to increase the security by adding long passwords/phrases. The link is below with a very short snippet.


    Fourth, by default Microsoft operating systems retain something called "LAN Manager hashes," a bit of backward compatibility that unfortunately is a hacker’s dream — cracking passwords with LM hashes is child’s play. Ask any security techie to create a "things to do" list on how to harden a Windows system, and I can guarantee that "get rid of the LM hashes" will be somewhere near the top of that list.

    But how to do that? Well, LAN Manager only supported a maximum password length of 14 characters. When modern versions of Windows come across an account with a password longer than 14 characters, then they assume that the account’s owner doesn’t give a hoot about backwards compatibility with LAN Manager servers, and so Windows doesn’t bother creating an LM hash. In my experience, that’s the easiest way to eliminate LM hashes — just create a password whose length exceeds 14 characters.

    With that in mind, here’s what I recommend: do not require complex passwords, but require a 15-character minimum length for passwords. And yes, I know that sounds unusual, so let’s look at it in some detail.

  2. Susan says:

    Something to remember though is that Minasi’s advice is not supported by Product Support Services.

  3. Anthony says:

    Is that because you are using the adsiedit tool?

  4. Susan says:

    Can’t remember his entire comment at the Security summit, but he said it wasn’t a PSS approved tweak.

    If Mothership Charlotte, Las Colinas, Shanghai and Redmond don’t "bless" a setting, I’m hesitant to do otherwise without a real good reason.

  5. Anthony says:

    Do you not use the tools in the resource kits either? Or do you always verify them with PSS first?

  6. Susan says:

    Anthony… When someone like Dr. J says that specific recommendation that Minasi posted is not supported… I listen.

  7. Susan says:

    Besides.. I have a fully supported tool that enforces long passwords.

    Me and a written policy.

    Works every time 🙂

  8. Anthony says:

    I agree people and policy are much more effective. The business decision of doing one or the other is a totally different aspect. I was just curious about the technical reason Mark’s example wasn’t supported.

    I guess I need to research Dr. J.