Please read the following article written by KLC Consulting, compare these policies to the policies you have at work now, or have had in the past. Explain why password policies are good and how they can be manipulated. If a business has a strict account and management policy in place, does that make it safe? Why/Why not? Find an article online that reported a network or data security breach; how did it impact the company?
KLC Consulting, Inc.
IS / IT Security Services

Here are some recommendations on your user account and password management. Keep in mind that your security policies depend strictly on your business requirements! Security and performance move inversely: the higher the security measures, the lower the performance and efficiency.
Rename the default administrator account “Administrator” to something harder to guess. This will prevent people from guessing your administrator account. Make sure you remember the new administrator account name and password: you will need to log in as the local administrator to make any changes to the computer configuration, hardware and software installations.

After you have renamed the administrator account, you should no longer see an account named “Administrator”.

Next, create a decoy account. Create a new user called “Administrator”, and make sure it does NOT belong to any groups. In other words, when you click on the “Member of” tab in the user properties in the User Management window, you should not see any groups listed. If you do, remove them. This will make sure the decoy account named “Administrator” has no access to the server.

If you have auditing for logon/logoff turned on, you will be able to detect any logon/logoff activity by the decoy “Administrator” user account. You can detect these activities by using Event Viewer to check the Security log. This will give you some indication of hacking activity.
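As an added example (not KLC Consulting's code), the following Python script shows the detection step above applied to a handful of constructed Security-log records: any logon event naming the decoy account is flagged, because nobody legitimate should ever use it. The record fields and the sample entries are constructed for this example; the event IDs 528 (successful logon) and 529 (failed logon) are the Windows 2000 Security-log IDs.

```python
"""Flag logon activity against the decoy "Administrator" account in
Security-log records.  Added example, not KLC Consulting's code.
SAMPLE_EVENTS is constructed to resemble Windows 2000 Security-log
entries; the field names are an assumption of this example."""
from collections import Counter

DECOY_ACCOUNT = "Administrator"   # the decoy created after the real account was renamed

# Windows 2000 Security-log event IDs for logon auditing.
LOGON_SUCCESS = 528
LOGON_FAILURE = 529

# Constructed sample records (not real log data).
SAMPLE_EVENTS = [
    {"event_id": 528, "time": "2004-03-01 09:02:11", "account": "jsmith", "workstation": "WS-12"},
    {"event_id": 529, "time": "2004-03-01 09:05:40", "account": "Administrator", "workstation": "WS-77"},
    {"event_id": 529, "time": "2004-03-01 09:05:42", "account": "Administrator", "workstation": "WS-77"},
    {"event_id": 529, "time": "2004-03-01 09:05:45", "account": "administrator", "workstation": "WS-77"},
    {"event_id": 528, "time": "2004-03-01 09:10:03", "account": "Administrator", "workstation": "WS-77"},
    {"event_id": 529, "time": "2004-03-01 09:30:00", "account": "jsmith", "workstation": "WS-12"},
]


def decoy_activity(events, decoy=DECOY_ACCOUNT):
    """Return every logon record that names the decoy account.
    Account names are matched case-insensitively, as Windows does.
    Any hit is worth investigating: the decoy belongs to no groups and
    nobody should be using it, so even a successful logon is an alert."""
    return [e for e in events
            if e["event_id"] in (LOGON_SUCCESS, LOGON_FAILURE)
            and e["account"].lower() == decoy.lower()]


def summarize(events, decoy=DECOY_ACCOUNT):
    """Count decoy hits per source workstation, split by outcome."""
    summary = Counter()
    for e in decoy_activity(events, decoy):
        outcome = "success" if e["event_id"] == LOGON_SUCCESS else "failure"
        summary[(e["workstation"], outcome)] += 1
    return summary


if __name__ == "__main__":
    for (workstation, outcome), n in sorted(summarize(SAMPLE_EVENTS).items()):
        print(f"ALERT decoy account used from {workstation}: {n} {outcome} logon(s)")
```

The successful logon from WS-77 is the more serious finding: three failures followed by a success against an account that should never be used suggests the decoy's password was guessed, and the workstation is the place to start the investigation.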
Make sure the passwords for Administrator and regular user accounts are changed every 30 – 90 days to increase server security.

Password policies on Windows 2000 should be changed from the default settings.
Here are the default password policy settings:
Enforce password history: 1 password remembered
Maximum password age: 42 days
Minimum password age: 0 days
Minimum password length: 0 characters
Passwords must meet complexity requirements: Disabled
Store password using reversible encryption for all users in the domain: Disabled

Here are the default Account Lockout policy settings:
Account lockout duration: Not defined
Account lockout threshold: 0 invalid logon attempts
Reset account lockout counter after: Not defined
Here are some suggested settings for the password policy (MS = Microsoft; NSA = National Security Agency; NIST = National Institute of Standards and Technology):

Policy: Enforce password history
Rec. value: 12 passwords remembered
Reason: Users cannot re-use passwords from the past 3 years.

Policy: Maximum password age
Ref. values: MS: 42; NSA: 42; SANS: 45-90; NIST: 90
Rec. value: 90 days
Reason: Users must change passwords within 90 days. Usually between 30 – 90 days; the sys admin can decide a reasonable value.

Policy: Minimum password age
Ref. values: MS: 2; NSA: 2; SANS: 1 - 5; NIST: 1
Rec. value: 1 day
Reason: Users can’t reset their password within 1 day. This will prevent intruders from constantly trying different passwords.

Policy: Minimum password length
Ref. values: MS: 8; NSA: 12; SANS: 8; NIST: 8
Rec. value: 8 characters
Reason: Usually between 6 – 12 characters; 6-8 characters is a more common length.

Policy: Passwords must meet complexity requirements
Rec. value: Disabled (you decide)
Reason: If set with the default passfilt.dll:
· Passwords must be at least six characters long.
· Passwords can't contain the user name. For example, if a user's account is "bobm", he can't set his password as bobm, or bobxxx.
· Passwords must use at least three of the four available character types: lowercase letters, uppercase letters, numbers, and symbols (+,=,_,*,&,…).

Policy: Store password using reversible encryption for all users in the domain
Rec. value: Disabled (you decide)
Reason: Usually not set. Learn more from the Microsoft link below.
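As an added example, not the article's own code and not Microsoft's passfilt.dll, here is a Python check that applies the three complexity rules listed above to a candidate password and reports which rules it breaks. It treats the ASCII punctuation set as the "symbols" class, which is an assumption of this example.

```python
"""Apply the three passfilt.dll complexity rules listed in the article
to a candidate password.  Added example: not the article's code and not
Microsoft's passfilt.dll itself."""
import string


def complexity_failures(password: str, account_name: str) -> list:
    """Return the rules the password breaks; an empty list means it passes."""
    failures = []
    # Rule 1: at least six characters long.
    if len(password) < 6:
        failures.append("shorter than six characters")
    # Rule 2: must not contain the account name (compared case-insensitively).
    if account_name and account_name.lower() in password.lower():
        failures.append("contains the account name")
    # Rule 3: at least three of the four character classes.  The "symbols"
    # class is approximated with ASCII punctuation (assumption of this example).
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        failures.append("uses fewer than three of the four character classes")
    return failures


def meets_complexity(password: str, account_name: str) -> bool:
    """True when the password satisfies all three rules."""
    return not complexity_failures(password, account_name)


if __name__ == "__main__":
    # Constructed candidates for the account "bobm" from the article's example.
    for candidate in ("bobm", "bobxxx", "Bobm2004!", "Tr0ub4dor&3"):
        print(f"{candidate!r:14} -> {complexity_failures(candidate, 'bobm') or 'OK'}")
```

Note that a password such as "bobxxx" passes the length and account-name rules yet is still rejected, because it uses only one character class; the three rules act together, so a checker that stops at the first passing rule would accept passwords the filter refuses.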
Here are some suggested settings for the account lockout policy:

Policy: Account lockout duration
Ref. values: MS: 0 (indefinite); NSA: 15; SANS: 240; NIST: 15
Rec. value: 15 minutes
Reason: You must pre-determine the system administration costs to justify this value. You can set it to 30 minutes to automatically remove the lockout for accounts; however, most legitimate users will call you anyway when they get locked out. Note: the value “0” means lock out indefinitely. 99999 minutes is the maximum number allowed for this policy.

Policy: Account lockout threshold
Ref. values: MS: 5; NSA: 3; SANS: 5; NIST: 3
Rec. value: 3 invalid logon attempts
Reason: Legitimate users should not have to try more than 3 times to get the right password. If they do, the account will get locked out. The system administrator can investigate this further to find the reason for the lockout. If many legitimate users are getting locked out, then either this value may be modified accordingly, or someone may be trying to guess passwords to get into the network. 3 attempts is a common value for this policy.

Policy: Reset account lockout counter after
Ref. values: MS: 30; NSA: 15; SANS: 240; NIST: 15
Rec. value: 15-30 minutes
Reason: The time required before resetting the counter for bad password attempts. 15 - 30 minutes is usually sufficient. After this time, the counter for bad password attempts resets to 0. For example, if this value is set to 15 minutes and a user tried 2 bad passwords to log on to his account at 12:00PM, Windows 2000 has a counter remembering that he has 2 bad password attempts. At 12:16PM, this counter will be reset to 0.
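The following Python simulation is an added example (not Microsoft's implementation and not KLC Consulting's code) of how the three lockout settings interact, using the recommended values of 3 attempts, a 15-minute reset window and a 15-minute lockout, and reproducing the 12:00PM / 12:16PM counter-reset case from the table. The class and its timestamps are constructed for this example; it also covers the default threshold of 0 (never lock out) and a duration of 0 (indefinite lockout) that the table describes.

```python
"""Simulate the three Windows account-lockout settings from the table:
threshold, reset-counter window and lockout duration.  Added example:
the state machine is written for this page, not Microsoft's
implementation, and the timestamps are constructed."""
from datetime import datetime, timedelta


class LockoutPolicy:
    """Values follow the table's semantics: threshold 0 never locks out,
    duration 0 locks out indefinitely (until an administrator unlocks)."""

    def __init__(self, threshold=3, reset_after_minutes=15, duration_minutes=15):
        self.threshold = threshold
        self.reset_after = timedelta(minutes=reset_after_minutes)
        self.duration = None if duration_minutes == 0 else timedelta(minutes=duration_minutes)
        self._bad = {}       # account -> (bad-attempt count, time of last bad attempt)
        self._locked = {}    # account -> lock expiry time, or None for indefinite

    def bad_count(self, account, now):
        """Current bad-attempt counter; it reads 0 once the reset window has passed."""
        count, last = self._bad.get(account, (0, None))
        if last is None or now - last >= self.reset_after:
            return 0
        return count

    def unlock(self, account):
        """Administrator clears the lockout and the counter."""
        self._locked.pop(account, None)
        self._bad.pop(account, None)

    def attempt(self, account, correct, now):
        """Process one logon attempt and return 'locked', 'success' or 'failure'."""
        if account in self._locked:
            expiry = self._locked[account]
            if expiry is None or now < expiry:
                return "locked"           # even a correct password is refused
            self.unlock(account)          # duration elapsed: the lock clears itself
        count = self.bad_count(account, now)
        if correct:
            self._bad.pop(account, None)
            return "success"
        count += 1
        self._bad[account] = (count, now)
        if self.threshold and count >= self.threshold:
            self._locked[account] = None if self.duration is None else now + self.duration
            return "locked"
        return "failure"


if __name__ == "__main__":
    # The table's example: two bad passwords at 12:00PM, counter gone by 12:16PM.
    policy = LockoutPolicy()
    noon = datetime(2004, 3, 1, 12, 0)
    policy.attempt("bobm", False, noon)
    policy.attempt("bobm", False, noon + timedelta(seconds=5))
    print("counter at 12:10PM:", policy.bad_count("bobm", noon + timedelta(minutes=10)))
    print("counter at 12:16PM:", policy.bad_count("bobm", noon + timedelta(minutes=16)))
```

The simulation makes the trade-off in the table concrete: with the default threshold of 0 an attacker can keep guessing without limit, while with a lockout duration of 0 a single burst of three bad guesses keeps the legitimate owner out until an administrator intervenes, which is the help-desk cost the table asks you to budget for.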
For more information on the settings, you can find details on the Microsoft website: Creating User and Group Accounts

4. Make sure users do NOT write down their passwords and post them on the computer monitor, keyboard, or under the desk. You may laugh, but if you check your users, you will be surprised at the number of users who do this. If they do need to write down their password for whatever reason, make sure the passwords are stored in a secure location, i.e. a locked drawer.

5. Make sure users do NOT share passwords with other people.

6. Make sure users do NOT reveal passwords to anyone other than the system administrators and people delegated by the system administrators.

7. Enable logging for successful and failed logon/logoff events. This shows you the activities on your system.

8. If you are a system administrator for a business environment, make sure you set the local administrator account for the desktop users. Users should NOT know the passwords for the local administrator account.

If you are a home user, make sure you have a strong password for your “Administrator” accounts.
Make sure “Administrator” accounts have NO BLANK PASSWORDS, and NO EASY TO GUESS PASSWORDS. Many have discovered that several Trojans and worms tried to get into Windows 2000 systems with easy to guess passwords, e.g. the “Administrator” account with a BLANK password, the “Administrator” account with “Administrator” as the password, “admin” with “admin”, “root” with “root”, and so on… Be careful! Many people don't set strong passwords, which is like leaving the door to your house open at night while you are sleeping! Your password is your first line of defense.

For sample passwords that were included in some Trojans' password dictionaries, please refer to http://www.klcconsulting.net/mirc_virus_analysis.htm and http://www.klcconsulting.net/deloder_worm.htm.
This should be a good start for good password management and user account policies. Microsoft does provide some good security guidelines on Windows 2000, and you should definitely go over Microsoft's recommendations in more detail. Again, you can find more on account and group account management from Microsoft at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/windows2000serv/deploy/confeat/08w2kada.asp
Reference:
· Microsoft Security Best Practices on Windows 2000 servers - http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp
· Microsoft Solution Guide for Securing Windows 2000 Server - download
· NSA Security Template - http://www.nsa.gov/snac/win2k/index.html
· NIST Security Template -