Security Basics mailing list archives
RE: Highlighting weak password dangers
From: "Scott Ramsdell" <Scott.Ramsdell () cellnet com>
Date: Thu, 25 Jan 2007 16:40:24 -0500
Passprop.exe will let you enable lockouts for the admin account on Windows. I ran it on my base image before pushing it up to my RIS servers. Kind Regards, Scott Ramsdell -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Simon W. Hall Sent: Wednesday, January 24, 2007 1:15 PM To: 'WALI'; security-basics () securityfocus com Subject: RE: Highlighting weak password dangers 1. The Administrators account does not have a lockout policy! You can just run passwords after passwords on it. http://technet2.microsoft.com/WindowsServer/en/library/4639940c-74b3-46c 8-b4 97-cdb7666f1e461033.mspx?mfr=true Rename the administrators account... (security by obscurity) That will help a bit for outside threats. 2. To my knowledge, there is no good way to do a password audit on a windoze box. Unless you are going down the rainbow tables path, breaking hashes. Set up a good password policy, that way you ensure passwords meet a minimum requirement. Make your users change passwords after the policy is in place. Simon -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of WALI Sent: Wednesday, January 24, 2007 6:16 PM To: security-basics () securityfocus com Subject: Highlighting weak password dangers I want to highlight the danger of using weak passwords on servers and users admin desktops. I have tested TSgrinder with a basic dictionary Brute Force to access Remote Desktop exploit on both servers and desktops. The problem here is that when connected to domain, the Account Lockout feature disables the account quite soon. I can only show the exploit on machines not connected to the domain where Domain Security policy doesn't flow down. What are other interesting and intriguing ways to present this problem? I also need a system to do Passwords Audit on my domain and make then 'secure password' policy compliance.
Current thread:
- ENC: Password Pride - A Humorous Vulnerability Marcus Valsecchi (Jan 19)
- RE: Password Pride - A Humorous Vulnerability Dixon, Wayne (Jan 22)
- Re: Password Pride - A Humorous Vulnerability Melissa (Jan 22)
- RE: Password Pride - A Humorous Vulnerability David Gillett (Jan 23)
- Re: Password Pride - A Humorous Vulnerability RS (Jan 22)
- RE: Password Pride - A Humorous Vulnerability Murda Mcloud (Jan 23)
- Message not available
- Highlighting weak password dangers WALI (Jan 24)
- RE: Highlighting weak password dangers Simon W. Hall (Jan 25)
- RE: Highlighting weak password dangers Scott Ramsdell (Jan 26)
- Re: Highlighting weak password dangers Manuel Arostegui Ramirez (Jan 26)
- Re: Highlighting weak password dangers Alexander Bolante (Jan 30)
- Re: Highlighting weak password dangers anesde (Jan 31)
- Re: Password Pride - A Humorous Vulnerability Melissa (Jan 22)
- RE: Password Pride - A Humorous Vulnerability Dixon, Wayne (Jan 22)
- Message not available
- Re: Port 8081 mystery WALI (Jan 24)
- Port 8081 mystery WALI (Jan 23)
- RE: Port 8081 mystery Gressick, Michael (Jan 24)
- Re: Port 8081 mystery Brian . D . Turk (Jan 24)
- RE: Port 8081 mystery Remad (Jan 24)
- Re: Port 8081 mystery George A. Theall (Jan 24)
- Re: Port 8081 mystery Johnny Wong (Jan 24)