Security Basics mailing list archives

Re: ADS Password Storage Protection

From: Eoin Miller <eoin.miller () trojanedbinaries com>
Date: Mon, 17 Jul 2006 13:39:49 -0400

rolando_ruiz () jetaviation com wrote:

I'm looking for best practice ways of protecting access to password
storage in Active Directory. I have some immediate questions:

Where exactly are passwords kept?
Are these passwords kept in plain text?
How can I protect these passwords from being hacked? (Encryption,
restrictions, etc...)
Thank you in advanced
________________________________

Jet Aviation Holdings, Inc.
Rolando Ruiz


---------------------------------------------------------------------------
This list is sponsored by: SensePost
Hacking, like any art, will take years of dedicated study andpractice to master. We can't teach you to hack. But we can teach youwhat we've learned so far. Our courses are honest, real, technicaland practical. SensePost willl be at Black Hat Vegas in July. To seewhat we're about, visit us at:
http://www.sensepost.com/training.html
---------------------------------------------------------------------------

You will want to ensure that passwords are not stored using reversibleencryption (by default they are not). This is generally only required ifyou are configuring a RADIUS server that will use CHAP forauthentication. More information on reversible encryption settings forWindows password policies can be found here:


http://technet2.microsoft.com/WindowsServer/en/Library/eeff044c-d4a8-4699-a4b8-c5e563118c931033.mspx?mfr=true

I would also review the Windows Server 2003 Security guide startingaround page 33. That is where they begin discussing password policy. Itis available here:


http://www.nsa.gov/snac/os/win2003/MSCG-001R-2003.pdf

--Eoin

---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study andpractice to master. We can't teach you to hack. But we can teach youwhat we've learned so far. Our courses are honest, real, technicaland practical. SensePost willl be at Black Hat Vegas in July. To seewhat we're about, visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------------

Current thread:

ADS Password Storage Protection rolando_ruiz (Jul 14)
- RE: ADS Password Storage Protection Roger A. Grimes (Jul 14)
  - RE: ADS Password Storage Protection rolando_ruiz (Jul 27)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 31)
- Re: ADS Password Storage Protection Neil (Jul 17)
- Re: ADS Password Storage Protection Eoin Miller (Jul 17)
- <Possible follow-ups>
- Re: RE: ADS Password Storage Protection winshel (Jul 17)
  - Re: ADS Password Storage Protection ab (Jul 17)
  - RE: ADS Password Storage Protection Depp, Dennis M. (Jul 18)
    - Message not available
    - RE: ADS Password Storage Protection Harold Winshel (Jul 18)
    - RE: ADS Password Storage Protection Depp, Dennis M. (Jul 18)
    - Re: ADS Password Storage Protection Stephen John Smoogen (Jul 21)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 19)
    - Message not available
    - RE: ADS Password Storage Protection Harold Winshel (Jul 21)
    - RE: ADS Password Storage Protection Roger A. Grimes (Jul 21)

(Thread continues...)