RE: ADS Password Storage Protection

["Roger A. Grimes" <roger () banneretcs com>]

Let me comment on this post by saying that password length beats
complexity character for character. 

So go long and forget complexity.  Complexity pisses end users off.  

At 15 characters (complex or not), password is uncrackable.  Tell normal
users to go 12 character min. (actually 9 and above is pretty good).
Admins should go 15+.

I frequently demo this idea using Cain (www.oxid.it) and its brute force
cracking mode.

If I can get your LM hashes, I can crack your password no matter how
complex. If you go 15 char.+, I'll never crack it,  no matter how big
the rainbow tables or how many computers I have.

Linux folks should use bcrypt password hashes to accomplish the same.

Roger

*****************************************************************
*Roger A. Grimes, InfoWorld, Security Columnist 
*CPA, CISSP, MCSE: Security (2000/2003/MVP), CEH, yada...yada...
*email: roger_grimes () infoworld com or roger () banneretcs com
*Author of Professional Windows Desktop and Server Hardening (Wrox)
*http://www.amazon.com/gp/product/0764599909
*****************************************************************



-----Original Message-----
From: eric.baechle () dhs gov [mailto:eric.baechle () dhs gov] 
Sent: Monday, July 17, 2006 1:49 AM
To: security-basics () securityfocus com
Subject: RE: ADS Password Storage Protection

Rolando,

The first couple of Mr. Grimes' suggestions are spot-on, but password
cracking is often not the problem.  To understand the threat-vectors for
your ADS passwords you have to understand how they're stored and shared,
which I believe was your original question.

In Active Directory the passwords are actually stored encrypted in
active directory files.  As mentioned by Mr. Grimes, this is the
NTDS.DIT file on your Windows ADS Domain Controllers.  The passwords are
hashed (a one-way mathematical encryption-style function) using a
combination of the username and password for the user.  Again as Mr.
Grimes pointed out, by default Windows stores these using a now-outdated
storage format called Lan Mananger.  My methodology differs a bit from
Mr. Grimes here.  In my opinion, the quickest increase to your security
is two-fold:
1)  Force the use of NTLMv2 (New Technology Lan Manager version 2) as
Mr. Grimes suggested.
2)  Force complexity requirements of 8 characters with at least 1
number, one capital letter, and one special character (You will only
give users heartburn by making it more than 8 characters and not
effectively increase your security).

Once you do this, reset everyone's password so they must change it at
their next login (otherwise the LM hash stays).

You don't really need to worry about cracking of passwords, you just
want to make them hard to guess.  In order to crack a password, an
attacker needs to export your passwords from NTDS.DIT.  Access to do
this requires administrator-level authority on your Windows domain
controllers.  If your attacker has admin rights on your domain
controllers you're already compromised.  

Second, when a system authenticates it does not send the user's name and
password over the wire.  It computes the hash and then sends the hash
over the wire.  The server then compares the hash sent from the client
to the one stored in ADS.  If it matches the system _assumes_ the
correct username and password was entered at the client.  SMB (windows
authentication) clients that inject hash credentials already exist in
the wild.  If someone has your password hashes, they don't need to crack
a thing (Google for "pass the hash").

Some additional suggestions on securing your password databases:

1) Turn security logging on!  Monitor mass authentication failures!
2) Set the lockout threashold to something higher than 3, like 25... A
human typically remembers 8 things at one time, and will get frustrated
and contact a helpdesk between 8 and 15 tries.  If a lockout ever occurs
from 25 attempts, you KNOW an automated brute-force is attacking your
system and not just some poor guy that can't remember which of the 4 or
5 passwords he knows is for that system.
3) Obtain an intrusion detection system and monitor access to NTDS.DIT!
If you need to, run a password dump against your system to obtain a
definition for the attack (but be sure to delete the hash files that
result when you're done).
4) Force your passwords to change often (90 days?) in case you miss
someone exfiltrating your password database or someone uses the same
password that they do for their web accounts.


I welcome a discussion on this topic.  I think that authentication
security is one of the most misunderstood topics in computer security
today.

Sincerely,

Eric Baechle, CISSP/ISSEP, etc...
Senior INFOSEC/OPSEC Engineer
Department of Homeland Security

------------------------------------------------------------------------
---
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and practice
to master. We can't teach you to hack. But we can teach you what we've
learned so far. Our courses are honest, real, technical and practical.
SensePost willl be at Black Hat Vegas in July. To see what we're about,
visit us at: 

http://www.sensepost.com/training.html
------------------------------------------------------------------------
---


---------------------------------------------------------------------------
This list is sponsored by: SensePost

Hacking, like any art, will take years of dedicated study and
practice to master. We can't teach you to hack. But we can teach you
what we've learned so far. Our courses are honest, real, technical
and practical. SensePost willl be at Black Hat Vegas in July. To see
what we're about, visit us at:

http://www.sensepost.com/training.html
---------------------------------------------------------------------------