Penetration Testing mailing list archives

RE: Password "security" - was "Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords"


From: "Dufresne, Pierre" <PIERRE.DUFRESNE () MESS GOUV QC CA>
Date: Mon, 3 Oct 2005 10:44:44 -0400

Thanks for your detailed answer.

As I said, by using SYSKEY with a password-on-boot, I was hoping to protect the cache entries stored on the laptops. Without the SYSKEY password, the machine won't boot, so an attacker could not dump the cache (CacheDump) or get access to the LSA (LSADump2). I also assume that booting with another OS would not give the attacker access to the EFS files because AES is pretty strong, the cache entries are encrypted with a secret (NL$KM) which is stored in the LSA, and the LSA is not accessible because the system key is password protected by a password which is not stored locally anymore. I don't assume my reasoning is foolproof; I just want to make sure deploying SYSKEY with a password-on-boot will render our laptops harder to penetrate.

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor () hammerofgod com] 
Sent: 30 septembre 2005 01:06
To: Dufresne, Pierre; pen-test () securityfocus com
Subject: Re: Password "security" - was "Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords"

Let's break this down a bit-- 

I didn't pick up on the fact that you were concerned with laptop security-- when you discussed SYSKEY'ing the SAM, I assumed a member/stand-alone SAM. But you can certainly SYSKEY the SAM of an XP box as well...

Regarding laptop security, you're in the same boat as the rest of us. It's tough business to secure resident data and keep the box patched while making access easy enough for the user to get their jobs done without compromising security. My gut feeling is that it is so difficult that the majority of corporate laptop deployments are seriously lacking in security, and that the laptop represents one of the highest levels of threat and exposure to an organization. So let's chew on this one...

First off, SYSKEY'ing the SAM of an XP lappy does not encrypt the cached pwd's in the LSA. It just changes the encryption level of the SAM accounts db itself. This is where the number of cached logons stored in the LSA comes in... If you are authenticating to the local account base on the box, you can set this to 0 without worry (because it does not come into play). However, if you are authenticating to a domain (which I have to assume you are doing since cached logons are a concern), setting cached logons to 0 will require a connection to a DC just to log on to the box-- something I don't see many people do on remote laptops using domain accounts. That being said, most deployments of EFS that I have seen, particularly in laptops, are based on domain accounts. The main reason being the fact that authentication is off-box, thus reducing the risk of local accounts compromising EFS encrypted files. You also can use the domain-based recovery certificate to access files should you have to take a user out back and shoot them. Hey, these things happen in the south.

So, I would opine that using SYSKEY to secure local accounts on a laptop using EFS is a bit bulky, and that the associated administrative overhead to make it all work well is counter-productive... Of course, if any on the list are doing this with appreciable levels of success, please let us know what we are missing (what I'm missing, anyway.)

Regarding passwords, just use pass phrases. This whole thread really got skewed in regard to that, I think. For one, a password with a whitespace in it is obviously more secure than one without, simply because it increases the keyspace. It doesn't matter what Cain and Able, or Adam and Eve for that matter, can do with it-- increased keyspace == increased overhead to crack. It's simple math. You'll hear all manner of war stories of people cracking this, cracking that, using rainbow tables here, LM cracks there, and a bag of Skittles on the other side. But most of that can be obviated by having simple, but long, pass phrases. Since Win2k, you've had the choice of using 1298 character passwords/phrases. Even if you catch an NTLM auth on the wire, a passphrase like "i have no farking idea what my password is." will take an eon to crack, even though it is all lower-case alpha with a period thrown in-- same with a SAM. Besides, if someone has camped out on your box and grabbed the SAM, you've got Bigger Problems (tm) anyway.

In addition to easy pass phrases, I think a far more workable and viable solution for laptop data is the use of something like a PGP partition to store data. It's easy for the user, easy for the admin, and adds real-world security to remote data deployments...

t
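As an added illustration of the keyspace argument in the message above (this is not code from the original post), the following Python script models the brute-force search a defender should expect against the full-length NT hash versus the 14-character, two-half LM hash; the guess rate of 10^10 per second and the short sample password are constructed assumptions.

```python
import math
import string

# Character classes a brute-force search must cover. A space or a period pulls an
# extra class into the alphabet, which is the "increased keyspace" point above.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
    "space": {" "},
}
# LM upper-cases the password before hashing, so lower-case adds nothing there.
LM_ALPHABET = 26 + 10 + len(string.punctuation) + 1


def charset_size(secret: str) -> int:
    """Alphabet size implied by the character classes actually present."""
    return sum(len(cls) for cls in CLASSES.values() if any(c in cls for c in secret))


def ntlm_keyspace_bits(secret: str) -> float:
    """log2 of the brute-force keyspace for the full-length NT hash."""
    return len(secret) * math.log2(charset_size(secret))


def lm_keyspace_bits(secret: str):
    """Upper bound (log2) on the work to crack an LM hash, whose two 7-character
    halves are attacked independently. Returns None for passwords longer than
    14 characters, for which Windows stores no usable LM hash at all."""
    if len(secret) > 14:
        return None
    halves = 2 if len(secret) > 7 else 1
    return math.log2(halves) + 7 * math.log2(LM_ALPHABET)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years to search the whole keyspace at a constructed guess rate (assumption)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed short "complex" password versus the passphrase quoted above.
    for s in ("Tr0ub4d!", "i have no farking idea what my password is."):
        nt = ntlm_keyspace_bits(s)
        print(f"{s!r}: NT {nt:.1f} bits, LM {lm_keyspace_bits(s)}, "
              f"{years_to_exhaust(nt):.2e} years to exhaust")
```

The passphrase has no LM hash to attack and a keyspace of roughly 253 bits; the eight-character mixed-class password sits near 52 bits, and its LM hash collapses the work further.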


----- Original Message ----- 
From: "Dufresne, Pierre" <PIERRE.DUFRESNE () MESS GOUV QC CA>
To: <pen-test () securityfocus com>
Sent: Thursday, September 29, 2005 6:19 AM
Subject: RE: Password "security" - was "Passwords with Lan Manager (LM) under Windows" and "Whitespace in passwords"


Thanks for the advice,

I am focusing on stolen laptops. With the password-on-boot SYSKEY feature I was hoping to protect the cache entries stored on those machines. The thing is, I was planning to make EFS available for the laptops (XP sp1). The problem is, if the attacker can crack the passwords (after dumping the cache entries with CacheDump), he gets access to the EFS files. That's why this password security thread had me worried.
Thanks

P.
