Many security "experts" are running around these days mumbling about rainbow tables and telling us how they can crack any Windows password in 2 seconds. "Windows security sucks!" they say. Well, I'm here to tell you that if you take 10 steps to increase password security, would-be intruders can crack all day, but they won't get your Windows logon passwords.
Before you take any action, however, it's a good idea to become familiar with password authentication mechanics and to learn what types of password attacks are in use today. That way, you'll know not only how to protect yourself but also what you're protecting yourself from.
Although Windows uses many types of authentication credentials (e.g., the Credential Manager cache, trusts, Local Security Authority—LSA—secrets), the 10 tips I provide are specifically for Windows logon passwords. Nevertheless, the lessons learned here often apply to other forms of authentication (e.g., smart cards, biometrics) and other types of authentication credentials.
For users to be authenticated for logon, they must supply their unique network logon identity (i.e., logon name) and password. By supplying a password that only he or she supposedly knows, the user proves ownership of the identity and can request access to protected resources. When a user first sets a password, it's stored in a password credential database. In Windows, there are only two authentication databases: the SAM and Active Directory (AD). The SAM database is used for local logons and for logons to Windows NT domains. The AD database is used for logons to Windows 2000 and later domains.
When the user inputs his or her password, the Windows logon processes (e.g., winlogon.exe, msgina.dll) convert the plaintext password to its password hash equivalent. A good password hash outputs a unique, consistent value for a given password. No two passwords should result in the same output hash. A good password hash also makes converting from the hash back to the original plaintext non-trivial for someone who doesn't know the original password.
Some password hashes, but not Windows', add a random seed value, called a salt, to the hash to ensure that no two passwords produce the same hash. Salting strengthens any password hash and requires additional computations to crack the password, so it's unfortunate that Windows doesn't use a salt.
Windows Password Hashes
The SAM and AD store passwords in their hashed form under the assumption that if the database is compromised, the passwords won't be immediately compromised as well. Fully patched versions of Windows 98 and later OSs are capable of two types of password hashes: LAN Manager (LM) and NT. The LM password hash was invented by IBM and first used by Microsoft more than a decade ago. The LM hash turned out to be a very weak hash algorithm and is easy to compromise. Any skillful password hacker can convert an LM password hash to its plaintext original in seconds.
Microsoft subsequently created the NT hash for NT. Although not uncrackable, the NT hash is significantly more difficult to crack than the LM hash. If a password is sufficiently long and complex (more on that later), a hacker can require days or months to convert the NT hash to its plaintext original. Unfortunately, NT and later versions of Windows by default store both hash values for every password. The simple step of disabling the storage of LM hashes significantly increases your network's password security.
Win2K and later can use four authentication protocols: LAN Manager, NTLM, NTLMv2, and Kerberos. LAN Manager was the original protocol, and if LAN Manager authentication traffic is sniffed off the network, compromising the password is trivial. Microsoft released the NTLM protocol with NT, but that protocol was later found to contain flaws. Microsoft then developed NTLMv2 for Win2K. That version has withstood the test of time and has been ported back to NT and Windows 9x. Password crackers can't easily break NTLMv2 traffic.Win2K and later domain logons use the Kerberos protocol, which uses the NT hash and is fairly secure.
LAN Manager, NTLM, and NTLMv2 use challenge-response authentication. When users or computers submit credentials for verification, they don't send the password or its hash to the authentication service (i.e., SAM or AD). Instead, the server generates a random value, called the challenge, and sends it to the client. The client mathematically manipulates the challenge, using the password hash as a constant, and returns the result, called the response. The server does the same calculation on the challenge and, when that calculation matches the client's response, authenticates the client.
Kerberos uses an entirely different form of authentication based on preauthentication packet exchange. In that process, the Windows logon process converts the user's password to a secret key that's used to encrypt a timestamp, which is then sent to the server. Kerberos uses the timestamp to prevent replay attacks.
The authentication protocol determines the mathematical routine that the client and server use during the challenge-response process. Win2K and later computers must use Kerberos and at least one other authentication protocol. As with password hashes, all authentication protocols are turned on by default. When a client connects to a server, the server and client can negotiate which authentication protocol they'll use. An attacker can force Windows to use the weak LAN Manager or NTLM protocol unless it's disabled. (To learn what tools and techniques password attackers use, see the Web-exclusive sidebar, "Types of Password Attacks," http:// www.windowsitpro.com, InstantDoc ID 49232.)
Preventing Password Cracking
Knowing how authentication protocols work and having some sense of the tools and techniques intruders use to carry out password attacks is helpful. Now, how can you keep your network safe? Follow my 10 recommendations, and your computers will be highly resistant to password attacks. Recommendations are in descending order of importance.
1. Disable LM password hashes. Most password cracking software requires LM password hashes to work. You can use one of three methods to disable the storage of LM password hashes.
- Use passwords that are at least 15 characters long. When a password is longer than 14 characters, the system can't generate an LM password hash.
- Disable LM password hash storage system-wide by using Group Policy or Local Security Policy. Navigate to Computer Configuration\WindowsSettings\SecuritySettings\LocalPolicies. Select Security Options, then double-click Network Security: Do not store LAN Manager hash value on next password change. Click Enabled, then click OK. Alternatively, you can edit the registry. Open a registry editor (e.g., Regedt32.exe) and navigate to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. From the Edit menu, select Add Key and type NoLMHash. Press Enter, quit the registry editor, and restart the computer. To activate the setting, change the password.
- Use a special Unicode character in the password. Certain Unicode characters prevent the system from generating an LM password hash. For a list of Unicode characters that have this effect, see Table 1 in Chapter 3 of the "Microsoft Windows 2000 Security Hardening Guide" (http://www.microsoft.com/technet/security/prodtech/windows2000/win2khg/03osinstl.mspx).
2. Require long, complex passwords. Require passwords of 15 or more characters with at least some basic complexity. By default, computers running Windows XP and later OSs have password complexity turned on (although it's debatable whether Microsoft's definitions of complexity are sufficiently rigorous). A password with 15 or more characters disables the creation of an LM password hash, thereby defeating most password cracking tools, including most rainbow tables. If your password is also complex, it will defeat rainbow tables, which can't handle complex NT password hashes in a reasonable period of time. (This situation could change with future improvements in password cracking techniques, however.)
3. Disable LAN Manager and NTLM authentication. Most password sniffers can be successful only if LAN Manager or NTLM authentication is used. After a thorough test to make sure it doesn't break your production environment, prevent the use of LAN Manager and NTLM authentication protocols. Do this by using a registry editor or Group Policy Object (GPO). Navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network Security: LAN Manager Authentication level, and enable Send NTLMv2 response only/refuse LM & NTLM.
4. Enable account lockouts. Enabling account lockouts will defeat, or at least significantly slow, most password-guessing attacks, whether manual or automated. I recommend enabling account lockouts using the following security settings:
- Set the account lockout threshold to allow no more than five bad password attempts.
- Set Reset account lockout counter after to 1 minute (the smallest possible value).
- Set Account lockout duration to 1 minute.
Some people worry about a computer worm causing a Denial of Service (DoS) attack, but if a computer worm is guessing at passwords using all my users' logon names, I want to lock out even valid users until the computer worm is stopped. After the worm is gone, all user accounts will enable in 60 seconds.
5. Force moderately frequent password changes. From Group Policy or Local Security Policy, navigate to Computer Configuration\Windows Settings\Security Settings\Local Policies\Password Policy and set the Maximum password age setting to no more than 90 days. Given enough time, any password guesser, cracker, or rainbow table can defeat any password. But if a password is at least 15 characters long and complex, it will take most attackers more than 90 days to crack it. Any reasonable interval can be argued; just don't make your users switch passwords too frequently, because then they'll start writing down their passwords.
6. Protect boot order. Protect from physical attacks by using BIOS settings to prevent booting from anything but the primary hard disk, then password protect the BIOS. This recommendation will prevent (or at least delay) local, physical password attacks, including resetting passwords and extracting password hashes.
7. Rename highly privileged accounts. Consider renaming highly privileged accounts, such as the Administrator account, to something other than the default. Changing the names of highly privileged accounts to something other than their well-known default names will defeat many automated password-guessing programs.
8. Give additional protection to highly privileged accounts. Make sure the most highly privileged accounts in your enterprise have the longest and most complex passwords with the shortest maximum life.
9. Enable logon screen warning messages. Logon screen warning messages defeat many brute-force password-guessing programs such as TSGrinder because the automated programs don't expect a warning message to appear. You can enable logon screen warnings in Group Policy by navigating the console tree to Computer Configuration\Windows Settings\ Security Settings\Local Policies\Security Options, then double-clicking Interactive logon: Message text for users attempting to log on (and the related Interactive logon: Message title for users attempting to log on).
10. Audit passwords regularly. Finally, try to crack your organization's passwords yourself on a regular basis using some of the password cracking tools mentioned in "Types of Password Attacks." Do it before attackers do it. You can use the results as a compliance test and assist end users who don't follow recommended password policy to change their ways.
Don't Worry About the Experts
If you follow these 10 simple guidelines, the computers on your network will be highly resistant to password attacks—even those by so-called Windows security experts.