Password-Cracking Countermeasures

Strong passwords are the first line of defence against password cracking. Systems should enforce a minimum of 8 characters (12 or more is better) drawn from mixed character classes (letters, digits and symbols). Note that a cap such as "8–12 characters" only shrinks the space an attacker has to search, so the policy should set a minimum length, never a maximum. How long the same password may remain in use is discussed in the next section.
To protect the stored password hashes from being copied and cracked offline, physically isolate and protect the server. On Windows NT-family systems the administrator can use the SYSKEY utility to encrypt the hashes held in the SAM on the server's hard disk with an additional key (SYSKEY was removed from Windows 10 version 1709 and later, where full-disk encryption such as BitLocker fills the same role). The server logs should also be monitored for brute-force attacks on user accounts.
A system administrator can implement the following security precautions to decrease the effectiveness of a brute-force password-cracking attempt:
  • Never leave a default password.
  • Never use a password that can be found in a dictionary.
  • Never use a password related to the hostname, domain name, or anything else that can be found with Whois.
  • Never use a password related to your hobbies, pets, relatives, or date of birth.
  • If a dictionary word must be used at all, treat it as a last resort and choose one of more than 21 characters; a long passphrase of several unrelated words is the better choice.
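The rules above can be enforced before a password is accepted rather than left to the user. The following PowerShell function is an added example, not code from the original page: it rejects passwords that are short, drawn from a small word list, derived from the host or domain name, or built from personal details and dates. The word list, the host name `fileserver01`, the domain `example.com` and the personal words are assumptions standing in for a site's real data.

```powershell
# Added example (not from the original page): a hypothetical password-policy
# check applying the rules listed above. $Dictionary, $HostName, $DomainName
# and $PersonalWords are placeholders for the site's real word list and data.

function Test-PasswordAgainstPolicy {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string]$Password,
        [string[]]$Dictionary    = @('password', 'welcome', 'letmein', 'admin', 'summer'),
        [string]$HostName        = 'fileserver01',
        [string]$DomainName      = 'example.com',
        [string[]]$PersonalWords = @('fluffy', 'smith'),   # pets, relatives, etc.
        [int]$MinLength          = 12
    )

    $problems = New-Object System.Collections.Generic.List[string]
    $lower = $Password.ToLowerInvariant()

    # Length and character classes: lower, upper, digit, symbol.
    if ($Password.Length -lt $MinLength) { $problems.Add("shorter than $MinLength characters") }
    $classes = 0
    foreach ($re in '[a-z]', '[A-Z]', '[0-9]', '[^a-zA-Z0-9]') {
        if ($Password -cmatch $re) { $classes++ }
    }
    if ($classes -lt 3) { $problems.Add('uses fewer than three character classes') }

    # Dictionary words, after undoing common substitutions (p@ssw0rd -> password).
    $normalised = $lower -replace '@','a' -replace '0','o' -replace '1','i' -replace '3','e' -replace '\$','s' -replace '[^a-z]',''
    foreach ($word in $Dictionary) {
        if ($word.Length -ge 4 -and $normalised.Contains($word)) { $problems.Add("contains dictionary word '$word'") }
    }

    # Anything an attacker can learn from Whois or DNS: host name and domain labels.
    $siteWords = @($HostName) + ($DomainName -split '\.') | Where-Object { $_.Length -ge 4 }
    foreach ($word in $siteWords) {
        if ($lower.Contains($word.ToLowerInvariant())) { $problems.Add("contains site name '$word'") }
    }

    # Personal details and date-like strings (a year, or D/M/Y separated by / . -).
    foreach ($word in $PersonalWords) {
        if ($lower.Contains($word.ToLowerInvariant())) { $problems.Add("contains personal word '$word'") }
    }
    if ($Password -match '(19|20)\d{2}' -or $Password -match '\d{1,2}[/.-]\d{1,2}[/.-]\d{2,4}') {
        $problems.Add('contains a year or date')
    }

    [pscustomobject]@{
        Password = $Password
        Accepted = ($problems.Count -eq 0)
        Problems = $problems.ToArray()
    }
}

# Constructed sample input: a weak password and a strong passphrase.
Test-PasswordAgainstPolicy -Password 'Fluffy1984!'                 # rejected: too short, pet name, year
Test-PasswordAgainstPolicy -Password 'correct-Horse#battery9Staple' # accepted
```

The substitution step matters in practice: crackers apply the same leet-speak rules in their mangling stage, so `P@ssw0rd` is no stronger than `password` and should be rejected as such.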
This subject is discussed further in the section "Monitoring Event Viewer Logs," later in this chapter.
In the following sections, we'll look at two measures you can take to strengthen passwords and prevent password-cracking.

Password Change Interval

Passwords should expire after a set period so that users are forced to change them. If the interval is too short, users forget their current passwords and the system administrator ends up resetting them frequently. If passwords are allowed to live too long, a password that has been cracked or leaked stays useful to the attacker. The recommended password-change interval is every 30 days, and most security professionals recommend that users not be allowed to reuse their last three passwords. (More recent guidance such as NIST SP 800-63B favours long passwords changed only on evidence of compromise, because frequent forced rotation pushes users toward predictable variations of the old password.)
You cannot completely block brute-force attacks by filtering on source address, because an attacker who rotates through proxy servers changes the address the packets appear to come from. A system administrator can only add controls (account lockout thresholds, logging, a strong password policy) that reduce the likelihood that a brute-force attack will succeed.
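The ageing, history and lockout values discussed above are set in one place on Windows. The commands below are an added example, not part of the original page: the first group applies the local policy on a standalone server with `net accounts`, the second applies the default domain policy with the ActiveDirectory module. The domain `example.com`, and the lockout threshold and window of 5 attempts in 15 minutes, are assumptions; tune them for your environment.

```powershell
# Added example (not from the original page). Applies the 30-day maximum age,
# three-password history and minimum length recommended above, plus an
# account-lockout threshold that slows online brute forcing. Run elevated.

# A weak configuration looks like this (passwords never expire, history off):
#   net accounts /maxpwage:unlimited /uniquepw:0
# The corrected local policy for a standalone server or workstation:
net accounts /maxpwage:30 /minpwage:1 /uniquepw:3 /minpwlen:8
# Lockout settings: 5 failures within a 15-minute window lock the account
# for 15 minutes. These switches are accepted by net accounts even though some
# reference pages list only the password-ageing switches.
net accounts /lockoutthreshold:5 /lockoutduration:15 /lockoutwindow:15
net accounts            # prints the effective policy so the change can be checked

# Domain members: the default domain password policy (ActiveDirectory module,
# run on a domain controller or a host with RSAT). 'example.com' is a placeholder.
Import-Module ActiveDirectory
Set-ADDefaultDomainPasswordPolicy -Identity 'example.com' `
    -MaxPasswordAge (New-TimeSpan -Days 30) `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -PasswordHistoryCount 3 `
    -MinPasswordLength 8 `
    -ComplexityEnabled $true `
    -LockoutThreshold 5 `
    -LockoutDuration (New-TimeSpan -Minutes 15) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 15)

Get-ADDefaultDomainPasswordPolicy -Identity 'example.com'   # verify the result
```

The minimum password age of one day is what makes the history of three effective: without it a user can cycle through four changes in a minute and land back on the original password.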

Monitoring Event Viewer Logs

Administrators should monitor Event Viewer logs to recognize intrusion attempts while they are occurring, before they succeed. Generally, several failed attempts are logged in the Security log before a successful intrusion or password attack. The security logs are only as good as the system administrators who monitor them.
Tools such as VisualLast aid a network administrator in deciphering and analyzing the security log files. VisualLast provides greater insight into the NT event logs so the administrator can assess the activity of the network more accurately and efficiently. The program is designed to allow network administrators to view and report individual users' logon and logoff times; these events may be searched according to time frame, which is invaluable to security analysts who are looking for intrusion details.
On Windows NT, 2000, XP and Server 2003 the Security log is stored at %SystemRoot%\System32\config\SecEvent.Evt (Security.evtx in the same directory on Windows Vista and later) and contains the trace of an attacker's brute-force attempts: each failed logon is recorded as event ID 529 on the older systems and as event ID 4625 on Windows Vista and later, with the account name and the source address of the attempt in the event data.
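Reading the log by hand does not scale, so the check is usually scripted. The PowerShell below is an added example, not code from the original page or from VisualLast: `Get-FailedLogons` pulls event ID 4625 entries from the live Security log and extracts the target account and source address, and `Find-BruteForce` reports any source address that produced more failures than a threshold inside a sliding time window. The threshold of 10 failures in 5 minutes is an assumption, and the sample events at the bottom are constructed so the detection can be tried offline.

```powershell
# Added example (not from the original page): flag brute-force logon attempts
# in the Security log. On Windows Vista and later a failed logon is event ID
# 4625 (529 on NT/2000/XP); account and source address are in the event data.
# Threshold and window are assumptions; tune them for the site.

function Find-BruteForce {
    param(
        [Parameter(ValueFromPipeline)] $Event,   # objects with Time, User, Source
        [int]$Threshold = 10,
        [int]$WindowMinutes = 5
    )
    begin { $all = @() }
    process { $all += $Event }
    end {
        $window = New-TimeSpan -Minutes $WindowMinutes
        # Group by source address: one user tried with many passwords, or many
        # users tried from one address (password spraying), both show up here.
        foreach ($group in $all | Group-Object Source) {
            $times = @($group.Group | Sort-Object Time | Select-Object -ExpandProperty Time)
            # Sliding window: count failures within $window after each failure.
            for ($i = 0; $i -lt $times.Count; $i++) {
                $n = @($times | Where-Object { $_ -ge $times[$i] -and $_ -le $times[$i] + $window }).Count
                if ($n -ge $Threshold) {
                    [pscustomobject]@{
                        Source   = $group.Name
                        Failures = $n
                        Users    = ($group.Group.User | Sort-Object -Unique) -join ','
                        From     = $times[$i]
                    }
                    break
                }
            }
        }
    }
}

# Live collection from the Security log (requires administrative rights).
function Get-FailedLogons {
    param([datetime]$Since = (Get-Date).AddHours(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
            [pscustomobject]@{ Time = $_.TimeCreated; User = $d['TargetUserName']; Source = $d['IpAddress'] }
        }
}

# Constructed sample: 12 failures against 'administrator' from one address in
# two minutes, plus one stray failure from another address.
$t0 = Get-Date '2024-01-01 10:00:00'
$sample = @(0..11 | ForEach-Object { [pscustomobject]@{ Time = $t0.AddSeconds(10 * $_); User = 'administrator'; Source = '203.0.113.7' } }) +
          @([pscustomobject]@{ Time = $t0.AddMinutes(20); User = 'jsmith'; Source = '192.0.2.9' })
$sample | Find-BruteForce -Threshold 10 -WindowMinutes 5   # reports 203.0.113.7 only

# Against the real log:
# Get-FailedLogons | Find-BruteForce
```

Grouping by source address rather than by account is deliberate: an attacker who spreads a few guesses over many accounts to stay under the lockout threshold still concentrates all of them on one address. As the previous section notes, an attacker who rotates proxies defeats this grouping, so an alarm on the total failure rate across all addresses is a useful second signal.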
