Sat, Nov 20 2004 22:36
The last two patches and a Security tweak
Hmmmm..... there are two patches that won't push down from MBSA/Shavlik, so I'm doing them manually. The first is the .NET 1.1 SP1 and the second is the 03-31 for the SBSMonitoring SQL/MSDE instance. One tweak I'm putting in place is the "Dr. J Password security tweak". What? Don't know what I'm talking about?
If you have a full Windows 2000/XP network OR have made your 9x clients use the Active Directory add-on, you can turn off something called the LAN Manager hash. What's that? It's a legacy leftover from IBM that we really don't need to keep turned on if we have up-to-date networks.
In this KB it talks about how to ensure that this hash is not saved. Why is this important? Because if you've ever played with LC4 or LC5 or John the Ripper, you know how fast passwords can be retrieved if these hashes are saved. Someone can retrieve your passwords in mere seconds if they are saved in this manner. I've seen LC5 nail a 9-character dictionary word in mere minutes.
- In Group Policy, expand Computer Configuration, expand Windows Settings, expand Security Settings, expand Local Policies, and then click Security Options
- In the list of available policies, double-click Network security: Do not store LAN Manager hash value on next password change
- Click Enabled, and then click OK
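The Group Policy steps above set a single registry value, and it is easier to audit across machines from a shell than by opening the policy editor on each one. The following PowerShell is an added example, not code from the original post or from Microsoft; it assumes the XP/2003-style layout where the setting is a DWORD value named NoLMHash under the Lsa key (on Windows 2000 the same KB describes creating a subkey of that name instead, which this script does not handle). It only reads or writes that one value; setting it requires an elevated session, and it does not touch existing hashes.

```powershell
# Added example (not from the original post): audit and enforce the
# "Do not store LAN Manager hash value on next password change" setting.
# Assumed mapping: the policy option corresponds to the DWORD value
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa\NoLMHash = 1 (XP/2003 and later).
$LsaPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'NoLMHash'

function Get-NoLMHashState {
    # Returns 1 when the policy is enabled, 0 when disabled or absent.
    $item = Get-ItemProperty -Path $LsaPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # value missing: LM hashes are still being stored
    return [int]$item.$ValueName
}

function Enable-NoLMHash {
    # Creates or overwrites the DWORD; needs an administrator session.
    Set-ItemProperty -Path $LsaPath -Name $ValueName -Value 1 -Type DWord
}

$state = Get-NoLMHashState
if ($state -eq 1) {
    Write-Output "NoLMHash is already enabled on $env:COMPUTERNAME."
} else {
    Write-Output "NoLMHash is $state on $env:COMPUTERNAME - enabling it."
    Enable-NoLMHash
    Write-Output "Enabled. Note: the change only applies on each account's NEXT password change;"
    Write-Output "LM hashes already stored in the SAM or AD remain until those passwords are reset."
}
```

The last two lines are the caveat that matters in practice: flipping the policy (by GPO or by this value) does not scrub hashes that were stored earlier, so a domain that has just enabled it should force or schedule password changes before assuming the LM hashes are gone. Running the audit function alone (without the enable step) is a cheap way to confirm that the Group Policy setting actually reached a given machine.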
So why are passwords important? Let's think of all the ways and places where we rely on passwords as the first line of defense.
- Banks and online banking.
- ATMs and Debit cards and PIN numbers
- Websites and online shopping
Don't you hope that all those places where YOU store passwords would enable that setting too? [Granted, you are probably not putting your password into an AD environment when you log in... but you get the point.] What other places do you put passwords into a computer system without knowing what procedures they have for protecting them? I've seen places like T-Mobile and AT&T wireless airport signups demand that the password I chose matched a secure policy. I don't even want to admit how lame my Amazon.com password is. Hmmmm... reminds me.... I should go change that sucker. Excuse me while I go do that after I just admitted how lame it was :-)
Filed under: Security, Needed Patches/Tweaks