Windows IT Pro
February 2003

Controlling User Account Logons

Guard the entrance into your NT domain

People often compare the many levels of Windows NT security to the layers of an onion. One of the outermost layers is the series of checks that NT performs before it lets a user log on. Keeping unauthorized users from logging on at all protects your network from many risks. You can control NT's logon policies in three places:

  • Global policies in the SAM database. These policies affect all users in a computer's or domain's SAM.
  • User-specific policies in user accounts. You can specify different policies for different users.
  • Values in the registry. You can affect a user's logon process by tweaking the registry.

Global Policies
Global policies let you enforce password policies and lock out accounts when NT detects someone trying to guess a password. These policies are called global because they affect all the user accounts in the SAM to which you're connected through User Manager for Domains. Depending on the SAM you're editing, you might be defining policies for all the users in your domain or just the local accounts on one computer. Each NT workstation and member server has a local SAM in which you can define local user accounts that are valid on that computer only. (For more information about the differences between local and domain SAMs, see "Related Articles in Previous Issues.")

To set global account controls, open User Manager for Domains and select Policy, Account on the menu bar. Figure 1, page 64, shows the Account Policy dialog box that appears. At the top of the dialog box, notice the word Computer, which specifies that you're working with the specified computer's local SAM. If the dialog box says Domain, you're working with a domain SAM.

By setting the Password Restrictions options in the Account Policy dialog box, you can impose password-management best practices on your users. Understanding and setting password restrictions is important because users are typically pretty careless with passwords. You can protect passwords three ways: require that users create hard-to-guess passwords, make users change their passwords regularly, and set account-lockout policies.

Create hard-to-guess passwords. By setting the Minimum Password Length option, you can require that users create longer passwords. For most environments, I recommend that you set the minimum length to 7. The reason is an arcane weakness in how NT hashes passwords: besides the NT hash, NT stores a LAN Manager (LM) hash for backward compatibility, and the LM hash uppercases the password, pads it to 14 characters, and hashes each 7-character half separately. A password of 8 to 13 characters therefore leaves a short second half that a cracker can recover on its own, so I don't recommend a minimum of more than 7 unless you go all the way up to 14. If you can train users to use a random sequence of 7 letters, numbers, and symbols, you'll have passwords that are quite strong. However, imposing a minimum password length doesn't guarantee hard-to-guess passwords because users can just repeat the same letter or number seven times. If you really want to require passwords that are hard to guess, you need to use a password filter, such as Passfilt.dll (included with NT 4.0 Service Pack 2 and later) or the Passprop utility in the Microsoft Windows NT Server 4.0 Resource Kit. Both require users to create passwords that mix letters, numbers, symbols, and case.
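The following Python is an added example, not code from the article and not a Microsoft tool. It models the two checks the paragraph relies on: the LM-hash preprocessing that splits a password into two 7-byte halves (which is why 8- to 13-character passwords buy less than they appear to), and a complexity filter written to follow the documented Passfilt.dll rules (at least six characters, three of four character classes, no user name or 3+ character piece of the full name inside the password). DES itself is left out; only the preprocessing that creates the halves is shown, which is enough to see how much of each half an attacker must guess. The account name, full name, and sample passwords are constructed, and the filter is a reimplementation of the rules, not the DLL.

```python
"""Added example (not from the article): LM half-splitting and a
Passfilt-style complexity filter, applied to constructed sample passwords."""
import string
from typing import Dict, List, Tuple

LM_HALF = 7   # LM hashes each 7-byte half of the password independently
LM_MAX = 14   # LM truncates or NUL-pads the password to 14 bytes

CHAR_CLASSES = (string.ascii_uppercase, string.ascii_lowercase,
                string.digits, string.punctuation)


def lm_halves(password: str) -> Tuple[bytes, bytes]:
    """Return the two 7-byte blocks LM hashing would feed to DES.

    Real LM used the OEM code page; ASCII is assumed here (anything else
    becomes '?').  Passwords longer than 14 characters are truncated, as LM does.
    """
    raw = password.upper().encode("ascii", "replace")[:LM_MAX]
    raw = raw.ljust(LM_MAX, b"\0")
    return raw[:LM_HALF], raw[LM_HALF:]


def lm_exposure(password: str) -> Dict[str, object]:
    """How many real characters each half contains.

    A 1- to 6-character second half is the weakness behind the "7 or 14"
    advice: it is NUL-padded and can be brute-forced on its own.
    """
    first, second = lm_halves(password)
    first_chars = len(first.rstrip(b"\0"))
    second_chars = len(second.rstrip(b"\0"))
    return {
        "first_half_chars": first_chars,
        "second_half_chars": second_chars,
        "weak_second_half": 0 < second_chars < LM_HALF,
        "truncated": len(password) > LM_MAX,
    }


def _name_tokens(full_name: str) -> List[str]:
    """Split a full name on the separators Passfilt uses, ignoring pieces
    shorter than three characters."""
    for sep in ",.-_#\t":
        full_name = full_name.replace(sep, " ")
    return [tok for tok in full_name.split() if len(tok) >= 3]


def passfilt_ok(password: str, username: str,
                full_name: str = "") -> Tuple[bool, str]:
    """Return (accepted, reason) under Passfilt-style rules (reimplemented)."""
    if len(password) < 6:
        return False, "shorter than 6 characters"
    lowered = password.lower()
    if username and username.lower() in lowered:
        return False, "contains the user name"
    for tok in _name_tokens(full_name):
        if tok.lower() in lowered:
            return False, "contains part of the full name: " + tok
    classes = sum(1 for cls in CHAR_CLASSES if any(c in cls for c in password))
    if classes < 3:
        return False, "fewer than three character classes"
    return True, "ok"


def evaluate(password: str, username: str, full_name: str = "",
             min_length: int = 7) -> List[str]:
    """Apply the layered checks the article describes; empty list means good."""
    findings = []
    if len(password) < min_length:
        findings.append("shorter than the %d-character minimum" % min_length)
    exposure = lm_exposure(password)
    if exposure["weak_second_half"]:
        findings.append("LM second half is only %d character(s)"
                        % exposure["second_half_chars"])
    accepted, reason = passfilt_ok(password, username, full_name)
    if not accepted:
        findings.append("rejected by password filter: " + reason)
    return findings


if __name__ == "__main__":
    # Constructed account (user name "jsmith", full name "John Smith") and
    # constructed candidate passwords.
    for candidate in ("aaaaaaa", "password", "Smith9!x", "Xk7#pQ2",
                      "Q9v!Lm2#rT4&wZ"):
        result = evaluate(candidate, "jsmith", "John Smith")
        print("%-16s %s" % (candidate, "; ".join(result) or "passes all checks"))
```

Run as a script, the loop shows the three failure modes side by side: "aaaaaaa" satisfies a 7-character minimum but is rejected by the filter, "password" and "Smith9!x" leave a one-character LM second half (and the latter also contains part of the full name), while the 7- and 14-character candidates pass every check.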

Just requiring users to create hard-to-guess passwords isn't enough. You also need to back up this requirement with written policies that demonstrate management's support for the requirement, training sessions that teach users how to select and remember strong passwords, and a monthly or quarterly audit of passwords with a utility such as @stake's L0phtCrack 4.0 (LC4). You might even consider using an acceptable use policy to help remove the temptation to write down passwords. Acceptable use policies document the company's expectations about the proper use of its computers. Such policies also provide legal recourse (e.g., termination of employment, recovery of related loss) in the event someone breaches the policy.

Page 1 of 3


Reader Comments
Randy Franklin Smith's "Controlling User Account Logons" (February 2003, http://www.winnetmag.com, InstantDoc ID 37600) should be required reading for all IT administrators. I would urge one important addition to the policies Randy recommends: Prohibit any user from being logged on more than once. Prohibiting multiple logons removes the possibility of an intruder using an account while the authorized user is logged in and also quickly trains users that they need to log off when they leave one workstation and go to another, rather than leaving a logged-on workstation open to anyone. This practice also quickly gets users out of the habit of using any account other than their own or giving their account information to anyone else.

Larry Heberlein January 15, 2004

