Windows uses a variety of authentication mechanisms to protect passwords between the client and the server. Passwords are stored in hashed form (LM or NTLM) rather than in plaintext, and four different authentication protocols are used to securely transport logon credentials. Passwords can be compromised through social engineering, guessing, brute force, or cracking. Five recommendations can significantly limit a network's exposure to password cracking:
Disable LM password hash storage
Require long, complex passwords
Enable account lockouts
Disable LM and NTLM authentication
Force moderately frequent password changes
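The following audit script is an added example, not code from the book: it reads the two LSA registry values and the local security policy export that these five recommendations map to, and reports each as pass or fail. The thresholds (14 characters, 90 days) are assumptions chosen for this example; the text gives no numbers.

```powershell
# Added example: audit one Windows host against the five recommendations above.
# Not from the book. Thresholds (14 characters, 90 days) are assumptions for this
# example; the text gives no numbers. Run from an elevated prompt: secedit needs
# administrator rights to export the local security policy.

$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# NoLMHash = 1 stops the weak LM hash from being stored at the next password change.
# LmCompatibilityLevel 5 sends NTLMv2 only and refuses LM and NTLM when acting as a server.
# A missing value ([int]$null -> 0) means the OS default is in effect, so it is reported as 0.
$noLmHash = [int]$lsa.NoLMHash
$lmLevel  = [int]$lsa.LmCompatibilityLevel

# Password length/complexity, lockout and maximum age come from the local policy export
# ([System Access] section of the INF file that secedit writes).
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /quiet | Out-Null
$policy = @{}
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\s*(\w+)\s*=\s*(\S+)') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

$minLen  = [int]$policy['MinimumPasswordLength']
$complex = [int]$policy['PasswordComplexity']
$lockout = [int]$policy['LockoutBadCount']    # 0 = accounts never lock out
$maxAge  = [int]$policy['MaximumPasswordAge'] # -1 = passwords never expire

$checks = @(
    [pscustomobject]@{ Recommendation = 'Disable LM password hash storage'
                       Setting = "NoLMHash=$noLmHash"; Pass = ($noLmHash -eq 1) }
    [pscustomobject]@{ Recommendation = 'Require long, complex passwords'
                       Setting = "MinimumPasswordLength=$minLen PasswordComplexity=$complex"
                       Pass = ($minLen -ge 14 -and $complex -eq 1) }
    [pscustomobject]@{ Recommendation = 'Enable account lockouts'
                       Setting = "LockoutBadCount=$lockout"; Pass = ($lockout -gt 0) }
    [pscustomobject]@{ Recommendation = 'Disable LM and NTLM authentication'
                       Setting = "LmCompatibilityLevel=$lmLevel"; Pass = ($lmLevel -ge 5) }
    [pscustomobject]@{ Recommendation = 'Force moderately frequent password changes'
                       Setting = "MaximumPasswordAge=$maxAge"; Pass = ($maxAge -ge 1 -and $maxAge -le 90) }
)
$checks | Format-Table -AutoSize
```

On a domain-joined machine the password and lockout policy for domain accounts comes from the domain policy, so check it there as well (for example with Get-ADDefaultDomainPasswordPolicy) rather than trusting the local export alone.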
With these few changes, the threat of successful password cracking can be removed. Chapter 5 deals with protecting high-risk files from exploitation.