If effective controls are not in place for providing and removing access to the server, it could result in unnecessary access to system resources. This, in
Interview the system administrator, and review account-creation procedures. This process should include some form of verification that the user has a legitimate need for access. Take a sample of accounts from the password file, and review evidence that they were approved properly prior to being created. Alternatively, take a sample of accounts from the password file, and validate their
Also review the process for removing accounts when access is no longer needed. This process could include an automated feed from the company's human resources (HR) system providing information on terminations and job changes. Or the process could include a periodic review and validation of active accounts by the system administrator and/or other knowledgeable managers. Obtain a sample of accounts from the password file, and verify that they are owned by active employees and that those
Most user accounts should be administered
You can view the accounts by opening compmgmt.msc from the command line or with DumpSec using the following syntax:
DumpSec.exe /rpt=users /saveas=fixed /outfile=users.txt
| Note |
Download DumpSec from http://www.somarsoft.com. The same executable that launches the GUI is the one used from the command line. To use DumpSec from a script, ship the binary alongside the script when you run it. Learn about the different command-line options by opening the help file under Help Contents and selecting Command-Line options. |
Discuss your findings with the administrator, and pay close attention to local accounts that exist outside the domain. The only accounts that should exist outside the domain are the built-in guest and administrator accounts unless required by an application.
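The account review just described (owner still employed, approval evidence on file, local accounts limited to the built-ins or a documented exception) can be carried out mechanically once the account list and the HR feed are in hand. The following script is an added example and is not from the book or from DumpSec; the CSV column names, the sample accounts and the HR records are all constructed assumptions, so a real DumpSec report would need its own reader.

```python
"""Reconcile a server's accounts against an HR feed and approval evidence.

Added example (not from the book or any tool it names). The CSV layouts are
assumptions; the rows below are constructed sample data.
"""
import csv
import io
from dataclasses import dataclass

# Constructed account export: one row per account on the server.
ACCOUNTS_CSV = """account,owner_id,scope,approval_ticket
jsmith,E1001,domain,REQ-100
mlee,E1002,domain,REQ-101
svc_backup,E1003,local,REQ-102
oldtemp,E1004,domain,
Guest,,local,
Administrator,,local,
dbadmin,,local,REQ-103
"""

# Constructed HR feed: employee id and current employment status.
HR_CSV = """employee_id,status
E1001,active
E1002,active
E1003,active
E1004,terminated
"""

# Built-in local accounts that are expected to exist outside the domain.
BUILTIN_LOCAL = {"Guest", "Administrator"}


@dataclass
class Finding:
    account: str
    issue: str


def load_csv(text):
    """Parse CSV text into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def review_accounts(accounts_csv, hr_csv, allowed_local_exceptions=()):
    """Return findings for accounts that fail the provisioning checks.

    allowed_local_exceptions: local (non-domain) accounts that have a
    documented exception, e.g. a service account required by an application.
    """
    hr_status = {r["employee_id"]: r["status"] for r in load_csv(hr_csv)}
    findings = []
    for row in load_csv(accounts_csv):
        name = row["account"]
        owner = row["owner_id"]
        if name in BUILTIN_LOCAL:
            continue  # built-ins are expected; reviewed separately
        # Ownership: every account must map to an active employee.
        if not owner:
            findings.append(Finding(name, "no owner on record"))
        elif owner not in hr_status:
            findings.append(Finding(name, f"owner {owner} not in HR feed"))
        elif hr_status[owner] != "active":
            findings.append(Finding(name, f"owner {owner} is {hr_status[owner]}"))
        # Approval: evidence the account was approved before creation.
        if not row["approval_ticket"]:
            findings.append(Finding(name, "no approval evidence"))
        # Scope: local accounts outside the domain need a documented exception.
        if row["scope"] == "local" and name not in allowed_local_exceptions:
            findings.append(Finding(name, "local account outside the domain "
                                          "without documented exception"))
    return findings


if __name__ == "__main__":
    for f in review_accounts(ACCOUNTS_CSV, HR_CSV,
                             allowed_local_exceptions=("svc_backup",)):
        print(f"{f.account}: {f.issue}")
```

Each finding is something to raise with the administrator; in the sample data the terminated owner of oldtemp and the unowned local account dbadmin are the two that would not survive the discussion.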
Groups can greatly simplify the provisioning and deprovisioning process for adding or removing user access to systems as users join and leave a team. However, old
Review the contents of the groups on the system for appropriate membership while you're looking through the accounts using the method in the
Additionally, ensure that the IT security team, investigations team, and appropriate support personnel have administrative access to the server. This may not pertain to all organizations, and there may be some exceptions. These should be placed into a group and not added as individual users to the server.
| Note |
Although mentioned previously, it bears repeating that it's common to have exception requests that document exceptions to policy. This is fine as long as the requests are documented with the specific accepted risks and the appropriate management sign-off on the request. Many large organizations require the highest levels of management to sign off on such
|
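Reviewing the Administrators group for the points above means flattening nested group membership and then checking two things: that admin rights arrive through groups rather than individual user entries, and that the groups present are the ones an exception request or policy actually names. The script below is an added example and not the book's or any tool's code; the membership listing, the domain name SECOPS and the approved-group set are constructed assumptions.

```python
"""Review local Administrators membership for group-based access.

Added example (not from the book). The membership listing, the SECOPS domain
and the approved-group list are constructed assumptions.
"""

# Constructed listing: group -> list of (member name, member type), as a
# membership dump would give it. SECOPS\\SecTier2 nests back into ITSecurity
# to show the cycle guard.
GROUPS = {
    "Administrators": [
        ("SECOPS\\ITSecurity", "Group"),
        ("SECOPS\\Investigations", "Group"),
        ("SECOPS\\jdoe", "User"),
        ("Administrator", "User"),
        ("SECOPS\\Domain Admins", "Group"),
    ],
    "SECOPS\\ITSecurity": [("SECOPS\\asmith", "User"), ("SECOPS\\SecTier2", "Group")],
    "SECOPS\\SecTier2": [("SECOPS\\bjones", "User"), ("SECOPS\\ITSecurity", "Group")],
    "SECOPS\\Investigations": [("SECOPS\\cwu", "User")],
    "SECOPS\\Domain Admins": [("SECOPS\\dadmin", "User")],
}

# Groups that policy (or a signed-off exception) says should hold admin rights.
APPROVED_ADMIN_GROUPS = {
    "SECOPS\\ITSecurity",
    "SECOPS\\Investigations",
    "SECOPS\\ServerSupport",
}

# Built-in user that is expected to be a direct member.
BUILTIN_ADMIN_USERS = {"Administrator"}


def effective_users(group, groups, seen=None):
    """Return every user reachable through nested membership of `group`.

    `seen` guards against circular nesting, which AD permits.
    """
    seen = set() if seen is None else seen
    users = set()
    if group in seen:
        return users
    seen.add(group)
    for name, kind in groups.get(group, []):
        if kind == "User":
            users.add(name)
        elif kind == "Group":
            users |= effective_users(name, groups, seen)
    return users


def review_admin_group(groups, approved, group="Administrators"):
    """Findings for direct user entries, unapproved groups and missing groups."""
    findings = []
    direct_groups = set()
    for name, kind in groups[group]:
        if kind == "User" and name not in BUILTIN_ADMIN_USERS:
            findings.append(f"{name}: user granted admin directly; "
                            "access should be through a group")
        elif kind == "Group":
            direct_groups.add(name)
            if name not in approved:
                findings.append(f"{name}: group not on the approved admin-group list")
    for missing in sorted(approved - direct_groups):
        findings.append(f"{missing}: approved admin group is not a member")
    return findings


if __name__ == "__main__":
    for line in review_admin_group(GROUPS, APPROVED_ADMIN_GROUPS):
        print(line)
    print("effective admins:", sorted(effective_users("Administrators", GROUPS)))
```

The flattened list is what you compare against the people who should actually have administrative access; the direct-membership findings are what you compare against the exception paperwork.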
If passwords on the system are easy to guess, it is more likely that an attacker will be able to break into that account, obtaining unauthorized access to the system and its resources. A key mitigating control for many organizations is the use of
All accounts should have passwords. The
There are several ways to retrieve and test
| Note |
You can download pwdump6 directly from http://www.foofus.net/fizzgig/pwdump or visit http://www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003 for this and many other cracking utilities. |
Perhaps the
Once you have the hashes, you can attempt to crack the passwords with one of the password crackers listed in Table 6-4. Several of them will also take the SAM and SYSTEM files as direct inputs, dump the hashes, and perform the crack.
| Cracker | Cost | Comments |
|---|---|---|
| John | Free | Get it from http://www.openwall.com. It's a fast brute-force cracker. John supports dictionaries and is command line. |
| rcrack | Free | Code is originally from Zhu Shuanglei at http://www.antsight.com/zsl/rainbowcrack. Now it's built into a lot of tools such as Cain and Abel (http://www.oxid.it). You must find, generate, or buy tables. |
| Ophcrack | Free | It's sometimes |
| plain-text. | Free | Located online at http://www.plain-text.info. |
| Proactive Password Auditor | $300-$2500 | Cost depends on number of user accounts. It's located at http://www.elcomsoft.com/ppa.html. |
| SAMInside | $40 | Located at http://www.insidepro.com. You need your own rainbow tables, but the program supports them. |
Password controls are essential to enforcing password complexity, length, age, and other factors that keep unauthorized users out of a system.
You'll find the account policies as they affect your system by typing rsop.msc at the command line. When the window opens, select Computer Configuration > Windows Settings > Account Policies. In general, verify that the policies listed in Table 6-5 are set in accordance with your local policies. Some common settings have been listed.
| Policy | Setting |
|---|---|
| Minimum password age | 1 day |
| Maximum password age | 90-180 days |
| Minimum password length | 8 |
| Password complexity | Enabled |
| Password history | 10-20 passwords |
| Store passwords using reversible encryption | Disabled, if possible, but really understand and test this before making this decision |
| Account lockout duration | 10-30 minutes |
| Account lockout threshold | 10-20 attempts |
| Reset account lockout after | 10-30 minutes |
You might try using DumpSec to pull account policies, but make sure that it pulls the specific settings you want. DumpSec doesn't gather everything in Table 6-5.
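Where DumpSec falls short, the built-in secedit tool exports the whole local security policy (secedit /export /cfg out.inf), and its [System Access] section carries every Table 6-5 setting as an integer. The script below is an added example, not the book's or Microsoft's code: it parses that section and compares the values with the Table 6-5 ranges, treating the two special values an auditor is most likely to miss (a maximum age of -1 meaning passwords never expire, and a lockout threshold of 0 meaning no lockout at all) as findings in their own right. The export text is constructed; a real file is UTF-16 and should be opened with encoding="utf-16".

```python
"""Compare a secedit policy export against the Table 6-5 ranges.

Added example (not from the book). The export below is constructed sample
text in the INF layout secedit writes; real files are UTF-16 encoded.
"""

SAMPLE_EXPORT = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 5
ClearTextPassword = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Table 6-5 ranges as (low, high, unit); None means no bound on that side.
EXPECTED = {
    "MinimumPasswordAge": (1, None, "days"),
    "MaximumPasswordAge": (90, 180, "days"),
    "MinimumPasswordLength": (8, None, "characters"),
    "PasswordComplexity": (1, 1, "(1 = enabled)"),
    "PasswordHistorySize": (10, 20, "passwords"),
    "ClearTextPassword": (0, 0, "(0 = reversible encryption disabled)"),
    "LockoutBadCount": (10, 20, "attempts"),
    "LockoutDuration": (10, 30, "minutes"),
    "ResetLockoutCount": (10, 30, "minutes"),
}


def parse_system_access(text):
    """Return the [System Access] keys as a dict; numeric values become int."""
    section = None
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "System Access" and "=" in line:
            key, _, val = line.partition("=")
            val = val.strip()
            try:
                values[key.strip()] = int(val)
            except ValueError:
                values[key.strip()] = val.strip('"')  # e.g. NewAdministratorName
    return values


def check_policy(values, expected=EXPECTED):
    """Findings for settings that are missing, disabled or outside the range."""
    findings = []
    for key, (lo, hi, unit) in expected.items():
        if key not in values:
            # secedit leaves the lockout duration/reset keys out when
            # LockoutBadCount is 0, so "missing" usually means "no lockout".
            findings.append(f"{key}: not present in export")
            continue
        v = values[key]
        if key == "MaximumPasswordAge" and v == -1:
            findings.append("MaximumPasswordAge: -1 means passwords never expire")
            continue
        if key == "LockoutBadCount" and v == 0:
            findings.append("LockoutBadCount: 0 disables account lockout")
            continue
        if (lo is not None and v < lo) or (hi is not None and v > hi):
            rng = f"{lo}-{hi}" if hi is not None else f"at least {lo}"
            findings.append(f"{key}: {v} is outside the Table 6-5 range "
                            f"({rng} {unit}); compare against local policy")
    return findings


if __name__ == "__main__":
    for line in check_policy(parse_system_access(SAMPLE_EXPORT)):
        print(line)
```

Because Table 6-5 lists common settings rather than mandatory ones, a value outside a range is reported for comparison with the organization's own policy, whereas the never-expire and no-lockout cases are reported as findings regardless.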