Managing Credentials


Authentication is an organization's first defense against malicious intruders. As a result, many organizations have implemented stringent validation criteria, including strong passwords and smart cards.

Passwords can be the weakest link in a computer security scheme. Network passwords that once took weeks to break can now be broken in hours. However, it still can take months to crack a strong password. A strong password that is hard to break has the following characteristics:

  • Contains at least six characters.

  • Contains characters from each of the following three groups:

    • Uppercase and lowercase letters (A, a, B, b, C, c, and so on)

    • Numerals

    • Symbols (characters that are not defined as letters or numerals, such as !, @, #, and so on)

  • Contains at least one symbol character in the second through sixth positions.

  • Is significantly different from prior passwords.

  • Does not contain your name or user name.

  • Is not a common word or name.

Windows XP Professional passwords can have up to 127 characters. However, if you use Windows XP Professional on a network that also has computers using Windows 95 or Windows 98, consider using passwords no longer than 14 characters. If your password is longer, you might not be able to log on to your network from those computers.
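The characteristics listed above can be enforced mechanically. The following Python checker is an added example, not code from the Resource Kit: it implements each rule in the list plus the 127-character maximum and the 14-character legacy-client limit. It reads the first character group as requiring both an uppercase and a lowercase letter, treats a prior password as "significantly different" when its edit distance is at least three, and uses a tiny common-word list; the threshold and the word list are assumptions for illustration.

```python
"""Strong-password policy checker (added example, not from the Resource Kit).

Enforces the rules listed above: minimum length, the three character groups,
a symbol within positions 2 through 6, no user name or personal name, no common
word, and a meaningful difference from prior passwords, plus the 127-character
Windows XP maximum.  COMMON_WORDS and MIN_EDIT_DISTANCE are illustrative
assumptions, not values from the chapter.
"""
import string

MIN_LEN = 6            # "at least six characters"
MAX_LEN = 127          # Windows XP Professional limit
LEGACY_MAX_LEN = 14    # longest password usable from Windows 95/98 clients
MIN_EDIT_DISTANCE = 3  # assumed threshold for "significantly different"

# Assumed tiny dictionary; a real filter would load a full word list.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin", "secret"}


def is_symbol(ch):
    """A symbol is any character that is not a letter or a numeral."""
    return not ch.isalnum()


def edit_distance(a, b):
    """Levenshtein distance, used to judge how far a new password is from an old one."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_password(password, user_name, full_name="", prior_passwords=()):
    """Return the list of rules the candidate violates; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LEN:
        problems.append("shorter than %d characters" % MIN_LEN)
    if len(password) > MAX_LEN:
        problems.append("longer than %d characters" % MAX_LEN)

    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    has_digit = any(c.isdigit() for c in password)
    has_symbol = any(is_symbol(c) for c in password)
    if not (has_upper and has_lower and has_digit and has_symbol):
        problems.append("needs letters of both cases, a numeral and a symbol")
    # Positions 2 through 6 are indexes 1 through 5.
    if not any(is_symbol(c) for c in password[1:6]):
        problems.append("no symbol in positions 2 through 6")

    lowered = password.lower()
    names = [user_name] + full_name.split()
    if any(len(n) >= 3 and n.lower() in lowered for n in names):
        problems.append("contains the user name or the user's name")
    # Strip digits and punctuation from the ends so "Password1!" is still caught.
    core = lowered.strip(string.punctuation + string.digits)
    if lowered in COMMON_WORDS or core in COMMON_WORDS:
        problems.append("is a common word")
    if any(edit_distance(lowered, old.lower()) < MIN_EDIT_DISTANCE for old in prior_passwords):
        problems.append("too similar to a prior password")
    return problems


def works_on_legacy_clients(password):
    """True if Windows 95/98 clients can also log on with this password."""
    return len(password) <= LEGACY_MAX_LEN
```

The rules mirror the chapter's six-character minimum; current guidance favours length over composition, which is why MIN_LEN is a parameter rather than a fixed constant in the logic.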

Warning 

Require users to change passwords frequently. Although a strong password can help protect against intruders, given enough time, automated password-cracking tools can crack any password. Changing passwords can minimize the risk of an intruder determining a password. It also minimizes potential damage when a password is compromised without the user's knowledge.

Blank Password Restrictions

By default, Windows XP Professional does not require users with local accounts, including administrators, to have passwords. Users can choose to set passwords on their own accounts, or administrators can assign passwords to users on a local computer.

To protect users who do not password-protect their accounts, Windows XP Professional accounts without passwords can only be used to log on at the physical computer console. By default, accounts with blank passwords can no longer be used to log on to the computer remotely over the network, or for any other logon activity except at the main physical console logon screen. For example, you cannot use the secondary logon service (RunAs) to start a program as a local user with a blank password.

Caution 

If your computer is not in a physically secured location, it is recommended that you assign passwords to all local user accounts. Failure to do so allows anyone with physical access to the computer to log on using an account that does not have a password. This is especially important for portable computers, which should always have strong passwords on all local user accounts.

Assigning a password to a local account removes the restriction that prevents logging on over a network and permits that account to access any resources it is authorized to access, even over a network connection.

Note 

This restriction does not apply to domain accounts. It also does not apply to the local Guest account. If the Guest account is enabled and has a blank password, it is permitted to log on and to access any resource authorized for the Guest account. For more information about managing network logons using the Guest account, see Authorization and Access Control in this book.

If you want to disable the restriction against logging on to the network without a password, you can do so through Local Security Policy. The policy setting that controls the blank password restriction can be modified using the Local Security Policy or Group Policy MMC snap-ins. In either tool, the setting is under Security Settings\Local Policies\Security Options and is named Accounts: Limit local account use of blank passwords to console logon only. It is enabled by default. In the registry, the setting corresponds to the LimitBlankPasswordUse DWORD value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa (1 = enabled), which is the value to check when auditing a computer.

Caution 

Disabling this policy setting might degrade the security of your Windows XP Professional computer. Before disabling this policy setting, ensure that all local accounts have strong passwords, or that the computer is in a secure and trusted environment where it will not be subject to attack.

Password Management

You can use User Accounts in Control Panel or the Local Users and Groups MMC snap-in to add and remove local user accounts, add and remove users from groups, and work with passwords. When the Windows XP Professional-based computer is connected to a Windows NT or Windows 2000 Server domain, you can use Local Users and Groups to add domain user accounts to local groups and to remove them. When the Windows XP Professional-based computer is not connected to a domain, you can use User Accounts to add and remove local user accounts and assign users to a local group.

To change the password for a user

  1. In Control Panel, open User Accounts. In the User Accounts dialog box, click the user's name, and then click Reset Password.

  2. Enter the new password twice in the Reset Password dialog box.

  3. If desired, type in a word or phrase in the box provided for password hints.

To perform advanced password-related tasks

  1. In the Local Users and Groups MMC snap-in, double-click the Users folder.

  2. Select and right-click the name of the user who has a local account that you want to manage, and then select Properties.

  3. On the user's Properties page, select one or more of the following options:

    • User must change password at next logon.

    • User cannot change password.

    • Password never expires.

    • Account is disabled.

    • Account is locked out.

Group Policy

You can use Group Policy to perform more advanced password management tasks, such as setting a minimum password length or the interval between password changes. When you review your password security policies, establish your Account Lockout Policy at the same time. This policy locks a user account after a certain number of incorrect passwords are tried in succession. For more information about password-related policy options, see Account Policies later in this chapter.

Note 

You must log on as an administrator or be a member of the Administrators group to add and delete user accounts, assign users to a local group, and set or change user passwords.

Stored User Names and Passwords

It is not always desirable to use one set of credentials for access to different resources. For example, when an administrator accesses a remote server, you might want him or her to use administrative rather than user credentials. Similarly, if a user will be accessing external resources such as a bank account, you might prefer that he or she use credentials that are different than their network username and password.

Stored User Names and Passwords in Control Panel simplifies the management and use of multiple sets of logon credentials, including X.509 certificates used with smart cards and Passport credentials. The credentials are part of the user's profile and are stored until needed. This can increase security on a per-resource basis: if one password is compromised, the credentials for other resources are not.

Note 

Microsoft Passport provides a single name, password, and wallet that can be used on multiple Web sites.

After a user logs on and attempts to access additional password-protected resources, such as a share on a server, and if the user's default logon credentials are not sufficient to gain access, then Stored User Names and Passwords is queried. If alternate credentials with the correct logon information have been saved in Stored User Names and Passwords, these credentials are used to gain access. Otherwise, the user is prompted to supply new credentials, which can then be saved for reuse, either later in the logon session or during a subsequent session.

Several restrictions apply:

  • If Stored User Names and Passwords contains invalid or incorrect credentials for a specific resource, access to the resource will be denied, and the Stored User Names and Passwords dialog box will not appear.

  • Stored User Names and Passwords stores credentials only for NTLM, Kerberos, Passport, and SSL authentication. Microsoft Internet Explorer maintains its own cache for basic authentication.

These credentials become an encrypted part of a user's local profile in the \Documents and Settings\Username\Application Data\Microsoft\Credentials directory. As a result, these credentials can roam with the user if the user's network policy supports Roaming Profiles. However, if you have copies of Stored User Names and Passwords on two different computers and change the credentials that are associated with the resource on one of these computers, the change will not be propagated to Stored User Names and Passwords on the second computer.

To store a new user name and password

  1. In Control Panel, open User Accounts.

  2. On computers joined to a domain, click the Advanced tab, and then click Manage Passwords.

    or

    On computers not joined to a domain, click the icon that represents your user account, and then, under Related Tasks, click Manage your stored passwords.

  3. Click Add.

  4. Type the appropriate information in the spaces provided.

    Warning 

    Educate your users about the importance of using strong passwords for all credentials stored in Stored User Names and Passwords.

To store a Passport ID

  1. In Control Panel, open User Accounts.

  2. On computers not joined to a domain, click the icon that represents your user account, and then, under What do you want to change about your account?, click Create a Passport.

    or

    On computers joined to a domain, click the Advanced tab, then click .NET Passport Wizard.

  3. Type the appropriate information in the spaces provided.

  4. In the When accessing box, type *.passport.com.

    Warning 

    Some credentials are used infrequently. Others might be for extremely sensitive resources that the user wants to protect more carefully. When appropriate, have users store credentials for This logon session only. Credentials for a single logon session are typically stored by selecting the appropriate check box in the User Names and Password dialog box.
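The lookup described under "After a user logs on..." above, the wildcard target such as *.passport.com, and the "This logon session only" persistence option can be modelled in a few dozen lines. The Python below is an added example, not Windows code: the CredentialStore, the authenticate and prompt callbacks and the ACCOUNTS table are constructed for illustration, and the persistence names are this example's own rather than the Win32 constants.

```python
"""Model of Stored User Names and Passwords resolution (added example, not Windows code).

Shows the outcomes described above: default credentials suffice, a stored entry
(exact target or wildcard pattern such as *.passport.com) is tried silently, a
stored entry that is wrong denies access without any prompt, and a session-only
entry disappears when the logon session ends.
"""
from dataclasses import dataclass
from fnmatch import fnmatchcase

SESSION = "session"          # "This logon session only"
PERSISTENT = "persistent"    # kept in the user's profile (roams with it)


@dataclass
class Credential:
    target: str     # server name or wildcard pattern, e.g. "*.passport.com"
    user: str
    secret: str
    persist: str = PERSISTENT


class CredentialStore:
    def __init__(self):
        self._entries = []

    def add(self, cred):
        # One entry per target; a new entry for the same target replaces the old one.
        self._entries = [c for c in self._entries if c.target.lower() != cred.target.lower()]
        self._entries.append(cred)

    def lookup(self, resource):
        """An exact target wins over a wildcard pattern that also matches."""
        name = resource.lower()
        for c in self._entries:
            if c.target.lower() == name:
                return c
        for c in self._entries:
            if "*" in c.target and fnmatchcase(name, c.target.lower()):
                return c
        return None

    def end_session(self):
        """Logoff: drop everything saved for this logon session only."""
        self._entries = [c for c in self._entries if c.persist != SESSION]


def connect(store, resource, default_creds, authenticate, prompt):
    """Resolve credentials for `resource` the way the text describes.

    authenticate(resource, user, secret) -> bool is the remote resource's check;
    prompt(resource) -> (user, secret, persist_or_None) or None stands in for the
    dialog box.  Returns "ok:default", "ok:stored", "ok:prompted" or "denied".
    """
    if authenticate(resource, *default_creds):
        return "ok:default"
    stored = store.lookup(resource)
    if stored is not None:
        # Stored but wrong: access is denied and no dialog box appears.
        return "ok:stored" if authenticate(resource, stored.user, stored.secret) else "denied"
    answer = prompt(resource)
    if answer is None:
        return "denied"
    user, secret, persist = answer
    if not authenticate(resource, user, secret):
        return "denied"
    if persist is not None:
        store.add(Credential(resource, user, secret, persist))
    return "ok:prompted"


# Constructed "network": which user/secret each resource accepts.
ACCOUNTS = {
    "fileserver": ("CORP\\alice-admin", "Adm1n!Pw"),
    "login.passport.com": ("alice@example.com", "pp-S3cret"),
    "wallet.passport.com": ("alice@example.com", "pp-S3cret"),
}


def demo_authenticate(resource, user, secret):
    return ACCOUNTS.get(resource) == (user, secret)


def no_prompt(resource):
    """Stand-in prompt for paths where a dialog box must not appear."""
    raise AssertionError("a prompt appeared for %s" % resource)
```

The "stored but wrong" branch is the restriction the chapter calls out: an expired or mistyped stored credential is presented silently and the user sees a denial rather than a prompt, which is also how stale stored credentials produce account lockouts.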

Some administrators might not feel comfortable with allowing users to store network credentials for later use. This might be due to concern about reduced security, or about an increase in the number of account lockouts when credentials stored in Stored User Names and Passwords expire but continue to be presented. As a result, a Group Policy setting has been introduced to allow you to limit use of Stored User Names and Passwords.

To limit use of Stored User Names and Passwords

  1. In the Group Policy MMC snap-in, double-click the Security Options folder (Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options).

  2. Right-click Network access: Do not allow storage of credentials or .NET Passports for network authentication.

  3. Click Enabled, and then click OK.
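The settings discussed under Blank Password Restrictions and Group Policy above, and the one set in the procedure just above, all surface in a security template, which `secedit /export /cfg <file>` writes as an INF file. The Python below is an added example, not from the Resource Kit: it audits such an export against this chapter's guidance (minimum length six, complexity on, a password history so new passwords differ from old ones, an expiry so passwords are changed, an Account Lockout Policy, and LimitBlankPasswordUse set to 1) and reports whether DisableDomainCreds, the registry value behind "Network access: Do not allow storage of credentials or .NET Passports for network authentication", is enabled. The two INF samples are constructed, and the 90-day expiry ceiling is an assumption.

```python
r"""Audit a security template exported with secedit (added example, not from the
Resource Kit).  On the audited computer run:  secedit /export /cfg policy.inf
and read it with open("policy.inf", encoding="utf-16").  WEAK_INF and
HARDENED_INF are constructed samples; MAX_AGE_DAYS is an assumed ceiling, the
other thresholds come from this chapter."""
import configparser

MIN_LENGTH = 6
MAX_AGE_DAYS = 90
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"

WEAK_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

HARDENED_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 12
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1
[Version]
signature="$CHICAGO$"
Revision=1
"""


def load_template(inf_text):
    cfg = configparser.ConfigParser(interpolation=None, strict=False)
    cfg.optionxform = str  # keep registry paths exactly as written
    cfg.read_string(inf_text)
    return cfg


def reg_dword(cfg, path, default=None):
    """[Registry Values] lines read PATH=<type>,<data>; type 4 is REG_DWORD."""
    if not cfg.has_section("Registry Values") or not cfg.has_option("Registry Values", path):
        return default
    kind, data = cfg["Registry Values"][path].split(",", 1)
    if kind.strip() != "4":
        raise ValueError("%s is not a REG_DWORD entry" % path)
    return int(data)


def audit(inf_text):
    """Return the list of findings; an empty list means the template meets the guidance."""
    cfg = load_template(inf_text)
    access = cfg["System Access"]

    def setting(name, default):
        return int(access.get(name, default))

    findings = []
    if setting("MinimumPasswordLength", 0) < MIN_LENGTH:
        findings.append("MinimumPasswordLength is below %d" % MIN_LENGTH)
    if setting("PasswordComplexity", 0) != 1:
        findings.append("PasswordComplexity is off")
    if setting("PasswordHistorySize", 0) < 1:
        findings.append("PasswordHistorySize is 0; prior passwords can be reused")
    age = setting("MaximumPasswordAge", -1)  # -1 in a template means never expires
    if age == -1 or age > MAX_AGE_DAYS:
        findings.append("MaximumPasswordAge does not force regular changes")
    if setting("LockoutBadCount", 0) == 0:
        findings.append("LockoutBadCount is 0; no Account Lockout Policy")
    # Default of 1 mirrors the out-of-the-box state described above.
    if reg_dword(cfg, LSA + r"\LimitBlankPasswordUse", 1) != 1:
        findings.append("LimitBlankPasswordUse is not 1; blank-password accounts can log on over the network")
    return findings


def stored_credentials_allowed(inf_text):
    """False when 'Network access: Do not allow storage of credentials...' is enabled."""
    return reg_dword(load_template(inf_text), LSA + r"\DisableDomainCreds", 0) != 1
```

Whether DisableDomainCreds should be on is a policy decision rather than a finding, which is why it is reported separately from the audit list.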

Backing Up and Restoring Passwords

Forgetting passwords is one of the most common problems users, including administrators, encounter on local computers. To prevent users from being locked out of their computers, a Password Reset Wizard has been added to Windows XP Professional. The wizard allows users to create a backup disk, which they can use later to reset their password if they forget their Windows password.

Note 

The ability to back up and restore passwords applies only to local user accounts. It does not apply to network-based passwords and accounts. Also, users can back up passwords only for accounts that they are logged on to. Administrators can create password backups only for their own accounts, not for other users.

The backup disk does not actually store the user's password; that would pose a security risk. Instead, the disk contains a private and public key pair that the backup process generates. A file containing the user's password encrypted with the public key is stored on the computer, separate from the Security Accounts Manager database. Because the private key on the disk is what decrypts that file, anyone who obtains the disk can reset the password and take over the account, so the disk must be stored as carefully as the password itself.

The following procedure describes the password backup process, which can be performed when a password is set or at any time the user chooses.

To back up a password

  1. In Control Panel, click User Accounts, and then select your own account.

  2. In the Related Tasks pane, click Create a Password Reset Disk to launch the Password Reset Wizard, and then click Next.

    Note 

    If the computer is joined to a domain, the domain-based version of User Accounts is used even when the user logs on by using a local account. To access the Password Reset Wizard in this situation, press CTRL+ALT+DEL, click Backup, and then click Next.

  3. Insert removable media into the drive where the backup key will be stored, and then click Next.

    Note 

    The backup can be stored only to removable media, not to the local computer.

  4. In Current User Account Password, in the Current user account password box, type your existing password, and then click Next.

  5. A progress indicator appears. During this phase:

    A file containing a 2048-bit public key is created on the local computer. This file is a self-signed certificate containing the SID of the user and the user's password encrypted by the public key.

    The certificate and the private key are written to removable media.

  6. Click Finish.

The Password Reset Wizard allows users to back up their passwords without having to create a new backup disk for every password change. Every time a user changes a password, the new password is encrypted using the public key and a function of the previous encrypted password. The encrypted password is then added to a list of previous password changes in the file where the public key resides.

To restore a password, Windows XP Professional includes the Password Reset Wizard, which appears when the user enters an incorrect password. This wizard asks for the drive where the backup disk is located and prompts the user for a new account password. After the new password is entered, the user's private key is retrieved from the backup media, the user's profile is loaded, and the wizard attempts to decrypt the last encrypted password by using the private key. If the process succeeds, the password entered earlier in the process becomes the new password and the user is allowed to access the system. If the decryption fails, the user is informed that the reset disk is invalid and the wizard closes.
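The scheme described above (private key on the removable disk, the password encrypted under the matching public key kept on the computer, a chain of encrypted passwords extended on each change, and a decryption failure meaning "invalid disk") can be reproduced with any public-key library. The Python below is an added example, not the Windows implementation: it uses the third-party `cryptography` package with RSA-OAEP, keeps the "disk" and the local record as in-memory byte and JSON strings rather than a self-signed certificate, and simply appends each new encrypted password to the chain because the page does not specify the "function of the previous encrypted password" that Windows applies. The SID is a placeholder.

```python
"""Password reset disk model (added example, not Windows code).  Requires the
'cryptography' package.  The private key is the only thing on the disk; the
computer keeps the public key and the chain of encrypted passwords."""
import base64
import json

from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

OAEP = padding.OAEP(mgf=padding.MGF1(algorithm=hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


def _pub_encrypt(pub_pem, password):
    pub = serialization.load_pem_public_key(pub_pem)
    return base64.b64encode(pub.encrypt(password.encode("utf-8"), OAEP)).decode("ascii")


def create_reset_disk(sid, password):
    """Return (disk_bytes, local_record): disk_bytes goes to removable media,
    local_record stays on the computer, outside the SAM."""
    key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    disk_bytes = key.private_bytes(serialization.Encoding.PEM,
                                   serialization.PrivateFormat.PKCS8,
                                   serialization.NoEncryption())
    pub_pem = key.public_key().public_bytes(serialization.Encoding.PEM,
                                            serialization.PublicFormat.SubjectPublicKeyInfo)
    record = {"sid": sid, "public_key": pub_pem.decode("ascii"), "chain": []}
    record["chain"].append(_pub_encrypt(pub_pem, password))
    return disk_bytes, json.dumps(record)


def record_password_change(local_record, new_password):
    """Called on every password change: no new disk is needed, the new password
    is appended to the chain under the same public key."""
    record = json.loads(local_record)
    record["chain"].append(_pub_encrypt(record["public_key"].encode("ascii"), new_password))
    return json.dumps(record)


def reset_password(disk_bytes, local_record, new_password):
    """Decrypt the last chain entry with the disk's private key.  Success proves
    the disk belongs to this record and yields the current password, which the
    reset then replaces with new_password; failure means the disk is invalid and
    nothing changes.  Returns (recovered_password_or_None, updated_record)."""
    record = json.loads(local_record)
    key = serialization.load_pem_private_key(disk_bytes, password=None)
    try:
        current = key.decrypt(base64.b64decode(record["chain"][-1]), OAEP).decode("utf-8")
    except ValueError:
        return None, local_record
    # Windows would now set new_password on the account; extending the chain
    # keeps the same disk valid after the reset, as the text describes.
    return current, record_password_change(local_record, new_password)
```

The recovered value returned by reset_password makes the caveat concrete: possession of the disk plus read access to the local file yields the current cleartext password, not merely the ability to set a new one.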

Note 

You cannot reset the user password if the hard disk is reformatted or the file containing the chain of encrypted passwords is deleted.

Smart Cards

A smart card is an integrated circuit card (ICC) approximately the size of a credit card. You can use it to store certificates and private keys and to perform public key cryptography operations, such as authentication, digital signing, and key exchange.

A smart card enhances security as follows:

A smart card uses a personal identification number (PIN) instead of a password. The smart card is protected from misuse by the PIN, which the owner of the smart card selects. To use the smart card, the user inserts the card into a smart card reader attached to a computer, and then enters the PIN.

A PIN offers more protection than a standard network password, whose strength depends on its length, how well it is protected, and how difficult it is to guess. A PIN, in contrast, never travels on the network; it only unlocks the card locally. In addition, smart cards allow a limited number (typically three to five) of failed attempts to key in the correct PIN before the card locks itself. After the limit is reached, entering the correct PIN does not work, and the user must contact a system administrator to unlock the card.

Windows 2000 and Windows XP Professional support industry-standard, Personal Computer/Smart Card (PC/SC) compliant smart cards and Plug and Play smart card readers that conform to specifications developed by the PC/SC Workgroup. To function with Windows 2000 Server and Windows XP Professional, a smart card must conform physically and electronically to the ISO 7816-1, 7816-2, and 7816-3 standards.

Smart card readers attach to standard personal computer peripheral interfaces such as RS-232, PC Card, and Universal Serial Bus (USB). Some RS-232 readers have an extra cable that plugs into the PS/2 port to draw power for the reader. However, the reader does not communicate through the PS/2 port. Readers are standard Windows devices, and they carry a security descriptor and a Plug and Play identifier. Smart card readers are controlled by standard Windows device drivers, and you can install and remove them by using the Hardware wizard.

Windows 2000 Server and Windows XP Professional include drivers for various commercially available Plug and Play smart-card readers that are certified to display the Windows-compatible logo. Some manufacturers might provide drivers for noncertified smart card readers that currently work with the Windows operating system. Nevertheless, to ensure continued support by Microsoft, it is recommended that you purchase only smart card readers that display the Windows-compatible logo.

Logging On by Using a Smart Card

Smart cards can only be used to log on to domain accounts, not local accounts. When you use a password to log on interactively to a domain account, Windows 2000 Server and Windows XP Professional use the Kerberos V5 protocol for authentication. If you use a smart card, the operating system uses Kerberos V5 authentication with X.509 v3 certificates unless the domain controller is not running Windows 2000 Server.

To initiate a typical logon session, a user must prove the user's identity to the KDC by providing information known only to the user and the KDC. The secret information is a cryptographic shared key derived from the user's password. A shared secret key is symmetric, which means that the same key is used for both encryption and decryption.

To support logging on by using a smart card, Windows 2000 Server implements a public key extension to the Kerberos protocol's initial authentication request. In contrast to shared secret key cryptography, public key cryptography is asymmetric; that is, two different keys are needed, one to encrypt and another to decrypt. Together, the keys needed to perform both operations make up a private/public key pair.

When a smart card is used in place of a password, a private/public key pair stored on the user's smart card is substituted for the shared secret key derived from the user's password. The private key is stored only on the smart card. The public key can be made available to anyone with whom the owner wishes to exchange confidential information.

In the public key extension to the Kerberos protocol, the client signs its part of the initial Authentication Service Exchange (AS Exchange) with the private key and passes its certificate to the KDC. The KDC verifies the signature and the certificate, and then encrypts the user's logon session key with the public half of the user's key pair. The client decrypts the logon session key by using the private half of the key pair, an operation that takes place on the smart card.

Initiating a smart card logon session involves the following process:

  1. The user inserts a smart card into a card reader attached to the computer.

  2. The insertion of the card signals the SAS just as pressing CTRL+ALT+DEL signals the SAS on computers configured for logging on using a password.

  3. In response, Winlogon dispatches to MSGINA, which displays a modified logon dialog box. In this case, however, the user types only the personal identification number (PIN).

  4. MSGINA sends the user's logon information to the LSA just as it does with a logon session using a password.

  5. The LSA uses the PIN for access to the smart card, which contains the user's private key along with an X.509 v3 certificate that contains the public half of the key pair.

  6. The Kerberos SSP on the client computer sends the user's public key certificate to the KDC as pre-authentication data in its initial authentication request.

  7. The KDC validates the certificate, extracts the public key, and then uses the public key to encrypt a logon session key. It returns the encrypted logon session key and a TGT to the client.

  8. If the client owns the private half of the key pair, it can use the private key to decrypt the logon session key. Both the client and the KDC then use this logon session key in all future communications with one another.

    Warning 

    The private key never leaves the smart card. Every cryptographic operation that uses it, including signing the pre-authentication data and decrypting the logon session key, takes place on the card, which is why the PIN, and not the key, is what the computer handles.

The rest of the authentication process is the same as for a standard logon session.

For information about the types of smart cards and smart card readers supported by Windows 2000 Server and Windows XP Professional, see Compatible Hardware and Software in Windows XP Professional Help and Support Center.

Automating Logon

Using Windows XP Professional, you can automate the logon process by storing your password and other pertinent information in the registry. Using this feature, other users can start your computer and use the account you enable to log on automatically.

Caution 

Although enabling autologon can make it more convenient to use Windows XP Professional, using this feature is a security risk. Setting a computer for autologon means that anyone who can physically obtain access to the computer can gain access to all of the computer's contents, potentially including any network or networks it is connected to. A second risk is that enabling autologon causes the password to be stored in the registry in plain text. The specific registry key that stores this value is remotely readable by the Authenticated Users group. As a result, this setting is appropriate only when the computer is physically secured, and unauthorized users are prevented from remotely accessing the registry.

You can enable autologon by using the following procedure to edit the registry:

Caution 

Do not edit the registry unless you have no alternative. The registry editor bypasses standard safeguards, allowing settings that can damage your system or even require you to reinstall Windows. If you must edit the registry, back it up first and see the Registry Reference in the Microsoft Windows 2000 Server Resource Kit at http://www.microsoft.com/reskit

To add logon information by editing the registry

  1. In the Run dialog box, type regedit.exe, and then click OK.

  2. Navigate to the registry subkey HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

  3. Double-click the DefaultUserName entry.

  4. In the Value data box, type your user name, and then click OK.

  5. If the DefaultPassword entry does not exist, click New on the Edit menu, and then select String Value.

    1. In the Name box, type:

      DefaultPassword

    2. Double-click DefaultPassword.

    3. In the Value Data field, type your password.

  6. Double-click AutoAdminLogon, and then enter 1 in the Value data box.

  7. Close the registry editor.

  8. Restart your computer.

Starting the computer now causes the logon process to occur automatically.
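Because the DefaultPassword value is cleartext and remotely readable, it is worth scanning for. The Python below is an added example, not from the Resource Kit: it parses the text that `reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg` produces (the sample here is constructed) and reports whether autologon is enabled, whether a cleartext password is present, and the case of a leftover DefaultPassword with autologon turned off, which still exposes the password.

```python
r"""Scan a Winlogon registry export for autologon settings (added example, not
from the Resource Kit).  Produce the input with:
  reg export "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" winlogon.reg
and read it with open("winlogon.reg", encoding="utf-16").  SAMPLE_REG is a
constructed export."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="alice"
"DefaultDomainName"="WORKSTATION"
"AutoAdminLogon"="1"
"DefaultPassword"="Summer2005!"
"ForceUnlockLogon"=dword:00000000
'''

_VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def parse_reg(text):
    """Return {key_path: {value_name: raw_data}} for a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            match = _VALUE_LINE.match(line)
            if match:
                keys[current][match.group("name")] = match.group("data")
    return keys


def reg_string(raw):
    """Decode a REG_SZ literal ("...") from a .reg file; other types give None."""
    if raw is None or len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
        return None
    return re.sub(r'\\(["\\])', r"\1", raw[1:-1])  # undo \" and \\ escaping


def audit_autologon(reg_text):
    """Report the autologon state and the exposure described in the caution above."""
    values = parse_reg(reg_text).get(WINLOGON, {})
    enabled = reg_string(values.get("AutoAdminLogon")) == "1"
    user = reg_string(values.get("DefaultUserName"))
    password = reg_string(values.get("DefaultPassword"))
    findings = []
    if enabled and password is not None:
        findings.append("autologon enabled for %s with cleartext DefaultPassword" % user)
    elif enabled:
        findings.append("AutoAdminLogon is 1 but DefaultPassword is missing; autologon will not occur")
    elif password is not None:
        findings.append("DefaultPassword left in the registry with autologon off")
    return {"enabled": enabled, "password_present": password is not None, "findings": findings}
```

Outside this page: the Sysinternals Autologon tool stores the password as an LSA secret instead of in this cleartext value, which removes the remote-readability problem but not the physical-access one.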

Disabling the Welcome Screen

On computers running Windows XP Professional that are not members of a domain, the default is for users to see a Welcome screen that includes the names of all users with accounts on the computer. The user's password prompt is revealed when the user clicks his or her name. Because the names of all user accounts are made visible on this Welcome screen, this behavior is less secure than using the CTRL+ALT+DEL user interface.

To disable the Welcome screen and require CTRL+ALT+DEL to be used for logons

  1. In Control Panel, click User Accounts.

  2. Click Change the way users log on or off.

  3. Clear the Use the Welcome screen check box. This also disables the Use Fast User Switching option.

Users will now log on using the CTRL+ALT+DEL user interface.




Microsoft Windows XP Professional Resource Kit 2003
Year: 2005
Pages: 338