No matter what operating systems you use on your networked computers, you probably use passwords to control user access to specific resources. There are some sophisticated identification tools available for those networks that require extraordinary amounts of security. For example, one security mechanism requires that a smart card—a credit card–like device with a magnetic strip—be run through a card reader connected to a computer for a user to access the network. There are also biometric devices on the market that can identify users by scanning unique physical characteristics, such as thumbprints or retina patterns. However, most networks don't require such elaborate security measures. Instead, most network administrators require users to supply passwords to access network drives, server applications, and other resources.
Using passwords can be an excellent method of securing network resources, or it can be worse than useless. The usefulness of password protection is largely determined by the policies that the network's administrators establish to govern the creation of passwords. When administrators give users too much freedom to create their own passwords, users tend to specify short, simple passwords that are easy to remember and to rarely, if ever, change them. For example, some users create passwords that are the same as their user names or that consist of letters or numbers that are easy to guess, such as their initials or their birthday. Others use no password at all. This defeats the purpose of having a password, because these are the first things that an unauthorized user will try to guess.
Of course, it is also possible to carry password assignment to the opposite extreme. Some administrators assign passwords to their users. This ensures the selection of better passwords, but it can backfire as well. If a security-conscious administrator decides to assign passwords that consist of long, random sequences of letters and numbers, users are likely to have trouble remembering them. As a result, users often write down their passwords and leave them in obvious places, such as taped to their monitors. This solution is no better than creating a bad password in the first place and it adds to the administrator's workload.
There is a middle ground between these two extremes, however. Most operating systems provide network administrators with tools they can use to impose password policies on their users, such as forcing them to choose passwords of a specific length and change them at regular intervals. This enables users to select their own passwords within parameters established by the administrator. The results are a password that the user can remember more easily and less work for the network administrator. Setting effective password policies requires psychological as well as technological insight. The idea is to set policies that are strict enough to maintain adequate security without inciting open revolt from users. Some of these password policy tools are discussed in the following sections.
Password policies are typically available in network operating systems that use some kind of directory service to authenticate users and grant them access to network resources. For example, you can set password policies on Windows 2000 and Microsoft Windows NT domain controllers and Novell NetWare servers, but you won't find them in Microsoft Windows Me, Microsoft Windows 98, or Microsoft Windows 95.
When you create a new user account in Windows 2000 or Windows NT, you are presented with a series of check boxes that you can use to control the most basic elements of the password policies for the account, as shown in Figure 13.1.
Figure 13.1 The Windows 2000 New Object – User dialog box
The following check boxes are used to control the account's password policies:
When given free rein to choose any passwords they like, many users opt for short passwords because they are easier to remember and type. Some users even elect to use no password at all. Because short passwords are easier to remember, however, they are also easier to guess. One of the most basic password policies provided in most network operating systems is the ability to specify a minimum password length. A longer password is mathematically more difficult to decipher. The Windows 2000 directory service, Active Directory, supports passwords of up to 104 characters, although passwords this long would hardly be practical. Windows NT supports passwords of up to 14 characters. Generally speaking, a minimum password length of five or six characters is suitable for most networks. Some organizations requiring greater security might force users to specify passwords of eight characters or more.
As with all password policies, length requirements are implemented by operating systems in various ways. In Windows 2000, you set password restrictions using the Group Policy feature. You can apply policies to particular domains or organizational units, as needed, using the interface shown in Figure 13.2. When you activate the Minimum Password Length policy, you specify the minimum number of password characters using the Security Policy Setting dialog box shown in Figure 13.3.
Figure 13.2 The Domain Security Policy dialog box is one of the places where you can implement group policies
Figure 13.3 This Security Policy Setting dialog box controls the Minimum Password Length policy
All of the policies listed in the Domain Security Policy dialog box have their own Security Policy Setting dialog boxes, which you use to enable and configure the individual policies. These dialog boxes have different types of controls, depending on the function of the policy.
Another important factor in password security is the regular changing of passwords. Users sometimes give out their passwords to other users for the sake of convenience and rarely remember to change them afterward. By requiring changes at regular intervals, you prevent passwords from becoming common knowledge. In a typical implementation of this feature, the user sees a special dialog box when logging on after the change interval has expired. The dialog box forces the user to specify a new password before being granted access to the network or other resources.
As explained earlier in this lesson, some administrators assign an initial password to an account to keep it secure and then force users to change that password during their first logon. Along those lines, in Windows 2000 you can configure a Group Policy called Maximum Password Age that forces users to change their passwords at intervals of a specified number of days, as shown in Figure 13.4. A typical setting for this policy ranges anywhere from a week to a month, depending on your security needs.
Figure 13.4 This Security Policy Setting dialog box controls the Maximum Password Age policy
Some users become attached to a particular password, however, and resent having to change it. As a result, these users might change their passwords as directed and then immediately try to change them back to their original values. Windows 2000 anticipates this behavior, however, and includes two additional policies that help to reinforce your intentions. The Enforce Password History policy enables you to specify the number of previous passwords that the operating system is to remember for each user. When users change their passwords as required by the Maximum Password Age policy, they cannot reuse any of the previous passwords stored in the history. This prevents users from switching back and forth between two passwords when they make the required changes. The Minimum Password Age policy forces users to wait for a specified number of days after changing their passwords before they can change them again. This prevents users from rapidly changing their passwords several times in a few minutes in an attempt to outmaneuver the history feature.
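The interplay of the Maximum Password Age, Minimum Password Age and Enforce Password History policies described above, as an added example written for this page (not Microsoft's implementation). The policy names are the Windows 2000 names; the values, the per-account salt and the sample passwords are assumptions constructed for the example.

```python
import hashlib
import os
from datetime import datetime, timedelta

# The three policy names are the Windows 2000 Group Policy names used above;
# the values are constructed for this example.
MAXIMUM_PASSWORD_AGE = timedelta(days=30)
MINIMUM_PASSWORD_AGE = timedelta(days=1)
ENFORCE_PASSWORD_HISTORY = 5  # previous passwords remembered per user

def _hash(password, salt):
    # Salted, slow hash: the history keeps hashes, never the passwords themselves.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class Account:
    def __init__(self, password, now):
        self.salt = os.urandom(16)  # one salt per account (a simplification)
        self.history = []           # hashes of recent passwords, oldest first
        self._store(password, now)

    def _store(self, password, now):
        self.history.append(_hash(password, self.salt))
        self.history = self.history[-ENFORCE_PASSWORD_HISTORY:]  # keep last N only
        self.last_change = now

    def is_expired(self, now):
        # Maximum Password Age: a new password is demanded at the next logon.
        return now - self.last_change >= MAXIMUM_PASSWORD_AGE

    def change_password(self, new_password, now):
        """Return 'ok' or the name of the policy that blocked the change."""
        # Minimum Password Age stops rapid changes meant to flush the history.
        if now - self.last_change < MINIMUM_PASSWORD_AGE:
            return "Minimum Password Age"
        # Enforce Password History rejects any password still remembered.
        if _hash(new_password, self.salt) in self.history:
            return "Enforce Password History"
        self._store(new_password, now)
        return "ok"

def simulate():
    """Constructed scenario: a user tries to switch back to an old password."""
    t0 = datetime(2024, 1, 1)
    acct = Account("FluFFy_9", t0)
    at = lambda d, h=0: t0 + timedelta(days=d, hours=h)
    return [acct.is_expired(at(10)),                      # False: still valid
            acct.is_expired(at(30)),                      # True: must change at logon
            acct.change_password("Ief4deF", at(30, 1)),   # "ok"
            acct.change_password("FluFFy_9", at(30, 2)),  # blocked: changed too soon
            acct.change_password("FluFFy_9", at(32))]     # blocked: still in history
```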
When intruders try to crack passwords, they often begin by making a series of guesses based on what they can find out about the person whose account they are trying to access. Names of spouses and children, birthdays, initials, and other bits of common knowledge make bad passwords because it usually isn't too difficult for someone to find them out. Less obvious items, such as the name of the pet rabbit you had when you were younger, make better passwords, but it is better still to make your passwords more complex by mixing up the characters in them. For example, most operating systems use passwords that are case sensitive, so mixing uppercase and lowercase letters (in a pattern that isn't too obvious) can make a simple password much harder to guess. FluFFy is much better than fluffy, for example.
Remember, however, that mixed-case letters also make a password harder to type, so don't overdo it.
You can usually use numbers and certain symbols as well as uppercase and lowercase characters in passwords. Adding these elements to your passwords can make them much more difficult to guess. FluFFy_9 is an even better password than FluFFy. Another technique is to take a sentence that's easy to remember and use the first letter of each word to form a password, converting some words to numbers in the process. For example, the sentence "I eat fish for dinner every Friday" can become Ief4deF, a password that is extremely difficult to guess.
A policy that forces users to specify complex passwords like these is not as common as the other features discussed thus far. You can configure both Windows 2000 and Windows NT to require complex passwords, although in the case of Windows NT, you have to install the password filter module (PASSFILT.DLL) yourself. When you enable the Passwords Must Meet Complexity Requirements policy in the Security Policy Setting dialog box shown in Figure 13.5, the passwords that users supply for their accounts must meet the following criteria:
Figure 13.5 This Security Policy Setting dialog box controls the Passwords Must Meet Complexity Requirements policy
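A checker for the kind of complexity rule the policy enforces, as an added example for this page and not the Windows password filter itself. Because the criteria list is not reproduced above, the rules coded here are the PASSFILT.DLL rules as this editor knows them, with the account-name rule simplified to "the password must not contain the account name" (an assumption); the account_name parameter and the sample inputs, which reuse the passwords from the preceding paragraphs, are constructed.

```python
import re

# Rules of the Windows password filter (PASSFILT.DLL) as this editor knows them,
# not quoted from the page: at least 6 characters, no part of the account name,
# and characters from at least 3 of these 4 classes. The account-name rule is
# simplified here to "does not contain the account name" (an assumption).
CHARACTER_CLASSES = {
    "uppercase": re.compile(r"[A-Z]"),
    "lowercase": re.compile(r"[a-z]"),
    "digit": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def meets_complexity(password, account_name):
    """Return the list of violated rules; an empty list means the password passes."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than 6 characters")
    if len(account_name) >= 3 and account_name.lower() in password.lower():
        problems.append("contains the account name")
    present = [name for name, rx in CHARACTER_CLASSES.items() if rx.search(password)]
    if len(present) < 3:
        problems.append("only %d of 4 character classes" % len(present))
    return problems
```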
Most operating systems store user passwords in encrypted form so that a potential intruder can't discover them by using a disk-editing program to read the contents of the drive on which they are stored. The encryption algorithm used on the passwords in a Windows 2000 system is not reversible by default. However, if necessary, you can enable the Store Password Using Reversible Encryption For All Users In The Domain policy to use an encryption method that can be reversed to recover forgotten passwords.
Given a sufficient number of guesses, a motivated intruder can figure out any password. This is known as the brute force method. Most operating systems include an account lockout feature that prevents anyone from repeatedly trying to guess the password to a given account. In Windows 2000, there are three policies that control the lockout features, as shown in Figure 13.6.
Figure 13.6 The Account Lockout Policy security settings
The policies that control the lockout features are as follows:
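A model of how the three lockout settings work together against repeated guessing, as an added example for this page rather than Windows' own code. The three setting names are the Windows 2000 policy names as this editor knows them; the values and the logon sequences are constructed for the example.

```python
from datetime import datetime, timedelta

# The three Windows 2000 lockout policy names as this editor knows them;
# the values are constructed for this example.
ACCOUNT_LOCKOUT_THRESHOLD = 5                       # bad attempts before lockout
RESET_ACCOUNT_LOCKOUT_COUNTER_AFTER = timedelta(minutes=30)
ACCOUNT_LOCKOUT_DURATION = timedelta(minutes=30)

class LockoutTracker:
    def __init__(self):
        self.bad_count = 0
        self.last_bad = None
        self.locked_until = None

    def is_locked(self, now):
        return self.locked_until is not None and now < self.locked_until

    def record_attempt(self, correct, now):
        """Return 'ok', 'bad' or 'locked' for a logon attempt made at `now`."""
        if self.is_locked(now):
            return "locked"            # refused even if the password is right
        if correct:
            self.bad_count, self.last_bad = 0, None
            return "ok"
        # Reset the counter once the reset window since the last failure has passed.
        if self.last_bad is not None and now - self.last_bad >= RESET_ACCOUNT_LOCKOUT_COUNTER_AFTER:
            self.bad_count = 0
        self.bad_count, self.last_bad = self.bad_count + 1, now
        if self.bad_count >= ACCOUNT_LOCKOUT_THRESHOLD:
            self.locked_until = now + ACCOUNT_LOCKOUT_DURATION
            self.bad_count, self.last_bad = 0, None
            return "locked"
        return "bad"

def simulate():
    """Constructed sequence: five wrong guesses a second apart, then the right password."""
    t = LockoutTracker()
    start = datetime(2024, 1, 1, 9, 0)
    results = [t.record_attempt(False, start + timedelta(seconds=i)) for i in range(5)]
    results.append(t.record_attempt(True, start + timedelta(minutes=1)))   # still locked
    results.append(t.record_attempt(True, start + timedelta(minutes=35)))  # lockout elapsed
    return results

def simulate_reset():
    """Constructed sequence: four failures, then one more after the reset window."""
    t = LockoutTracker()
    start = datetime(2024, 1, 1, 9, 0)
    for i in range(4):
        t.record_attempt(False, start + timedelta(seconds=i))
    return t.record_attempt(False, start + timedelta(minutes=31))   # "bad", not "locked"
```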