February 21, 2006 12:00 AM

Prevent Password Cracking

10 things you can do
Windows IT Pro
InstantDoc ID #49231

Many security "experts" are running around these days mumbling about rainbow tables and telling us how they can crack any Windows password in 2 seconds. "Windows security sucks!" they say. Well, I'm here to tell you that if you take 10 steps to increase password security, would-be intruders can crack all day, but they won't get your Windows logon passwords.

Before you take any action, however, it's a good idea to become familiar with password authentication mechanics and to learn what types of password attacks are in use today. That way, you'll know not only how to protect yourself but also what you're protecting yourself from.

Password Authentication
Although Windows uses many types of authentication credentials (e.g., the Credential Manager cache, trusts, Local Security Authority—LSA—secrets), the 10 tips I provide are specifically for Windows logon passwords. Nevertheless, the lessons learned here often apply to other forms of authentication (e.g., smart cards, biometrics) and other types of authentication credentials.

For users to be authenticated for logon, they must supply their unique network logon identity (i.e., logon name) and password. By supplying a password that only he or she supposedly knows, the user proves ownership of the identity and can request access to protected resources. When a user first sets a password, it's stored in a password credential database. In Windows, there are only two authentication databases: the SAM and Active Directory (AD). The SAM database is used for local logons and for logons to Windows NT domains. The AD database is used for logons to Windows 2000 and later domains.

When the user inputs his or her password, the Windows logon processes (e.g., winlogon.exe, msgina.dll) convert the plaintext password to its password hash equivalent. A good password hash outputs a unique, consistent value for a given password. No two passwords should result in the same output hash. A good password hash also makes converting from the hash back to the original plaintext non-trivial for someone who doesn't know the original password.

Some password hashes, but not Windows', add a random seed value, called a salt, to the hash to ensure that no two passwords produce the same hash. Salting strengthens any password hash and requires additional computations to crack the password, so it's unfortunate that Windows doesn't use a salt.

Windows Password Hashes
The SAM and AD store passwords in their hashed form under the assumption that if the database is compromised, the passwords won't be immediately compromised as well. Fully patched versions of Windows 98 and later OSs are capable of two types of password hashes: LAN Manager (LM) and NT. The LM password hash was invented by IBM and first used by Microsoft more than a decade ago. The LM hash turned out to be a very weak hash algorithm and is easy to compromise. Any skillful password hacker can convert an LM password hash to its plaintext original in seconds.

Microsoft subsequently created the NT hash for NT. Although not uncrackable, the NT hash is significantly more difficult to crack than the LM hash. If a password is sufficiently long and complex (more on that later), a hacker can require days or months to convert the NT hash to its plaintext original. Unfortunately, NT and later versions of Windows by default store both hash values for every password. The simple step of disabling the storage of LM hashes significantly increases your network's password security.

Authentication Protocols
Win2K and later can use four authentication protocols: LAN Manager, NTLM, NTLMv2, and Kerberos. LAN Manager was the original protocol, and if LAN Manager authentication traffic is sniffed off the network, compromising the password is trivial. Microsoft released the NTLM protocol with NT, but that protocol was later found to contain flaws. Microsoft then developed NTLMv2 for Win2K. That version has withstood the test of time and has been ported back to NT and Windows 9x. Password crackers can't easily break NTLMv2 traffic. Win2K and later domain logons use the Kerberos protocol, which uses the NT hash and is fairly secure.

LAN Manager, NTLM, and NTLMv2 use challenge-response authentication. When users or computers submit credentials for verification, they don't send the password or its hash to the authentication service (i.e., SAM or AD). Instead, the server generates a random value, called the challenge, and sends it to the client. The client mathematically manipulates the challenge, using the password hash as a constant, and returns the result, called the response. The server does the same calculation on the challenge and, when that calculation matches the client's response, authenticates the client.
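
The exchange described above, as an added example that is not part of the original article or of any Microsoft code: a server that stores only hashes issues a random challenge, the client answers with a function of the challenge keyed by its password hash, and the server repeats the computation. The hash (SHA-256) and response function (HMAC-SHA256) are stand-ins chosen so the script runs offline; the actual LM, NTLM and NTLMv2 computations differ and are not reproduced. Account names and passwords are constructed.

```python
"""Added example (not code from the article or from Microsoft).

A challenge-response logon of the shape the article describes.  The hash
function (SHA-256) and the response function (HMAC-SHA256) are stand-ins; the
real LM, NTLM and NTLMv2 computations are different.  Accounts are constructed.
"""
import hashlib
import hmac
import os


def password_hash(password: str) -> bytes:
    """Stand-in for the stored, unsalted credential hash."""
    return hashlib.sha256(password.encode("utf-8")).digest()


def response(key: bytes, challenge: bytes) -> bytes:
    """Both sides run this; only a holder of the hash can produce the right value."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


class Server:
    def __init__(self, accounts: dict):
        self.hashes = {u: password_hash(p) for u, p in accounts.items()}  # never the plaintext
        self.pending = {}  # user -> outstanding challenge

    def issue_challenge(self, user: str) -> bytes:
        challenge = os.urandom(16)  # fresh and unpredictable for every logon attempt
        self.pending[user] = challenge
        return challenge

    def verify(self, user: str, resp: bytes) -> bool:
        challenge = self.pending.pop(user, None)  # a challenge is consumed once
        if challenge is None or user not in self.hashes:
            return False
        return hmac.compare_digest(response(self.hashes[user], challenge), resp)


class Client:
    def __init__(self, user: str, password: str):
        self.user = user
        self.key = password_hash(password)  # the hash, not the password, is what answers

    def respond(self, challenge: bytes) -> bytes:
        return response(self.key, challenge)


def logon(server: Server, client: Client) -> bool:
    """One full exchange: challenge out, response back, verdict."""
    challenge = server.issue_challenge(client.user)
    return server.verify(client.user, client.respond(challenge))


def replayed_response_rejected(server: Server, client: Client) -> bool:
    """A response captured from one logon is worthless against the next challenge."""
    first = server.issue_challenge(client.user)
    captured = client.respond(first)
    server.verify(client.user, captured)  # the genuine logon consumes the challenge
    server.issue_challenge(client.user)   # next attempt gets a new random challenge
    return not server.verify(client.user, captured)


if __name__ == "__main__":
    srv = Server({"alice": "Summer2006"})
    print(logon(srv, Client("alice", "Summer2006")))
    print(replayed_response_rejected(srv, Client("alice", "Summer2006")))
```

Two things to notice. The client object never needs the plaintext: the stored hash alone answers the challenge, which is why a compromised SAM or AD database matters even though it holds no passwords. And a random, single-use challenge is what makes a captured response useless later; the strength of the response function itself is what separates LAN Manager, which the article says is trivial to break from sniffed traffic, from NTLMv2.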

Kerberos uses an entirely different form of authentication based on preauthentication packet exchange. In that process, the Windows logon process converts the user's password to a secret key that's used to encrypt a timestamp, which is then sent to the server. Kerberos uses the timestamp to prevent replay attacks.
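
The preauthentication step described above, as an added example that is not code from the article or from Microsoft: the client derives a key from its password, encrypts the current time with it, and the KDC decrypts, checks that the time is fresh, and refuses the same encrypted message twice. Every cryptographic primitive here is a stand-in so the script runs on the standard library alone: key derivation is PBKDF2-HMAC-SHA256 and the "encryption" is a toy HMAC-SHA256 keystream XOR with an HMAC tag. Real Kerberos string-to-key functions, encryption types, message formats and the realm, user and password used are not reproduced; all of them are constructed for illustration.

```python
"""Added example (not code from the article or from Microsoft).

Timestamp pre-authentication reduced to its moving parts.  Key derivation
(PBKDF2-HMAC-SHA256) and the toy authenticated encryption (HMAC-SHA256
keystream XOR plus an HMAC tag) are stand-ins; real Kerberos string-to-key
functions, encryption types and message formats are not reproduced.  Realm,
principal and password are constructed sample data.
"""
import hashlib
import hmac
import os
import struct
import time

MAX_SKEW = 300  # seconds; Kerberos implementations commonly tolerate 5 minutes


def derive_key(password: str, salt: str) -> bytes:
    """Stand-in string-to-key; as in Kerberos, the salt is realm plus principal."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt.encode("utf-8"), 50_000)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Toy authenticated encryption: nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes):
    """Returns the plaintext, or None when the tag fails (wrong key or tampering)."""
    if len(blob) < 48:
        return None
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def client_preauth(user: str, password: str, realm: str, now: float = None) -> bytes:
    """What the logon process sends: the current time encrypted under the password-derived key."""
    ts = int(time.time() if now is None else now)
    return seal(derive_key(password, realm + user), struct.pack(">Q", ts))


class KDC:
    def __init__(self, accounts: dict, realm: str):
        self.keys = {u: derive_key(p, realm + u) for u, p in accounts.items()}
        self.replay_cache = {}  # sha256(blob) -> time after which the entry may be dropped

    def preauth(self, user: str, blob: bytes, now: float = None) -> bool:
        now = time.time() if now is None else now
        key = self.keys.get(user)
        if key is None:
            return False
        plaintext = unseal(key, blob)
        if plaintext is None or len(plaintext) != 8:
            return False  # wrong password or altered message
        (ts,) = struct.unpack(">Q", plaintext)
        if abs(now - ts) > MAX_SKEW:
            return False  # stale (or far-future) timestamp
        # Entries only need to live as long as the skew window; purge the rest.
        self.replay_cache = {h: exp for h, exp in self.replay_cache.items() if exp > now}
        digest = hashlib.sha256(blob).digest()
        if digest in self.replay_cache:
            return False  # identical message already accepted within the window
        self.replay_cache[digest] = now + MAX_SKEW
        return True


if __name__ == "__main__":
    kdc = KDC({"alice": "Summer2006"}, "EXAMPLE.COM")
    msg = client_preauth("alice", "Summer2006", "EXAMPLE.COM")
    print(kdc.preauth("alice", msg), kdc.preauth("alice", msg))  # True False
```

The timestamp bounds the replay problem: the KDC only has to remember messages for the length of the skew window, and anything older is rejected outright. The same check is why Kerberos logons fail when a client's clock drifts further than the permitted skew from the domain controller's.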

The authentication protocol determines the mathematical routine that the client and server use during the challenge-response process. Win2K and later computers must use Kerberos and at least one other authentication protocol. As with password hashes, all authentication protocols are turned on by default. When a client connects to a server, the server and client can negotiate which authentication protocol they'll use. An attacker can force Windows to use the weak LAN Manager or NTLM protocol unless it's disabled. (To learn what tools and techniques password attackers use, see the Web-exclusive sidebar, "Types of Password Attacks," http://www.windowsitpro.com, InstantDoc ID 49232.)
