Ok, just my 2c
I agree with the flick the BIC analogy..
However.. I constantly talk to clients who complain that their users can
barely log in to the Windows domain. As Boris pointed out, complex passwords
= decent front-end security. Unrealistic for Joe Bloshmo sales rep. He will
always use easy-to-guess passwords, given the opportunity to choose them on
his own.. assign difficult-to-guess passwords to him, and he will write them
down. Extending an authentication system that has repeatedly demonstrated
serious security flaws, such as Windows NT authentication (which is the
knee-jerk reaction solution from most MIS LAN folk.. but it sure is
convenient!).. This scenario can be improved. Strong authentication, such as
Security Dynamics SecurID, solves a lot of the Windows password issues...
Granted, it is not the silver bullet, but it at least establishes a level of
non-repudiation that can be applied throughout an organization... there are
many ways to improve the identification/authorization components within a
network.
blahblahblah!
Frank
-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]
Sent: Sunday, June 13, 1999 1:16 AM
To: [EMAIL PROTECTED]
Subject: RE: Why not NT?
Really... brute forcing over the network makes as much sense as baking your
cake with a lighter. Did you ever think about how many possible combinations
you have if your password is somewhere around 13 chars long and contains
characters, numbers, and special chars?
C'mon ... if you want to talk off-topic stuff here about NT then at least
make correct statements.
You can NOT disable the built-in Administrator account. You certainly can
rename it though. Maybe you should just get familiar with the NT security
concept and its implementation. Also VMS has and had its security issues...
and well... I don't think it would be very cool if the system account was
locked out... especially as you can't set a password for it in NT... hmmmm... I
guess resetting an account that has no password is pretty complicated.
Maybe you didn't observe that NT will wait for some seconds if you type in
your password repeatedly wrong (after 3 times in my case). If there are
10,000,000 possible passwords... and NT would, let's say, wait for 10 seconds
after every third authentication ... that would result in quite some time
that the brute forcing would take... and to be honest... I'm too lazy to type in
50 passwords even if I know that one of them is the right one.
Brute forcing over the network requires even higher efforts and the chances
are far smaller if you set your servers up according to the MS security
guidelines (disable LanMan stuff, setting permissions on registry keys and all
the other fun...)
NT is fine and dandy... but obviously not the best platform for all computing
needs... but I agree to a certain extent with some of the voices out there
that stated that the admin's skills count more than the OS itself...
Cheers
Boris Pavalec [QPB]
Network / System Engineer [MCSE]
Highend Computing Systems
Switzerland - Zuerich
http://www.nt-admin.net
[EMAIL PROTECTED]
-----Original Message-----
From: steele.b [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 12 June 1999 00:59
To: firewalls
Cc: steele.b
Subject: UNAUTHENTICATED: Re: RE: Why not NT?
>This is not a security bug... this is by design... else an attacker could
>simply go through every account and type in 4 or 6 wrong passwords and you
>probably wouldn't be able to log on to your NT systems even if you had the
>right password.
IMO, this is one thing that I DON'T like about NT. You're basically
substituting one security problem for another. By NOT allowing the
Administrator account to be locked out, an NT box is open to a brute-force
password attack against that account. Of course many admins get around this
problem by simply disabling the Administrator account and using another
account for administration tasks.
VMS tackles this problem quite cleverly, I think. Not only does it lock out
accounts (including the SYSTEM account - except if the logon is taking place
on the operator console), but it will lock out the remote device if many
invalid login attempts start to originate from that device.
Brian Steele
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
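To put numbers on the exchange above (Boris's "wait 10 seconds after every third failure" arithmetic, and Brian's point that account lockout trades a brute-force problem for a denial-of-service problem), here is a small Python model added to this page. It is not code posted by Boris, Brian or Frank. It reuses the figures the thread gives (10,000,000 candidate passwords, a 10-second pause after every third failure) and assumes the rest: a 95-symbol printable alphabet, 10 ms per network guess, the lockout thresholds and durations, and the account and source names.

```python
"""Online guessing throughput versus lockout policy.

Added illustration for this thread, not code from any of the posters.
Figures taken from the thread: 10,000,000 candidate passwords, a 10-second
pause after every third failure. Assumed here: a 95-symbol printable
alphabet, 10 ms per network guess, the lockout thresholds and durations,
and the account and source names."""

from dataclasses import dataclass, field

PRINTABLE = 95  # assumed alphabet: printable ASCII letters, digits, punctuation


def keyspace(length: int, alphabet: int = PRINTABLE) -> int:
    """Number of candidate passwords of exactly `length` symbols."""
    return alphabet ** length


def seconds_for_guesses(guesses: int, threshold: int = 3,
                        delay_s: float = 10.0, attempt_s: float = 0.01) -> float:
    """Wall-clock seconds to submit `guesses` attempts against one account when
    every `threshold`-th failure costs an extra `delay_s` pause (the NT
    behaviour Boris describes) and each attempt itself takes `attempt_s`."""
    pauses = guesses // threshold
    return guesses * attempt_s + pauses * delay_s


def expected_seconds(space: int, **policy) -> float:
    """A blind guesser expects to succeed after trying half the keyspace."""
    return seconds_for_guesses(space // 2, **policy)


@dataclass
class AuthGuard:
    """Failed-logon bookkeeping for a domain.

    Account lockout alone answers the brute-force worry but hands an attacker
    a denial of service: N bad guesses and the rightful user is locked out
    too. A per-source lockout (what Brian describes VMS doing) cuts the
    guessing source off before the account threshold is reached, so the
    user still gets in. Accounts in `exempt` never lock, mirroring NT's
    built-in Administrator."""
    account_threshold: int = 5
    account_lockout_s: float = 30 * 60
    source_threshold: int = 10
    source_lockout_s: float = 60 * 60
    exempt: frozenset = frozenset()
    _acct_fail: dict = field(default_factory=dict)
    _acct_until: dict = field(default_factory=dict)
    _src_fail: dict = field(default_factory=dict)
    _src_until: dict = field(default_factory=dict)

    def attempt(self, now: float, account: str, source: str, password_ok: bool) -> str:
        """Return 'ok', 'fail', 'account_locked' or 'source_locked'.
        The password is only evaluated when neither lock is in force."""
        if self._src_until.get(source, 0.0) > now:
            return "source_locked"
        if self._acct_until.get(account, 0.0) > now:
            return "account_locked"
        if password_ok:
            self._acct_fail[account] = 0
            return "ok"
        self._acct_fail[account] = self._acct_fail.get(account, 0) + 1
        self._src_fail[source] = self._src_fail.get(source, 0) + 1
        if account not in self.exempt and self._acct_fail[account] >= self.account_threshold:
            self._acct_until[account] = now + self.account_lockout_s
            self._acct_fail[account] = 0
        if self._src_fail[source] >= self.source_threshold:
            self._src_until[source] = now + self.source_lockout_s
            self._src_fail[source] = 0
        return "fail"


def guesses_evaluated(guard: AuthGuard, account: str, source: str, n: int) -> int:
    """How many of `n` wrong guesses from one source (one per second, a
    constructed timeline) the guard actually checks against the password."""
    return sum(guard.attempt(float(t), account, source, False) == "fail"
               for t in range(n))


def user_after_attack(guard: AuthGuard, account: str = "alice",
                      attacker: str = "10.0.0.9", user: str = "10.0.0.2") -> str:
    """Attacker sends `account_threshold` wrong passwords, then the real user
    logs in with the right one. Returns what the real user sees."""
    for t in range(guard.account_threshold):
        guard.attempt(float(t), account, attacker, False)
    return guard.attempt(float(guard.account_threshold) + 1.0, account, user, True)


if __name__ == "__main__":
    print(f"13 printable chars: {keyspace(13):.2e} candidates, "
          f"{expected_seconds(keyspace(13)) / 86400 / 365:.2e} years expected")
    print(f"Boris's 10,000,000: {expected_seconds(10_000_000) / 86400:.0f} days expected")
    print("account lockout only:", user_after_attack(AuthGuard()))
    print("plus per-source lockout:", user_after_attack(AuthGuard(source_threshold=3)))
    admin_guard = AuthGuard(exempt=frozenset({"Administrator"}), source_threshold=10**9)
    print("exempt Administrator, no source lockout:",
          guesses_evaluated(admin_guard, "Administrator", "10.0.0.9", 100))
```

Run stand-alone, it prints the expected time against a 13-character printable password and against Boris's 10,000,000-candidate space (roughly 193 days even with only a 10-second pause per three failures), then shows that account-only lockout leaves the rightful user seeing `account_locked` after five bad guesses from an attacker, while adding a per-source lockout lets the user in; an exempt account like NT's Administrator can be guessed at without limit unless the source itself is cut off.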