Hi Folks
I am not sure if Lance used L0pht tool to crack the traffic over the
network. If it is so, Lance can set the level encryption over his network by
setting the types of challenge-response authentication. You can go to the KB
article Q147706.
BTW, if Lance was cracking the passwords from the SAM. Lance can enable
SYSKEY protection.
Finally, taking the opinion of Ben, you can set to your NT server to force
the users to write "complex passwords", you can download the tool passprop.
Over Windows 2000, you only need set your Local Security Police to
"complicate password".
If you want to be sure about me, go to
http://www.microsoft.com/technet/security/mbrsrvcl.asp
Merry Christmas!
Guzheng
>
>Hi Lance,
>
>The Kerberos stuff is only a replacement for the venerable NTLM and even
>more venerable Lanmanager. It is my impression that the SAM was still
>stored
>in the same hashing manner in Win2K unless you use the strong encryption
>option for the entire SAM (which is a pain). But remember, ANY hashing
>algorithm is vulnerable to a guessing attack - l0phtcrack would work just
>as
>well attacking SHA-1 passwords as MD4 or MD5. The only time delta would be
>the speed of the encryption.
>
>In any case, Kerberos is vulnerable to password guessing attacks as well -
>take a look at the protocol. Kerberos does many good things, but removing
>the need to use strong passwords is NOT one of them.
>
>I initially had a hard time believing that L0phtcrack broke that password,
>but when you do the numbers (as Chris did) it's obviously well within the
>realms of possibility for a modern box.
>
>My "secure" NT password philosophy still madates at least 14 characters
>with
>some non-alphanums.
>
>Obscure Gem: Under NT you can use non-printable / typable characters in
>your
>passwords. You enter then with ALT+[NUM]. I'm not even sure L0phtcrack has
>an option to try those, does it?
>
>Cheers,
>
>--
>Ben Nagy
>Marconi Services
>Network Integration Specialist
>Mb: +61 414 411 520 PGP Key ID: 0x1A86E304
>
> > -----Original Message-----
> > From: Lance Ecklesdafer [mailto:[EMAIL PROTECTED]]
> > Sent: Thursday, 21 December 2000 4:37
> > To: Carl Ma; [EMAIL PROTECTED]
> > Subject: Re: NT password encryption & name service
> >
> >
> > Precisely why you should run Windows 2000 networks in native
> > mode and use
> > Kerberos V5 as the preferred authentication method. The mixed
> > mode operation
> > of this DC (In Windows 2000 there is no PDC or BDC .. all
> > controllers are
> > equal peers). You cannot run a Windows 2000 domain in native
> > mode untill ALL
> > domain controllers are converted to Windows 2000. The clients
> > will all have
> > to be able to do Kerberos authentication as well. The Windows 2000
> > Professional Workstation software uses Kerberos V5 in a
> > Wndows 2000 native
> > mode domain. As long as you are running Windows NT 4.0
> > servers as domian
> > controllers on Windows 2000 domains, you have to run in mixed
> > mode. The
> > mixed mode operation of Windows 2000 domain has the same
> > security weakness
> > of the NTLM authentication method. If this were native mode
> > Windows 2000
> > ( I am assuming that it is not) the cracking attempt would
> > have been much
> > less successful.
> >
> > Lance
> > ----- Original Message -----
> > From: "Carl Ma" <[EMAIL PROTECTED]>
> > To: <[EMAIL PROTECTED]>
> > Sent: Wednesday, December 20, 2000 12:00 PM
> > Subject: NT password encryption & name service
> >
> >
> > > Hello all,
> > >
> > > After running password cracking program on our W2000 PDC server, 98%
> > passwords
> > > are cracked out, even some very complicate passwords like -
> > X1#!h0a_.
> > >
> > > Is it attribute to the W2000 encryption method? I would
> > like to persuade
> > my boss
> > > using LDAP as name service. Appreciate any information &
> > idea! I will
> > summarize.
> > >
> > > Thanks & Merry Christmas!
> > >
> > > carl
> > >
> > > -
> > > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > > "unsubscribe firewalls" in the body of the message.]
> > >
> >
> >
> > -
> > [To unsubscribe, send mail to [EMAIL PROTECTED] with
> > "unsubscribe firewalls" in the body of the message.]
> >
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
_________________________________________________________________________
Get Your Private, Free E-mail from MSN Hotmail at http://www.hotmail.com.
-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
