Focus on Microsoft
RE: [despammed] Defeating password cracking Feb 19 2003 08:50PM
Levinson, Karl (LevinsonK STARS-SMI com) (1 replies)
Many of your tips do look like they could be effective.

If you haven't yet, I would want to test any new accounts and passwords that
you create to confirm whether you can use them in Recovery Console mode or
Directory Services Restore mode. My guess is if the characters don't work
in L0phtcrack or a SAM-cracking utility, they very well might not work in
these modes... and that could leave you with an irreparable server when a
server disaster strikes.

Also, in addition to the problem programs mentioned in the SecurityFocus
article #10, services like IIS and possibly Exchange may have problems
running if you use these special characters in the password or account name.
I will admit to once somehow creating an Exchange 5.5 email account with a
backslash in the account name and not being able to delete it from the
Exchange server. Not such a big problem since you shouldn't be using this
account for IIS or Exchange, but a potential problem if someone adds these
characters to other user account names or passwords.

As you already mentioned, naturally these measures wouldn't prevent someone
from undoing these changes that you've made by using a remote buffer
overflow exploit or local privilege escalation or a trojan or cracked
password from another administrator-equivalent account... or from using a
boot disk and physical access to the computer to view the files on the hard
drive.

Last, since you've pointed out these issues, it could be that the next rev
of l0phtcrack might deal with some or all of these characters correctly.
You'd think there would be a way for l0phtcrack to handle these characters
correctly, since if the SAM process can create the hash correctly, lc should
be able to as well.

-----Original Message-----
From: dave [mailto:dave (at) netmedic (dot) net]
Sent: Tuesday, February 18, 2003 2:36 PM
To: focus-ms (at) securityfocus (dot) com
Subject: [despammed] Defeating password cracking

Simple ways to defeat password recovery boot-disk and password crackers,
on NT/2000 machines.

I was bored and trying different characters that L0phtCrack and other
cracking programs could not detect. While doing so I discovered that by
using these same characters in user names you could prevent the Boot-disk
password changers from being able to change the Admin and other passwords.

[snip]

RE: [despammed] Defeating password cracking Feb 20 2003 12:18AM
dave (dave netmedic net)