MCSE Boot Training Camp
Account Lockout and Password Concepts
Passwords are an important step in a security plan
for your network. Users may see passwords as a
nuisance; however, the security of your enterprise
relies on a combination of password length, password
uniqueness, and password lifespan. These three items
help defend against dictionary attacks and brute
force attacks. A dictionary attack occurs when a
malicious user tries known words that are in the
dictionary and a number of common password names to
try and guess a password. A brute force attack
occurs when a malicious user tries all of the
possible permutations until one is successful.
Because most users prefer passwords that they can
easily remember, dictionary attacks are often an
effective method for a malicious user to find a
password in significantly less time than they would
with brute force attacks. Therefore, the strength of
a password depends on how many characters are in the
password, how well the password is protected from
being revealed by the owner, how well the password
is protected if it is intercepted by a malicious
user on the network, and how difficult the password
is to guess. Even good passwords that are protected
by cryptography on the network and that are not
subject to dictionary attacks can be discovered by
brute force in a few weeks or months by a malicious
user who intercepts the password on the network.
Currently, several attack methods are based on
guessing weak passwords by using dictionary and
brute force attacks. For a few simple ways to help
prevent these attacks, see "Protecting from External
Lockout Denial of Service Attacks" in this document
for ports to block and registry values that you can
set to help prevent such attacks.
Frequently, a malicious user will guess a number
of passwords during a password-based attack. To help
prevent the attacks from being successful, you can
configure account lockout settings. The result of
this configuration is that the associated account is
temporarily disabled after a specified number of
incorrect passwords are tried. This helps to prevent
a successful attack by preventing the account from
being used. However, a legitimate user cannot use
that account until it is unlocked. This paper
discusses the balance between the benefits and risks
of account lockout. Understanding Password Complexity
A complex password that is enforced by the operating
system is one of the most effective methods that you
can use to deter the opportunity for a successful
attack. When you configure both an expiration time
and a minimum length for a password, you decrease
the time in which a successful attack could occur.
For example, when you enforce password complexity
with a password length of 6 and set the password to
expire in 60 days, a user can choose from a
permutation of:
| • |
26 lowercase characters |
| • |
26 uppercase characters |
| • |
32 special characters |
| • |
10 numbers |
This means that:
| • |
26 + 26 + 32 + 10 = 94
possible characters in a password |
| • |
Password length policy
= 6 |
| • |
946
= 689,869,781,056 unique password
permutations |
With a 60-day password expiration time, the
malicious user would have to make 133,076 password
attempts every second to attempt all of the possible
passwords during that password's limited lifetime.
If it takes only 50 percent of the permutations to
guess the password, a malicious user would have to
attempt to log on to the computer about 66,538
(133,076 * .50) times every second to discover the
password before it expires.
To decrease the chances that a malicious user has
to discover the password, you can use a password
length of 7. When you set the minimum password
length to 7, the possible password permutations
exceed 64 trillion (947= 64,847,759,419,264). When
you compare the calculations above that have a
password length of 6 to the calculations below that
have a password length of 7, you will notice that
the malicious user would have to log on to the
computer about 6,254,606 times for each second that
the password is valid in the 60-day expiration time
that you set.
The following list describes how increasing
password length deters both dictionary and brute
force attacks. Note that the examples that are in
this list assume that you are have applied a policy
that requires users to create complex passwords.
When you do this, there are 94 possible characters
from which the users can choose their password.
| • |
6 characters: 9466
= 689,869,781,056 |
| • |
7 characters: 9477
= 64,847,759,419,264 |
| • |
8 characters: 9488
= 6,095,689,385,410,816 |
| • |
9 characters: 9499
= 572,994,802,228,616,704 |
| • |
10 characters: 941010
= 53,861,511,409,489,970,176 |
These statistics explain how difficult it is for
a malicious user to discover a password when you
require the users in your network to use a complex
password. Because of this, Microsoft recommends that
you enforce a complex password policy that requires
users to choose passwords with a specific number of
characters for the security needs of your
organization. The "Password Policies Settings"
section in this document describes the complex
password policies and settings for Microsoft®
Windows NT® Server 4.0, the Windows® 2000 family,
and the Windows Server 2003 family of operating
systems.
Microsoft recommends that you use the account
lockout feature to help deter malicious users and
some types of automated attacks from discovering
user passwords. The following section provides more
information about how you can use the account
lockout feature. Authentication
Authentication is the process of validating a user
name and password on a domain controller for:
| • |
The initial logon to
either a workstation or domain that uses the
CTRL+ALT+DELETE secure logon sequence. |
| • |
An attempt to unlock a
locked workstation by using the
CTRL+ALT+DELETE secure logon sequence. |
| • |
An attempt to type a
password for a password-protected screen
saver. |
| • |
A user, script,
program, or service that attempts to connect
to a network resource by using either a
mapped drive or a Universal Naming
Convention (UNC) path. |
There are two primary authentication protocols
used by Windows: NTLM and Kerberos. This paper
assumes you are familiar with these authentication
protocols and does not focus on authentication
details. Instead, the focus is placed on how
authentication plays a role in account lockout. For
more information about authentication protocols, see
online help in Windows XP and the Windows
Server 2003 family.
|
Vibrant
CCNP Boot camp
offers Payless MCSE boot camp, Payless MCSE training boot camp,
Payless MCSE certification boot camp, Payless MCSE Cisco Boot camp,
Payless MCSE Certification training boot camp. Payless MCSE Training
certification boot camp, Payless MCSE Boot Training Camp, Payless
MCSE boot certification camp, Payless MCSE UK Boot camp, Payless
MCSE san Mateo Boot camp, Payless MCSE Japan boot camp, Payless MCSE
USA Boot camp, Payless MCSE Europe Boot camp, Payless MCSE
guaranteed boot camp.
- Do you want to
become Real MCSE, CCNA or CCNP certified?
- Do you want to
Payless for certification?
- Do you want to
finish in 2/3 weeks?
|
