MCSE Boot Training Camp  

Account Lockout and Password Concepts

Passwords are an important step in a security plan for your network. Users may see passwords as a nuisance; however, the security of your enterprise relies on a combination of password length, password uniqueness, and password lifespan. These three items help defend against dictionary attacks and brute force attacks. A dictionary attack occurs when a malicious user tries words that are in the dictionary, along with a number of common passwords, to guess a password. A brute force attack occurs when a malicious user tries all of the possible permutations until one is successful.

Because most users prefer passwords that they can easily remember, dictionary attacks are often an effective method for a malicious user to find a password in significantly less time than they would with brute force attacks. Therefore, the strength of a password depends on how many characters are in the password, how well the password is protected from being revealed by the owner, how well the password is protected if it is intercepted by a malicious user on the network, and how difficult the password is to guess. Even good passwords that are protected by cryptography on the network and that are not subject to dictionary attacks can be discovered by brute force in a few weeks or months by a malicious user who intercepts the password on the network.

Currently, several attack methods are based on guessing weak passwords by using dictionary and brute force attacks. For a few simple ways to help prevent these attacks, see "Protecting from External Lockout Denial of Service Attacks" in this document for ports to block and registry values that you can set to help prevent such attacks.

Frequently, a malicious user will guess a number of passwords during a password-based attack. To help prevent the attacks from being successful, you can configure account lockout settings. The result of this configuration is that the associated account is temporarily disabled after a specified number of incorrect passwords are tried. This helps to prevent a successful attack by preventing the account from being used. However, a legitimate user cannot use that account until it is unlocked. This paper discusses the balance between the benefits and risks of account lockout.

Understanding Password Complexity

A complex password that is enforced by the operating system is one of the most effective methods that you can use to deter the opportunity for a successful attack. When you configure both an expiration time and a minimum length for a password, you decrease the time in which a successful attack could occur. For example, when you enforce password complexity with a password length of 6 and set the password to expire in 60 days, a user can choose from a permutation of:
26 lowercase characters
26 uppercase characters
32 special characters
10 numbers

This means that:

26 + 26 + 32 + 10 = 94 possible characters in a password
Password length policy = 6
94^6 = 689,869,781,056 unique password permutations

With a 60-day password expiration time, the malicious user would have to make 133,076 password attempts every second to attempt all of the possible passwords during that password's limited lifetime. If it takes only 50 percent of the permutations to guess the password, a malicious user would have to attempt to log on to the computer about 66,538 (133,076 * .50) times every second to discover the password before it expires.

To decrease the chances that a malicious user has to discover the password, you can use a password length of 7. When you set the minimum password length to 7, the possible password permutations exceed 64 trillion (94^7 = 64,847,759,419,264). When you compare the calculations above that have a password length of 6 to the calculations below that have a password length of 7, you will notice that the malicious user would have to log on to the computer about 6,254,606 times for each second that the password is valid in the 60-day expiration time that you set.

The following list describes how increasing password length deters both dictionary and brute force attacks. Note that the examples in this list assume that you have applied a policy that requires users to create complex passwords. When you do this, there are 94 possible characters from which the users can choose their password.

6 characters: 94^6 = 689,869,781,056
7 characters: 94^7 = 64,847,759,419,264
8 characters: 94^8 = 6,095,689,385,410,816
9 characters: 94^9 = 572,994,802,228,616,704
10 characters: 94^10 = 53,861,511,409,489,970,176
 
Note:
  A few of these password possibilities are not valid. By default, users cannot choose any part of their user name for their password and they cannot use all of the same characters as a password. Because of this, these password possibilities must be deducted from the total number of possible passwords that are listed above. Because there are very few passwords that apply to these exceptions and because the number of passwords that do apply to these exceptions can vary (based on the number of letters that are in the user's logon name), this document does not account for these exceptions.

These statistics explain how difficult it is for a malicious user to discover a password when you require the users in your network to use a complex password. Because of this, Microsoft recommends that you enforce a complex password policy that requires users to choose passwords with a specific number of characters for the security needs of your organization. The "Password Policies Settings" section in this document describes the complex password policies and settings for Microsoft® Windows NT® Server 4.0, the Windows® 2000 family, and the Windows Server 2003 family of operating systems.

Microsoft recommends that you use the account lockout feature to help deter malicious users and some types of automated attacks from discovering user passwords. The following section provides more information about how you can use the account lockout feature.
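
The arithmetic from "Understanding Password Complexity", combined with a simple lockout model, as an added example that is not part of the original paper. The lockout threshold of 5 and the 30-minute automatic unlock are assumed sample values, and the lockout model itself is a simplification. Note that the 6,254,606 figure quoted for 7 characters corresponds to trying 50 percent of the permutations.

```python
# Added example: keyspace and guess-rate arithmetic from the text, plus an
# assumed lockout model. Lockout values are constructed, not from the paper.
SECONDS_PER_DAY = 86_400
CHARSET = 26 + 26 + 32 + 10   # lowercase + uppercase + special + digits = 94


def keyspace(length, charset=CHARSET):
    """Number of distinct passwords of exactly `length` characters."""
    return charset ** length


def required_rate(length, max_age_days, percent=100):
    """Whole guesses per second needed to try `percent` of the keyspace
    before a password of this length expires."""
    lifetime_s = max_age_days * SECONDS_PER_DAY
    return keyspace(length) * percent // (100 * lifetime_s)


def lockout_budget(threshold, lockout_minutes, max_age_days):
    """Upper bound on online guesses against one account during the password
    lifetime. Hypothetical model: the account locks after `threshold` bad
    passwords and unlocks automatically after `lockout_minutes`."""
    lifetime_min = max_age_days * 24 * 60
    bursts = lifetime_min // lockout_minutes + 1   # first burst at t = 0
    return threshold * bursts


def report(max_age_days=60, threshold=5, lockout_minutes=30):
    """Per-length rows: (length, keyspace, rate for 100%, rate for 50%,
    fraction of the keyspace reachable online under the lockout policy)."""
    budget = lockout_budget(threshold, lockout_minutes, max_age_days)
    rows = []
    for length in range(6, 11):
        space = keyspace(length)
        rows.append((length, space,
                     required_rate(length, max_age_days),
                     required_rate(length, max_age_days, percent=50),
                     budget / space))
    return budget, rows


if __name__ == "__main__":
    budget, rows = report()
    print(f"online guesses permitted by lockout in 60 days: {budget:,}")
    for length, space, full, half, covered in rows:
        print(f"{length:>2} chars {space:>30,} {full:>20,}/s "
              f"{half:>20,}/s  reachable={covered:.2e}")
```

With lockout in place, the online guess budget is fixed by the policy rather than by the attacker's speed, so only a minute fraction of even the 6-character keyspace is reachable before the password expires.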

Authentication

Authentication is the process of validating a user name and password on a domain controller for:
The initial logon to either a workstation or domain that uses the CTRL+ALT+DELETE secure logon sequence.
An attempt to unlock a locked workstation by using the CTRL+ALT+DELETE secure logon sequence.
An attempt to type a password for a password-protected screen saver.
A user, script, program, or service that attempts to connect to a network resource by using either a mapped drive or a Universal Naming Convention (UNC) path.
 
 
  An account that is locked out may still be able to gain access to some resources if the user has a valid Kerberos ticket to the resource. The ability to access the resource ends when the Kerberos ticket expires. However, neither a user who is locked out nor a computer account can renew the ticket. Kerberos cannot grant a new ticket to the resource because the account is locked out.

There are two primary authentication protocols used by Windows: NTLM and Kerberos. This paper assumes you are familiar with these authentication protocols and does not focus on authentication details. Instead, the focus is placed on how authentication plays a role in account lockout. For more information about authentication protocols, see online help in Windows XP and the Windows Server 2003 family.

MCSE : Security Specialist

OS Fundamentals part 1

1.1 Identify the operating system’s functions, structure, and major system files to navigate the operating system and how to get to needed technical information.

Major Operating System functions
Create folders: In Explorer, click the drive or folder in which you want to create the new folder, open the File menu, click New, and then click Folder.

Checking OS Version

Windows 3.x or Windows NT 3.51

  • From Program Manager, click Help and then About to get the version, or from DOS type winver.

Windows 95/98/ME/2000/CE

  • Control Panel / System, on the General tab. Or right-click the My Computer icon, or from a DOS prompt type ver.

Windows NT 4.0

  • You need Administrator or Power User rights. Administrative Tools / Windows NT Diagnostics, under the Version tab. This tells you the version of NT and which service pack is installed.

Major Operating System components

    Explorer.exe is the default shell of Windows, just as command.com is the shell of DOS. Explorer controls all direct interaction between the user and Windows. It determines what you see on the screen and what you use to work with it. The desktop, My Computer, the Start menu, and the Windows Explorer file manager are all part of Explorer.

    My Computer. When you double-click the icon, you can access drives, printers, and other system folders from here. Also, by right-clicking a drive icon in My Computer, you can access Sharing (if file and print sharing is enabled), where you can set security for that drive.

    If you right-click the My Computer icon on the desktop and select Properties, you can access version info, the device manager, hardware manager, and system performance settings.

    Control Panel

     

    • Accessibility Options. You can adjust keyboard, sound, display, mouse, and other settings to make the computer easier to use for people with disabilities.
    • Add New Hardware. Use this wizard to configure newly installed hardware through auto detection or by selecting the corresponding driver from a list. 
    • Add/Remove Programs. You can install/uninstall programs from here. Add components from the Windows setup disks, or create a new startup disk. 
    • Display. Change background and screen saver choices. Modify settings for on-screen fonts, colors, color palette, and so on.
    • Fonts. View installed fonts or install new fonts.
    • Passwords. Change Passwords, security options, enable/disable remote administration.
    • Keyboard. Change options for the style of keyboard you use and for the rate at which the characters you type are displayed.
    • Modems. Add a new modem. Also use this tool to configure or diagnose installed modems. 
    • Mouse. Change mouse or pointer options. 
    • Multimedia. Change options for audio playback and recording, MIDI output and schemes, and CD playback volume. Use the Advanced properties to install or configure multimedia hardware, drivers, and codecs. 
    • Printers. Add a new printer or configure existing printers. 
    • Sound. Create or modify sound events for windows.
    • Network Settings. Configures network hardware/software
    • Regional Setting. Change how numbers, dates, currency, and time are displayed
    • System. Information about hardware on your computer.

    Our MCSE 2003: Security+ Program:

    • Allows you to achieve your certifications in a fraction of the time of 'traditional training' while delivering industry-leading exam passing percentages
    • Helps students grasp complex technical concepts more easily by identifying and catering to individual student learning styles through a mixed visual, auditory and kinesthetic-tactual delivery system
    • Enhances retention by employing accelerated learning techniques focused on committing information to long-term memory

     


    © Vibrant Worldwide Inc.