Account Passwords and Policies in Windows Server 2003
Published: August 26, 2003
Please note: Portions of this transcript have been edited for clarity
Hosts:
- John Buscher (Moderator), MVP Lead
- Jen Bayer, Technical Writer on the Windows Server Security team.
- John Coates, Lead writer for the Windows Server security documentation team
- Mike Resnick, Technical Lead at Microsoft
- Mike Danseglio, Technical Writer in the Windows Server Security group.
This discussion is about the Account Passwords and Policies in Windows Server 2003 White Paper.
Here's a link to that White Paper: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
This chat and the white paper talk about a bundling of tools called Altools.
Here is the link to the Altools.exe on the web.
http://www.microsoft.com/downloads/details.aspx?FamilyId=7AF2E69C-91F3-4E63-8629-B999ADDE0B9E&displaylang=en
Moderator: John (Microsoft)
Welcome to today's chat on Account Passwords and Security Policies in Windows Server 2003. We have a great line-up of hosts ready to take your questions. Let's take a moment and introduce them.
Host: Mike (Microsoft)
Hi, I'm Mike. I'm a Technical Writer in the Windows Server Security group. I wrote part of this paper and write topics on cryptography, PKI, and general security.
Host: Mike_Resnick (Microsoft)
Hi, my name is Mike Resnick, a Technical Lead at Microsoft. I have been with Microsoft for 8 years. I work with the directory services team in Las Colinas, TX (Dallas/Fort Worth). I work troubleshooting account lockout cases as well as Active Directory is
Host: Jen (Microsoft)
Hi. I'm Jen Bayer, a Technical Writer on the Windows Server Security team.
Moderator: John (Microsoft)
I'm John Buscher the Server MVP Lead and Moderator today.
Host: John (Microsoft)
My name is John Coates. I'm the lead writer for the Windows Server security documentation team.
Q: Why were password complexities set so...complex...in Windows Server 2003 + AD? It took me at least 10 minutes last night to figure out a password that met the requirements. Also, is there a whitepaper discussing the actual requirements?
A: We decided to make it tighter in Windows 2003. Many users were not using complex passwords. This makes it very easy for attackers to guess passwords when they are simple. The account whitepaper has a section on complex passwords that explains the requirements. It must use 3 of 4: uppercase letters, lowercase letters, numbers, or other characters, leaving 94 potential characters for each space in a password.
Q: Should we use ALTools for w2k3 or are the tools OOBT (out-of-the-box)?
A: Yes, you should use ALTools for Windows Server 2003. These tools are not included on the CD. They're designed specifically to troubleshoot account policies.
Q: What’s new in Windows 2003 as far as password or account settings go?
A: I don't believe there are any new password or account lockout settings for WS03. However, you can read all about new security features in Windows Server 2003 at http://go.microsoft.com/fwlink/?LinkId=57073.
Q: What's a security policy?
A: A security policy is one or more settings that are used to configure computers. Security policy specifically is a loose collection of settings used to enforce written security policy, restrict or allow specific user actions, and so on. The policies for account lockout and password configuration are detailed in the whitepaper.
Q: Why were password complexities set so...complex...in Windows Server 2003 + AD? It took me at least 10 minutes last night to figure out a password that met the requirements. Also, is there a whitepaper discussing the actual requirements?
A: The NTLM authentication or hashes are not nearly as troublesome as the LM hashes. They were developed a long time ago and they are fairly easy to attack. It is usually the most frequently attacked password hash. I recommend getting rid of that if you can. Down-level clients and some old applications may fail. However, it will greatly increase the security of your passwords.
299656 How to Prevent Windows from Storing a LAN Manager Hash of Your Password http://support.microsoft.com/default.aspx?scid=kb;en-us;299656&sd=tech
We are always tightening the security on NTLM, LM, and Kerberos.
Q: Passfilt.dll... that is part of the info I was looking for! Now is there any info - whitepapers, etc - on implementation and programming?
A: The Password Complexity section of this paper discusses password filters and links to another doc on MSDN about creating a custom filter.
Q: Any chance of seeing a change to the behavior in the Def. Dom. Policy whereby exceptions to the password policies are permitted using alternative policies?
A: This is a frequent request. We're working to determine the best way to address this need. However, that type of change will not be available in the short-term. We'll still enforce the password policy at the domain level in Windows Server 2003.
Q: Could you please explain or give more details about security policy, or any related URL?
A: Take a look at the Account Passwords and Policies in Windows Server 2003 White paper.
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx
Also see: Threats and Countermeasures Document: http://www.microsoft.com/downloads/details.aspx?displaylang=en&familyid=1b6acf93-147a-4481-9346-f93a4081eea8
Q: Why is there an option to store passwords in a reversible encryption format? Is there a reason that I might want to do that?
A: See: http://www.microsoft.com/technet/prodtechnol/windowsserver2003/library/serverhelp/EEFF044C-D4A8-4699-A4B8-C5E563118C93.mspx
Long story short, some apps require it.
Q: Besides disabling NetBIOS over TCP/IP, what else can be done to keep LM/Win9x clients from accessing a Win2k3 server?
A: If you disable the LM hash as listed above, also use the setting in the following article: 246261 How to Use the RestrictAnonymous Registry Value in Windows 2000 http://support.microsoft.com/default.aspx?scid=kb;en-us;246261&sd=tech
Also, you can use the following as well. The policy is configurable via Security Settings\Local Policies\Security Options\Network access: Do not allow anonymous enumeration of SAM accounts. This configures the following registry value: HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM
This will prevent the 9x clients from connecting. You can also use SMB signing:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation\parameters]
"enablesecuritysignature"=dword:00000001
"requiresecuritysignature"=dword:00000001
Likewise, for the server the settings are as below:
Windows Registry Editor Version 5.00
Every client and server that needs to communicate with each other will have to have this set on them, and the overhead is roughly a 15 - 20% performance hit because every packet has to be signed, and every packet has to be decrypted.
Q: Why is there a way to lock an account out, but not an IP? The problem is someone brute forcing the account u/p, so you lock the account, but that doesn't really solve anything. Is there hope that in the future you can lock out IP addresses?
A: Excellent question! This is intentionally something we don't do within the operating system. This is because IP addresses can change, be spoofed, etc. There is a wide variety of great third-party hardware and software that does this right now.
For example, BlackIce or other personal firewalls use fuzzy-logic algorithms to identify threatening IP addresses and block them.
However, due to the nature of IP, we can't be 100% sure that a threat comes from a specific IP and so we don't try to block them.
Also IP Security (IPSec) is useful for this type of packet blocking. However, this is not designed to work dynamically to block attackers.
Q: Is it possible to audit logon events where bad password did not increment the BadPWD flag? That is, audit logons where N-2 was invoked.
A: No
Q: What's Ctrl-Alt-Del at start-up really do to protect the system, anyway?
A: This is a holdover from the earliest design days of Windows NT. In those days, there were Trojan-horse attacks that hooked Ctrl+Alt+Del and would infect the system at that point, just before the Ctrl+Alt+Del forced a reboot (based on the BIOS).
Windows NT now intercepts that combination and doesn't pass it to applications. That stops Trojans from hooking that key combination.
Q: So, the programs don't attach to it. How does that help protect passwords?
A: It doesn't really protect passwords. It’s just a convenient key combination that invokes the logon process and happened to mitigate a threat of the day.
Q: N2Chat: Is it possible to turn N-2 Password History Check off other than setting password history to "0" on DC's?
A: No, the only way to get the n-2 behavior turned off is turning off the history. n-2 saves you from troubleshooting lockouts and causing work loss due to being locked out. Ideally your account lockout settings are designed to prevent brute-force attacks; the user should get access denied on the server they are using where they are using the old passwords.
Q: Does anyone know a KB article relating to allowing Win9x clients to log on to 2000/XP machines without an account set up on the 2000/XP machines?
A: You can do that by using the guest account. Please lock it down to only allow explicit rights to items, and do not use the Everyone group, since the guest is in the Everyone group. Use Authenticated Users.
290403 How to Set Security in Windows XP Professional That Is Installed in a Work Group
http://support.microsoft.com/default.aspx?scid=kb;en-us;290403&sd=tech
304040 Description of File Sharing and Permissions in Windows XP
http://support.microsoft.com/default.aspx?scid=kb;en-us;304040&sd=tech
Q: What is the recommended password length and why?
A: This is the $64 question. There is no recommended length. This is dependent on numerous factors. Most often the requirement is based on the security need of your organization. The whitepaper has a fairly long section about making this decision and how to go about it.
That being said, the general rule is: the longer the better, 15 or more is best.
Q: Aren't passphrases still vulnerable to dictionary attacks?
A: Yes. But most commercial password cracking software won't check passwords over 14 characters.
If users use long passphrases, they are less likely to be cracked and easier to remember than traditional strong passwords.
Q: How can I get something like a "weak password" report?
A: There is not a Microsoft-provided tool to do this. We can only force strong passwords; we cannot report on weak ones. So a best practice is to force strong password policy to ensure that no weak passwords can happen. That being said, there are plenty of most excellent third-party tools that can do this. The most widely-known is L0phtcrack. There are plenty of others. Most of them attack the LM hash, so to prevent these tools you can use the earlier mentioned KB article. MBSA does check against a very limited number of weak passwords, but you should not consider it a tool that creates weak password reports.
Q: Is the longest password length 128 or 256 characters?
A: Well, on some OSes you can only use 14 characters. 128.
Q: Is it more recommended to disable, or rename the Admin account?
A: As are so many answers here, it depends on your security requirements. Because the SID of this account is well-known, renaming it will not defeat some types of attacks. So for the best protection against attacks on your admin account, you should create a new admin account and then disable the built-in one.
As far as fake admin, that's a very common and effective "honeypot" technique. Be very sure you know what you're doing if you decide to do this. Not with built-in accounts created during installation. The KB article explains this in more depth. Eventcomb is part of ALTools.exe, which is the tools package that accompanies this whitepaper.
243330 Well Known Security Identifiers in Windows 2000 http://support.microsoft.com/default.aspx?scid=kb;en-us;243330&sd=tech
For further information on this topic please visit the following:
Newsgroups: news://msnews.microsoft.com/microsoft.public.platformsdk.security.