From: Thor (Hammer of God) (thor@hammerofgod.com)
Date: Fri Sep 30 2005 - 01:06:12 EDT
Let's break this down a bit--
I didn't pick up on the fact that you were concerned with laptop security--
when you discussed SYSKEY'ing the SAM, I assumed a member/stand-alone SAM.
But you can certainly SYSKEY the SAM of an XP box as well...
Regarding laptop security, you're in the same boat as the rest of us. It's
tough business to secure resident data and keep the box patched while making
access easy enough for the user to get their jobs done without compromising
security. My gut feeling is that it is so difficult that the majority of
corporate laptop deployments are seriously lacking in security, and that the
laptop represents one of the highest levels of threat and exposure to an
organization. So let's chew on this one...
First off, SYSKEY'ing the SAM of an XP lappy does not encrypt the cached
pwd's in the LSA. It just changes the encryption level of the SAM accounts
db itself. This is where the number of cached logons stored in the LSA
comes in... If you are authenticating to the local account base on the box,
you can set this to 0 without worry (because it does not come into play).
However, if you are authenticating to a domain, (which I have to assume you
are doing since cached logons are a concern) setting cached logons to 0 will
require a connection to a DC just to log on to the box-- something I don't
see many people do on remote laptops using domain accounts. That being
said, most deployments of EFS that I have seen, particularly in laptops, are
based on domain accounts. The main reason being the fact that
authentication is off-box, thus reducing the risk of local accounts
compromising EFS encrypted files. You also can use the domain-based
recovery certificate to access files should you have to take a user out back
and shoot them. Hey, these things happen in the south.
So, I would opine that using SYSKEY to secure local accounts on a laptop
using EFS is a bit bulky, and that the associated administrative overhead to
make it all work well is counter-productive... Of course, if any on the list
are doing this with appreciable levels of success, please let us know what
we are missing (what I'm missing, anyway.)
Regarding passwords, just use pass phrases. This whole thread really got
skewed in regard to that, I think. For one, a password with a whitespace in
it is obviously more secure than one without, simply because it increases
the keyspace. It doesn't matter what Cain and Able, or Adam and Eve for
that matter, can do with it-- increased keyspace == increased overhead to
crack. It's simple math. You'll hear all manner of war stories of people
cracking this, cracking that, using rainbow tables here, LM cracks there,
and a bag of Skittles on the other side. But most of that can be obviated by
having simple, but long, pass phrases. Since Win2k, you've had the choice
of using 1298 character passwords/phrases. Even if you catch an NTLM auth on
the wire, a passphrase like "i have no farking idea what my password is."
will take an eon to crack, even though it is all lower-case alpha with a
period thrown in-- same with a SAM. Besides, if someone has camped out on
your box and grabbed the SAM, you've got Bigger Problems (tm) anyway.
In addition to easy pass phrases, I think a far more workable and viable
solution for laptop data is the use of something like a PGP partition to
store data. It's easy for the user, easy for the admin, and adds real-world
security to remote data deployments...
t
----- Original Message -----
From: "Dufresne, Pierre" <PIERRE.DUFRESNE@MESS.GOUV.QC.CA>
To: <pen-test@securityfocus.com>
Sent: Thursday, September 29, 2005 6:19 AM
Subject: RE: Password "security" - was"Passwords with Lan Manager (LM) under
Windows" and "Whitespace in passwords"
> Thanks for the advice,
>
> I am focusing on stolen laptops. With the password-on-boot SYSKEY feature
> I
> was hoping to protect the cache entries stored on those machines.
> The thing is, I was planning to make EFS available for the laptops (XP
> sp1).
> The problem is, if the attacker can crack the passwords (after dumping the
> cache entries with CacheDump), he gets access to the EFS files.
> That's why this password security thread had me worry.
> Thanks
>
> P.
------------------------------------------------------------------------------
Audit your website security with Acunetix Web Vulnerability Scanner:
Hackers are concentrating their efforts on attacking applications on your
website. Up to 75% of cyber attacks are launched on shopping carts, forms,
login pages, dynamic content etc. Firewalls, SSL and locked-down servers are
futile against web application hacking. Check your website for vulnerabilities
to SQL injection, Cross site scripting and other web attacks before hackers do!
Download Trial at:
http://www.securityfocus.com/sponsor/pen-test_050831
-------------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:55:01 EDT