Tip

Protecting your passwords

Everyone knows that there are dozens of tools available for download on the Internet that can be used to crack Windows' relatively weak password encryption. Given enough time, tools such as the infamous L0phtcrack will eventually crack any password, no matter how long or complex. But we also know that to use a tool like L0phtcrack, an attacker generally requires access to the account database. This means they either need to break into the Windows server through a network connection to access the file, or they need physical access to the console (i.e. the keyboard and monitor).

So to protect this file, most administrators spend their days applying patches and various policies and safeguards to prevent unauthorized access via the network, and they use a screen saver password to lock the console. If possible, the server is rack-mounted in a locking cabinet, to prevent someone from walking off with those hot-swap hard disks that are so easy to remove.

However, after going to all this trouble, many administrators make two simple mistakes that leave them very vulnerable. The first is not securing physical access to the backup tapes. Practically anyone with a tape drive can restore from backup to their own hardware and have a complete copy of your server, including the SAM and all your users' files.

More common, but slightly less dangerous, is not securing physical access to the Emergency Repair Disk. These important disks are often left right next to the server for quick access in the event of a failure, but the disks also contain a copy of the SAM and can be used to brute force your passwords. Once an attacker has the administrator password, it's unlikely that any of your other network safeguards will protect your data.

Thomas Alexander Lancaster IV is a consultant and author with over ten years' experience in the networking industry, focused on Internet infrastructure.


This was first published in July 2002
