Attacks Against Windows Configuration Weaknesses - Best Security Tips
   
SANS Top-20 Internet Security Attack Targets: Attacks Against Windows Configuration Weaknesses
Author: Max : 2006/11/20
W5.1 Description

1. User Configured Password Weaknesses
Weaknesses in password configurations have taken on added importance in recent years with the proliferation of worms, bots, and other malware that have improved their ability to propagate by abusing inadequate passwords. Enforcing complex passwords is one of the oldest issues facing IT security administrators, yet it continues to plague enterprises across the globe. These weaknesses can exist at both the Active Directory and the local level, and at either level they can be exploited effectively by malware and by insider threats. In addition, with the increase of cross-platform centralized authentication, compromise of Windows credentials can often lead directly to compromise of credentials for other platforms (i.e. UNIX and RACF/ACF2/Top Secret). Even if complex passwords are enforced on the vast majority of accounts on the network, one weak password can lead to a much larger compromise.

2. Service Account Passwords
Non-system service accounts need passwords in Windows. Unfortunately, it is still very common to use short, printable passwords for these accounts. This is particularly troublesome because these accounts are often used on many machines, hold high privileges, and have passwords that rarely change.

3. Null Log-on
Null credentials have long been an issue in Windows domain environments. Since the inception of the domain architecture with Windows NT, null sessions have allowed anonymous users to enumerate systems, shares, and user accounts. Windows 2000 introduced two levels of control over anonymous access; however, this control was disabled by default. With Windows 2003, Microsoft added a number of controls over anonymous access and enabled some restrictions by default. However, legacy systems have forced many environments to continue to support anonymous connections.

W5.2 How to Protect Against Configuration Weaknesses

Weak Passwords:

  • Enforce a strict password policy for all users on the domain. This policy should include complexity requirements and password expiration. Consider using a third-party tool for managing local account passwords and ensuring that passwords are unique.

  • Prevent Windows from storing the LM hash in Active Directory or SAM database by following the instructions posted by Microsoft.

  • Implement a policy to periodically test passwords across the enterprise. This testing should include the use of automated tools such as THC Hydra, L0phtCrack and John the Ripper to check for blank and simple/common passwords. The testing should be performed on all platforms and should not be limited to AD passwords.



Null Log-on:

  • Restrict anonymous access to domain systems. See the "References" section for details regarding the impact of null session restrictions and the settings available in various scenarios.
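
The protections above can be checked from an exported security policy. The following Python audit is an added example, not part of the original article or the SANS text; it reads the text of a `secedit /export` policy file and reports password-policy, LM-hash and anonymous-access settings that are still weak. The registry value names (NoLMHash, RestrictAnonymous, RestrictAnonymousSAM, EveryoneIncludesAnonymous), the acceptable values and the sample export are assumptions not given in the article.

```python
import configparser

# Constructed sample of `secedit /export /cfg policy.inf` output (not from the article).
SAMPLE_EXPORT = r"""
[System Access]
MinimumPasswordLength = 6
MaximumPasswordAge = -1
PasswordComplexity = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
"""

LSA = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\"
SA, RV = "System Access", "Registry Values"
# (section, key, test for an acceptable value, finding text).
# Acceptable values are assumed hardening targets, not values given in the article.
CHECKS = [
    (SA, "PasswordComplexity", lambda v: v == 1, "complexity not enforced"),
    (SA, "MaximumPasswordAge", lambda v: v > 0, "passwords never expire"),
    (SA, "MinimumPasswordLength", lambda v: v > 0, "blank passwords permitted"),
    (RV, LSA + "NoLMHash", lambda v: v == 1, "LM hash still stored"),
    (RV, LSA + "RestrictAnonymous", lambda v: v >= 1, "anonymous enumeration allowed"),
    (RV, LSA + "RestrictAnonymousSAM", lambda v: v == 1, "anonymous SAM enumeration allowed"),
    (RV, LSA + "EveryoneIncludesAnonymous", lambda v: v == 0, "Everyone includes anonymous"),
]

def read_int(cp, section, key):
    raw = cp.get(section, key, fallback=None)  # option names match case-insensitively
    if raw is None:
        return None  # setting absent from the export
    if section == RV:
        raw = raw.split(",", 1)[1]  # "4,1" is type 4 (REG_DWORD) with data 1
    return int(raw.strip().strip('"'))

def audit(export_text):
    """Return (setting, value, finding) for every check the exported policy fails."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(export_text)
    findings = []
    for section, key, acceptable, text in CHECKS:
        name, value = key.rsplit("\\", 1)[-1], read_int(cp, section, key)
        if value is None:
            findings.append((name, None, "not present in export"))
        elif not acceptable(value):
            findings.append((name, value, text))
    return findings
```

Real exports are UTF-16 encoded, so read them with `open(path, encoding="utf-16")` before passing the text to `audit()`. A setting reported as not present should be checked on the host itself, because the effective default differs between Windows versions.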



W5.3 References

The Administrator Accounts Security Planning Guide

Windows Security Guides (1)

Windows Security Guides (2)

How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases

MSRPC NULL sessions - exploitation and protection

Restricting Anonymous Access

Client, service, and program incompatibilities that may occur when you modify security settings and user rights assignments

Microsoft policy on third-party security configuration guidance support

 