Re: [ActiveDir] How Secure is a Domain Controller?

[Al Mulnick]

I'd be very interested to see the technical data that backs that up (not you Neil, but the folks from Microsoft that make that claim.)

 

Is it related to people being able to remember a limited number of numbers perhaps?(http://www.youramazingbrain.org.uk/yourmemory/digitspan.htm ) Or is there some other empirical data that says that passwords with greater than 7 characters is likely to be repeated?

 

Or could it be that somebody at MS is sore that NTLM had to be upgraded to beyond two 7 char strings? ;)

 

Seriously, I see nothing like that here http://www.indevis.de/dokumente/gartner_passwords_breakpoint.pdf or here http://www.passwordresearch.com/stats/statindex.html

 

I think that's a load of bologna to make a suggestion to keep passwords to less than 7 characters.  If anything, there's no reason not to make them longer as the more characters that have to be guessed, the harder it becomes to brute-force hack them (assuming that passwords are not stored as two 7 char strings, right?)  That allows the system to be even more useful because you can then extend the attempts prior to lockout making the system more useful to the end user.

In the end, there are some assertions that passwords by themselves are coming to the end of their useful life. Hmm.. Maybe. But I think coupled with good lockout policies, strong passwords mean we can mitigate the risks for most situations.  Not forever of course.

 

I'd love to see some of that data that shows that users repeat after 7 characters if anyone has it. 

 

Al 

 

 

 

Just for fun:

http://plus.maths.org/issue31/features/eastaway/index-gifd.html
 

On 3/6/06, [EMAIL PROTECTED] <[EMAIL PROTECTED] > wrote:

The use of >20 char passwords caught my eye.

 

In previous discussions with MS et al, it was suggested that the majority of users would simply repeat a (at most ( 7 char password n times, so as to meet the 20+ char pw policy requirement.

 

As a result, I have heard it suggested that in reality (not theory) a pw policy of more than 7 chars is actually counter productive. [Any pw policy with a multiple of 7 chars being most counter productive.]

 

Food for thought,

neil

---

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Ulf B. Simon-Weidner

Sent: 05 March 2006 08:35

To: ActiveDir@mail.activedir.org

Subject: RE: [ActiveDir] How Secure is a Domain Controller?

 

I've written down some related thoughts once:

http://msmvps.com/blogs/ulfbsimonweidner/archive/2004/10/24/16568.aspx

Gruesse - Sincerely,

Ulf B. Simon-Weidner

  MVP-Book "Windows XP - Die Expertentipps": http://tinyurl.com/44zcz
  Weblog: http://msmvps.org/UlfBSimonWeidner
  Website: http://www.windowsserverfaq.org
  Profile:    http://mvp.support.microsoft.com/profile="">   

 

---

From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Edwin

Sent: Sunday, March 05, 2006 4:17 AM

To: ActiveDir@mail.activedir.org
Subject: [ActiveDir] How Secure is a Domain Controller?

 

How Secure is a Domain Controller that is fully patched on a default install of Windows 2003?  When promoted the domain controller has the two default policies, both of which are recommended not to be modified.  But there are things that could be done better for added security.  For example, NTLMv2 refuse NTLM and LM.  Is it common practice to add additional GPO's to the DC OU?  Or is DC protected enough to where all that is needed to worry about are the member machines?

 

If adding additional GPO's to the DC OU, is there anything that should definitely be avoided?

 

Edwin

PLEASE READ: The information contained in this email is confidential and

intended for the named recipient(s) only. If you are not an intended

recipient of this email please notify the sender immediately and delete your

copy from your system. You must not copy, distribute or take any further

action in reliance on it. Email is not a secure method of communication and

Nomura International plc ('NIplc') will not, to the extent permitted by law,

accept responsibility or liability for (a) the accuracy or completeness of,

or (b) the presence of any virus, worm or similar malicious or disabling

code in, this message or any attachment(s) to it. If verification of this

email is sought then please request a hard copy. Unless otherwise stated

this email: (1) is not, and should not be treated or relied upon as,

investment research; (2) contains views or opinions that are solely those of

the author and do not necessarily represent those of NIplc; (3) is intended

for informational purposes only and is not a recommendation, solicitation or

offer to buy or sell securities or related financial instruments. NIplc

does not provide investment services to private customers. Authorised and

regulated by the Financial Services Authority. Registered in England

no. 1550505 VAT No. 447 2492 35. Registered Office: 1 St Martin's-le-Grand,

London, EC1A 4NP. A member of the Nomura group of companies.