Jason Kushmaul wrote:
> 
> Hello all,
> 
> This is not a firewall question but still a security question.
> And please excuse my lack of knowledge.
> 
> Is there a fix for the l0pht crack for NT passwords?
> Did any of the service packs take care of that problem or hasn't anything
> been done about it yet?

NT SP2 comes with a "strong password" filter which helps somewhat. As
usual with NT security, it is not enabled by default and you need to
turn it on. Search the MS Knowledge Base (keywords: "strong passwords")
for details of how to do that. Additionally, look at your policy
settings in User Manager and raise the minimum password length to 10 or
better, and turn on password aging, etc. There is also a SYSKEY patch
which makes it harder for tools such as l0phtcrack to access the SAM
database--however that does not address the issue of sniffing
"encrypted" passwords off the net. Note that Kerberos (as used in
NT5/W2K) will also be vulnerable to a similar attack--so expect to see
l0phtcrack clones for NT5 Kerberos in short order.

We have also developed a password complexity plugin for NT domain
controllers which will be in beta testing shortly. It implements more
sophisticated complexity checks than NT SP2, is specifically designed to
defend against tools such as l0phtcrack, and lets you configure
different complexity requirements for different domain users and groups.
If you would like to be a beta tester, let me know. 

Cheers,
Frank O'Dwyer.