Really... brute forcing over the network makes as much sense as baking your 
cake with a lighter. Did you ever think about how many possible combinations you 
have if your password is somewhere around 13 chars long and contains letters, 
numbers, and special chars?

C'mon ... if you want to talk off-topic stuff here about NT then at least make 
correct statements.

You can NOT disable the built-in administrator account. You certainly can 
rename it though. Maybe you should just get familiar with the NT security 
concept and its implementation. Also VMS has and had its security issues... 
and well... I don't think it would be very cool if the system account was 
locked out... especially as you can't set a password for it in NT... hmmmm... I 
guess resetting an account that has no password is pretty complicated.

Maybe you didn't observe that NT will wait for some seconds if you typed in 
your password repeatedly wrong (after 3 times in my case). If there are 
10'000'000 possible passwords... and NT would, let's say, wait for 10 seconds 
after every third authentication ... that would result in quite some time that 
the brute forcing would take... and to be honest... I'm too lazy to type in 50 
passwords even if I know that one of them is the right one.
Brute forcing over the network requires even higher efforts and the chances are 
far smaller if you set your servers up according to the MS security 
guidelines (disable Lanman stuff, setting permissions on registry keys and all 
the other fun...)

NT is fine and dandy... but obviously not the best platform for all computing 
needs... but I agree to a certain extent with some of the voices out there that 
stated that the Admin's skills count more than the OS itself...


Cheers

Boris Pavalec [QPB]
Network / System Engineer [MCSE]
Highend Computing Systems
Switzerland - Zuerich

http://www.nt-admin.net
[EMAIL PROTECTED]



-----Original Message-----
From: steele.b [mailto:[EMAIL PROTECTED]]
Sent: Saturday, 12 June 1999 00:59
To: firewalls
Cc: steele.b
Subject: UNAUTHENTICATED: Re: RE: Why not NT?


>This is not a security bug... this is by design... else an attacker could
>simply go through every account and type in 4 or 6 wrong passwords and you
>probably wouldn't be able to log on to your NT systems even if you had the
>right password.

IMO, this is one thing that I DON'T like about NT.  You're basically
substituting one security problem for another.  By NOT allowing the
Administrator account to be locked out, an NT box is open to a brute-force
password attack against that account.  Of course many admins get around this
problem by simply disabling the Administrator account and using another
account for administration tasks.

VMS tackles this problem quite cleverly, I think.  Not only does it lock out
accounts (including the SYSTEM account - except if the logon is taking place
on the operator console), but it will lock out the remote device if many
invalid login attempts start to originate from that device.

Brian Steele
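The two lockout policies argued over above, as an added example that is not part of either post: Boris's NT-style behaviour (a pause after every third bad password on an account, but the account is never locked, so nobody can deny it by feeding it wrong passwords) and Brian's VMS-style behaviour (a remote device that keeps failing gets locked out, whichever accounts it targets). The log lines, the thresholds (3 failures / 10 seconds, 20 failures per source), the host addresses and the user names are all constructed for illustration; `online_guess_seconds` just models Boris's 10'000'000-password arithmetic so the numbers can be checked.

```python
"""Toy online-logon throttle: NT-style delay per account plus VMS-style
lock-out per source device. Added example; thresholds and sample log are
constructed, not taken from NT, VMS or the original thread."""
import re
from dataclasses import dataclass, field

# Constructed log format, e.g. "... LOGON user=Administrator src=10.0.0.5 result=FAIL"
LOG_RE = re.compile(r"user=(\S+) src=(\S+) result=(OK|FAIL)")


@dataclass
class LogonThrottle:
    delay_after: int = 3          # NT-style: every Nth consecutive failure on an account...
    delay_seconds: float = 10.0   # ...imposes this pause before the next attempt
    source_limit: int = 20        # VMS-style: failures from one source before it is locked
    account_fail: dict = field(default_factory=dict)
    source_fail: dict = field(default_factory=dict)
    locked_sources: set = field(default_factory=set)
    delay_total: float = 0.0      # seconds of pause imposed so far

    def attempt(self, user: str, source: str, ok: bool) -> str:
        """Classify one logon attempt; the account itself is never locked."""
        if source in self.locked_sources:
            return "source-locked"
        if ok:
            self.account_fail[user] = 0
            self.source_fail[source] = 0
            return "allowed"
        self.account_fail[user] = self.account_fail.get(user, 0) + 1
        self.source_fail[source] = self.source_fail.get(source, 0) + 1
        if self.source_fail[source] >= self.source_limit:
            self.locked_sources.add(source)       # VMS-style: lock the device, not the account
            return "source-locked"
        if self.account_fail[user] % self.delay_after == 0:
            self.delay_total += self.delay_seconds  # NT-style: slow the guesser down
            return "delayed"
        return "rejected"


def replay(lines, **kwargs):
    """Run constructed log lines through a fresh throttle; returns (throttle, outcomes)."""
    throttle = LogonThrottle(**kwargs)
    outcomes = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, src, result = m.groups()
        outcomes.append(throttle.attempt(user, src, result == "OK"))
    return throttle, outcomes


def keyspace(length: int, alphabet: int = 95) -> int:
    """Number of candidates for a password of `length` printable-ASCII chars."""
    return alphabet ** length


def online_guess_seconds(candidates: int, delay_after: int = 3,
                         delay_seconds: float = 10.0, per_try: float = 0.05) -> float:
    """Worst-case time to try every candidate against one account under the NT-style delay."""
    return candidates * per_try + (candidates // delay_after) * delay_seconds


# Constructed sample: one host hammers Administrator, then the real admin logs in
# at the console and an ordinary user mistypes once from a different host.
SAMPLE_LOG = (
    [f"1999-06-12 00:59:{i:02d} LOGON user=Administrator src=10.0.0.5 result=FAIL"
     for i in range(25)]
    + ["1999-06-12 01:00:00 LOGON user=Administrator src=CONSOLE result=OK",
       "1999-06-12 01:00:05 LOGON user=bsteele src=10.0.0.7 result=FAIL",
       "1999-06-12 01:00:09 LOGON user=bsteele src=10.0.0.7 result=OK"]
)

if __name__ == "__main__":
    t, outcomes = replay(SAMPLE_LOG)
    for name in ("rejected", "delayed", "source-locked", "allowed"):
        print(f"{name:14s} {outcomes.count(name)}")
    print("locked sources:", sorted(t.locked_sources))
    print("delay imposed (s):", t.delay_total)
    days = online_guess_seconds(10_000_000, per_try=0) / 86_400
    print(f"10'000'000 guesses under 10 s per 3 failures: ~{days:.0f} days")
    print(f"13 printable chars: {keyspace(13):.2e} candidates")
```

In the replay the attacking host is locked after its 20th failure while `Administrator` still logs in from the console and `bsteele` is untouched, which is the combination Brian describes; the six 10-second pauses are the NT-style cost Boris points at, and `online_guess_seconds(10_000_000, per_try=0)` is his example worked out (about 386 days of pauses alone).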


-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
