Re: RWW Security was compromised.

From: Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] (sbradcpa_at_pacbell.net)
Date: 01/25/05


Date: Mon, 24 Jan 2005 19:40:09 -0800

At least have a longer than 14 character password... I have a slow
computer here and it took a day and a half to crank through a 6 letter
password that had a capital letter, one number and the rest lowercase.
Each additional letter/number/whatever in a password increases
exponentially the amount of "crank" time on that box.

If your password policy is to change them every 90 days, the theory
behind it is that it should take them 90 days to crack them.

Long
spaces
Weird characters
Passphrases

Chapter 17 [if I remember right] of the Protecting your network book by
Steve Riley and Dr. Jesper Johansson, which will be coming out.

Our entire world is protected by passwords. 7 characters is a small
password for that Administrator account.

SuperGumby [SBS MVP] wrote:
> Though RWW has this (what I consider) security flaw I prefer its use to VPN.
>
> I've opened a discussion with the other SBS MVPs where I admit to not
> implementing all aspects of 'best practice' in a security context, neither
> for my LoungeAN nor client systems. If anything worthwhile comes from it I'm
> sure it will drift through to the group.
>
> We all agree that changing the admin account and enforcing password change
> and complexity via policy are good principles. I supply consulting services
> to clients. If my clients allowed me to implement these items I would feel
> good, but that's often not the case.
>
> "Therion" <therion@outlook.com> wrote in message
> news:uEHHwsoAFHA.2676@TK2MSFTNGP12.phx.gbl...
>
>>Larry,
>>
>>Not to restate what has already been said, but the single most important
>>part of all this is the renaming of the administrator account. I suspect
>>that had this been done the attacker would have given up long ago. (Only
>>500 attempts, that was fast!) Secondly password strength, especially on
>>privileged accounts. I know it is difficult to get SMBs to adopt good
>>password policies but it must be done if you have services open to the
>>public. If you can't do it globally, then at least use them on privileged
>>accounts.
>>
>>Now, off to the real issue. MS has made a huge mistake. SBS is targeted
>>towards the small business market with the intent of their non-engineer
>>staff deploying and maintaining it. MS has touted how they have adopted
>>this new "tightened security" model out of the box, and yet this comes to
>>the surface. Shame on MS! At least they do offer the renaming of the admin
>>account in step four of the best practice help document and include that
>>reference as the first To-Do, but still they know this will only get
>>done a small percentage of the time.
>>
>>The only solution I can offer is to do what everyone has said for the time
>>being regarding renaming the admin account and keeping good password
>>policies. I also suggest that you remove RWW from the public side of your
>>network and implement VPN for those users that need it. If they actually
>>need the desktop access RWW offers they can use it from there. Bear in
>>mind though that using VPN is a secure method of gaining access to the
>>"entire" network; however, it has its own drawbacks as you need to trust
>>the machines coming in as being virus free etc.
>>
>>Good luck and thanks for sharing your findings as it has helped me make
>>some decisions regarding its use. :)
>>
>>~/bin/Therion
>>
>
>

-- 
An open letter to the Security Community::
http://msmvps.com/bradley/archive/2004/12/12/23540.aspx
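The cracking-time argument in the post above, made numeric. This is an added example, not code from the post, from Microsoft or from the book it mentions. It assumes the character-class sizes in CLASSES, and it treats the poster's "day and a half" for a 6-character mixed-case-plus-digit password as the time to exhaust the whole 62-character keyspace on that box, which calibrates a guess rate for the rest of the arithmetic (an assumption; the post does not say the search ran to completion). The `lm_keyspace` function adds the Windows-specific detail behind the "longer than 14 characters" advice: a password of 14 characters or fewer is also stored as an LM hash, which uppercases it and hashes two 7-byte halves independently, while 15 or more characters have no LM hash at all.

```python
"""Brute-force cost model for the password-length argument in the thread.

Added example; assumptions (not from the post): the class sizes below,
and that 6 mixed-case+digit characters in 1.5 days means the full 62^6
keyspace was exhausted on the poster's slow box.
"""
from datetime import timedelta

# Assumed character-class sizes (printable ASCII; symbols include space).
CLASSES = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}

DAY = 86400
ALNUM = ("lower", "upper", "digit")
ALL = ("lower", "upper", "digit", "symbol")


def alphabet_size(classes):
    return sum(CLASSES[c] for c in classes)


def keyspace(length, classes):
    """Number of candidate passwords of exactly `length` drawn from `classes`."""
    return alphabet_size(classes) ** length


def rate_from_observation(length, classes, seconds):
    """Guess rate implied by exhausting keyspace(length, classes) in `seconds`."""
    return keyspace(length, classes) / seconds


def seconds_to_exhaust(length, classes, guesses_per_second):
    """Worst-case time to try every password of this length and alphabet."""
    return keyspace(length, classes) / guesses_per_second


def min_length_for_window(classes, guesses_per_second, window_seconds):
    """Shortest length whose full keyspace outlasts the rotation window.

    The thread's 90-day rule made concrete: if exhaustive search takes
    longer than the rotation period, the password expires before the
    search can finish.  Each extra character multiplies the time by the
    alphabet size, which is the 'exponential' growth the post describes.
    """
    length = 1
    while seconds_to_exhaust(length, classes, guesses_per_second) <= window_seconds:
        length += 1
    return length


def lm_keyspace(length):
    """Effective search space when the password is also stored as an LM hash.

    LM uppercases the password, pads it to 14 bytes and hashes each 7-byte
    half on its own, so an attacker cracks the halves separately and their
    costs add instead of multiply.  Longer than 14 characters: no LM hash is
    stored, returned as None.
    """
    if length > 14:
        return None
    upper_alphabet = CLASSES["upper"] + CLASSES["digit"] + CLASSES["symbol"]  # 69
    first = min(length, 7)
    second = max(length - 7, 0)
    cost = upper_alphabet ** first
    if second:
        cost += upper_alphabet ** second
    return cost


def fmt(seconds):
    """Readable duration; falls back to years beyond timedelta's range."""
    if seconds < 1000 * 365 * DAY:
        return str(timedelta(seconds=round(seconds)))
    return f"{seconds / (365 * DAY):.3g} years"


if __name__ == "__main__":
    # Calibrate on the post: 6 chars, mixed case + digit, a day and a half.
    rate = rate_from_observation(6, ALNUM, 1.5 * DAY)
    print(f"implied rate: {rate:,.0f} guesses/s")
    for n in (6, 7, 8, 14):
        print(f"{n:2d} chars, letters+digits: {fmt(seconds_to_exhaust(n, ALNUM, rate))}")
    print("min length for a 90-day window, letters+digits:",
          min_length_for_window(ALNUM, rate, 90 * DAY))
    print("min length for a 90-day window, lowercase only :",
          min_length_for_window(("lower",), rate, 90 * DAY))
    # Why 'longer than 14' matters on Windows: LM halves vs the NT keyspace.
    for n in (7, 14, 15):
        lm = lm_keyspace(n)
        lm_time = "no LM hash stored" if lm is None else fmt(lm / rate)
        print(f"{n:2d} chars: via LM halves {lm_time}; "
              f"full NT keyspace {fmt(seconds_to_exhaust(n, ALL, rate))}")
```

At the rate implied by the post, seven letters-and-digits characters take about 93 days to exhaust (62 times the six-character figure), just past a 90-day rotation window, while eight characters take about 16 years; lowercase-only passwords need nine characters to clear the same window. The LM figures are the other half of the advice: a 14-character password that is also stored as an LM hash falls in roughly a year of the same effort, whereas its NT hash keyspace is beyond reach, and at 15 characters the LM hash simply is not there. The guess rate is the variable that has to be measured rather than assumed; the complementary control on Windows is the "Do not store LAN Manager hash value on next password change" policy (the NoLMHash setting), which removes the weak hash for passwords of any length.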

