You can implement various operating system security measures to ensure that passwords are protected. Regularly perform these low‐tech and high‐tech password‐cracking tests to make sure that your systems are as secure as possible — perhaps as part of a monthly, quarterly, or biannual audit of local and domain passwords.
The following countermeasures can help prevent password hacks on Windows systems.
Some Windows passwords can be gleaned by simply reading the clear text or crackable ciphertext from the Windows Registry.
Secure your registries by doing the following:
- Allow only administrator access.
- Harden the operating system by using well‐known hardening best practices, such as those from SANS (www.sans.org), NIST (http://csrc.nist.gov) and the Center for Internet Security Benchmarks/Scoring Tools (www.cisecurity.org)
Other countermeasures to secure the Windows operating systems include:
- Keep all SAM database backup copies secure.
- Disable the storage of LM hashes in Windows for passwords that are shorter than 15 characters. For example, you can create and set the NoLMHash registry key to a value of 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControl Set\Control\Lsa.
- Use local or group security policies to help eliminate weak passwords on Windows systems before they’re created.
- Disable null sessions in your Windows version or enable the Windows Firewall.
- In Windows XP and later versions, enable the Do Not Allow Anonymous Enumeration of SAM Accounts and Shares option in the local security policy.
Linux and Unix
The following countermeasures can help prevent password cracks on Linux and UNIX systems:
- Ensure that your system is using shadowed MD5 passwords.
- Help prevent the creation of weak passwords. You can use either the built‐in operating system password filtering (such as cracklib in Linux) or a password‐auditing program (such as npasswd or passwd+).
- Check your /etc/passwd file for duplicate root UID entries. Hackers can exploit such entries to gain backdoor access.
Published on Wed 08 October 2014 by Ben Sanford in Security with tag(s): os security