This tip will be the first of a series of articles on Windows security strategies. Make sure to check back each week for new Windows "how-to" advice.
TABLE OF CONTENTS
Windows password security: Systems tools and policy
Securing Windows services to prevent hacker attacks
How to prevent SQL Server and Internet Explorer hack attacks
How to detect and remove rootkits with Windows encryption
Windows security: Remote Desktop, hosts file and keyboard lock down
Back in part one of this series about Windows security strategy, we said that you should never, never leave a Windows password entry blank and always, always make it a strong one. That was good advice, and is worth repeating.
The importance of strong passwords is so often overlooked that it makes security professionals despair. Do not let your organisation fall into the trap of valuing simplicity over security.
Windows tools and password security policy
Windows comes complete with tools to ensure that all users are forced to remember the importance of strong Windows passwords, and can actually prevent them from using anything but. The local security policy applet enables password policy options that require all passwords to meet complexity requirements. The relevant option in this case, oddly enough, is called 'Password must meet complexity requirements' and can be found in Windows 2000, Vista and Server 2008.
By meeting complexity requirements, it demands that all Windows passwords must be at least six characters long and include at least three uppercase, lowercase, numerals and non-alphanumerics amongst them. The same policy applet allows an account-lockout threshold to prevent automated dictionary attacks or thwart persistent guessers, who might get lucky eventually. Set this low; a maximum threshold of four should be plenty to allow for drunken users and typos. While you are at it, set a maximum password age of no more than 30 days and make the minimum character count eight for good measure.
How to create Windows password security
Although everyone has, it seems, their own preferred method for creating 'strong' passwords, some work better in practice than others. There remains, however, a basic set of dos and don'ts that should always be applied:
- Do not use dictionary words (English language or foreign) or proper nouns for that matter. Password cracking tools will break those apart quickly indeed.
- Do not use backwards words, the password crackers have already thought of reversing dictionaries.
- Do not use personal data such as family names, important dates, telephone numbers and so on. They really are too simple to guess for even the novice social engineer.
- Do think longer and wider. In other words, use more characters and more non-alphanumeric characters.
- Do think about depth, such as the use of mnemonics, to remember a complex password without writing it down.
Security by least privilege
If a password does get cracked, mimimise the risk by always ensuring that account authorisation is done on a 'least privilege' basis. Hackers love to get access to any account on a Windows machine or network because all too often this means they can escalate upwards through increasingly more privileged accounts and gain even more control.
To thwart the risk, restrict interactive login privileges, restrict access to critical system binaries (cmd.exe springs to mind here) for damage limitation, and restrict system booting to 'from hard disk only' to prevent physical privilege escalation. Windows XP SP2 users can add a Windows Registry key to access more powerful software restriction policies with levels including 'restricted' and 'untrusted.' Obviously all Windows Registry hacking is done entirely at your own risk, and backups are essential, but the key to add to HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers is:
About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.
This was first published in October 2008