Security Policy
Many security "experts" are running around these days mumbling about rainbow tables and telling us how they can crack any Windows password in 2 seconds. "Windows security sucks!" they say. Well, I'm here to tell you that if you take 10 steps to increase password security, would-be intruders can crack all day, but they won't get your Windows logon passwords.
Before you take any action, however, it's a good idea to become familiar with password authentication mechanics and to learn what types of password attacks are in use today. That way, you'll know not only how to protect yourself but also what you're protecting yourself from.
Password Authentication
Although Windows uses many types of authentication credentials (e.g., the Credential Manager cache, trusts, Local Security Authority—LSA—secrets), the 10 tips I provide are specifically for Windows logon passwords. Nevertheless, the lessons learned here often apply to other forms of authentication (e.g., smart cards, biometrics) and other types of authentication credentials.
For users to be authenticated for logon, they must supply their unique network logon identity (i.e., logon name) and password. By supplying a password that only he or she supposedly knows, the user proves ownership of the identity and can request access to protected resources. When a user first sets a password, it's stored in a password credential database. In Windows, there are only two authentication databases: the SAM and Active Directory (AD). The SAM database is used for local logons and for logons to Windows NT domains. The AD database is used for logons to Windows 2000 and later domains.
When the user inputs his or her password, the Windows logon processes (e.g., winlogon.exe, msgina.dll) convert the plaintext password to its password hash equivalent, and it's the hash, not the plaintext, that's kept in the credential database and compared at logon. A good password hash outputs a consistent value for a given password, makes it computationally infeasible to find two different passwords that produce the same hash, and makes recovering the original plaintext from the hash infeasible for someone who doesn't already know the password. An attacker who steals the hashes is therefore reduced to guessing: hash a candidate password, compare it with the stolen value, repeat.
Some password hash schemes, but not Windows', combine the password with a random per-account value, called a salt, before hashing. A salt doesn't make one hash any harder to compute; its job is to ensure that two accounts with the same password get different stored hashes and, more important, that an attacker can't compute a lookup table once and reuse it against every account (a rainbow table is a compressed form of exactly such a table). Without a salt, the attacker pays the cost of hashing a candidate password once and can then check it against every hash in every database he ever steals with a simple lookup; with a salt, each account has to be attacked from scratch. It's unfortunate that neither of Windows' password hashes uses a salt.
Windows Password Hashes
The SAM and AD store passwords in their hashed form under the assumption that if the database is compromised, the passwords won't be immediately compromised as well. Fully patched versions of Windows 98 and later OSs are capable of two types of password hashes: LAN Manager (LM) and NT. The LM password hash was invented by IBM and first used by Microsoft more than a decade ago. The LM hash turned out to be a very weak hash algorithm and is easy to compromise: the password is converted to uppercase, padded or truncated to 14 characters, and split into two 7-character halves, each of which is used as a DES key to encrypt a fixed constant. The two halves can be cracked independently, uppercasing throws away the case of every letter, and any password of 7 characters or fewer produces a known, constant second half (AAD3B435B51404EE). The effective keyspace is so small that any skillful password hacker can convert an LM password hash to its plaintext original in seconds.
Microsoft subsequently created the NT hash for NT. It's an unsalted MD4 hash of the Unicode (UTF-16LE) password, so it's case sensitive, isn't split into halves, and accepts passwords longer than 14 characters. Although not uncrackable, the NT hash is significantly more difficult to crack than the LM hash. If a password is sufficiently long and complex (more on that later), a hacker can require days or months to convert the NT hash to its plaintext original. Unfortunately, NT and later versions of Windows by default store both hash values for every password, so an attacker who steals the database simply ignores the NT hash and cracks the LM hash instead. The simple step of disabling the storage of LM hashes (the NoLMHash setting, exposed in Group Policy as Network security: Do not store LAN Manager hash value on next password change) significantly increases your network's password security. Two caveats: the setting takes effect only when each password is next changed, so existing LM hashes remain in the database until then, and passwords of 15 or more characters never get a real LM hash at all because they can't fit the 14-character LM format.
Authentication Protocols
Win2K and later can use four authentication protocols: LAN Manager, NTLM, NTLMv2, and Kerberos. LAN Manager was the original protocol; its challenge-response is built directly on the weak LM hash, so if LAN Manager authentication traffic is sniffed off the network, compromising the password is trivial. Microsoft released the NTLM protocol with NT, but that protocol was later found to contain flaws. Microsoft then developed NTLMv2, first delivered in NT 4.0 Service Pack 4 and included in Win2K. That version has withstood the test of time and