Password policy enforcement tools was RE: ADSI question
From: Eric Peeters (ml-feb2004 ibarras.com)
Date: Fri Aug 27 2004 - 16:26:15 CDT
Hijacking on this thread (with my apologies), I was wondering whether many admins use
third-party password policy enforcement tools and whether it has led to less password
cracking.
I use one such tool to reach what I think is a reasonable middle ground between the basic
Windows 2000 password settings and complex password requirements, and I find that I need
to crack my users' passwords less often. Since they now have no choice but to comply with
my password policy, password cracking has gone from being an enforcement tool to being a
way of checking that my policy is neither too loose nor too restrictive and fine-tuning
said policy accordingly.
Am I being too confident in a tool in performing fewer password crackings, or am I not
alone out there?
Eric Peeters
R. Ibarra's Inc.
-----Original Message-----
From: Bruce K. Marshall [mailto:bkml att.net]
Sent: Thursday, August 26, 2004 8:59 AM
To: Paul Aviles
Cc: focus-ms securityfocus.com
Subject: Re: ADSI question
Paul,
The only ways to measure a password's quality are to either guess it
(online) or crack it (offline). If you exported the LM password hashes you could tell
whether they were shorter than 8 characters, but any other info requires cracking. We've
been providing clients with 'password policy compliance' reports where we crack the
passwords and then compare the findings to their existing or planned policy.
If you do an in-place migration you'll still be stuck with the previous passwords. You
can turn on password complexity, but that won't be enforced until the next password
change.
Scripting can tell you some cool stuff, such as when the user last logged into the domain
and when they last changed their password. But it won't do anything related to password
quality.
----
Bruce K. Marshall - bmarshall securityps.com - 913-484-7233
Security Professional Services, Inc. - Kansas City
----- Original Message -----
From: "Paul Aviles" <paviles adjoined.com>
To: <focus-ms securityfocus.com>
Sent: Wednesday, August 25, 2004 11:30 AM
Subject: ADSI question
Is it possible to use ADSI to query user accounts and find if they are using a strong
password? Before using GPOs to enable it, I need to have an audit and show how many
people don't have them. Is this a property of the users?
Also, I believe that when you install AD in a new environment by default it has strong
password enabled. Is that the same when you do an in-place migration?
Thanks
Paul
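
The LM-hash length check mentioned in the thread above, as an added example that is not part of the original messages: LM hashes each 7-character half of the password separately, so an empty second half shows up as a fixed constant. The pwdump-style line layout, the function names and the sample hash values are assumptions constructed for illustration.

```python
"""Length-class audit from exported LM hashes (added example, pwdump-style input)."""
from collections import Counter

# LM pads the password to 14 characters and hashes each 7-character half
# on its own; an empty half always yields this constant.
EMPTY_HALF = "AAD3B435B51404EE"


def classify_lm(lm_hex):
    """Return the length class that can be read off an LM hash without cracking."""
    lm = lm_hex.strip().upper()
    if len(lm) != 32 or any(c not in "0123456789ABCDEF" for c in lm):
        return "invalid"
    first, second = lm[:16], lm[16:]
    if first == EMPTY_HALF and second == EMPTY_HALF:
        # Blank password, or no usable LM hash stored (e.g. 15+ characters).
        return "no-lm-or-blank"
    if second == EMPTY_HALF:
        return "under-8"
    return "8-to-14"


def audit(lines):
    """Map account name -> length class for lines shaped user:rid:LM:NT:::"""
    results = {}
    for line in lines:
        fields = line.strip().split(":")
        if len(fields) < 4 or not fields[0]:
            continue  # skip blank or malformed lines
        results[fields[0]] = classify_lm(fields[2])
    return results


# Constructed sample export; the hash values are placeholders, not real hashes.
NT = "0" * 32
SAMPLE = [
    "alice:1001:" + "1122334455667788" + EMPTY_HALF + ":" + NT + ":::",
    "bob:1002:" + "1122334455667788" + "99AABBCCDDEEFF00" + ":" + NT + ":::",
    "carol:1003:" + EMPTY_HALF + EMPTY_HALF + ":" + NT + ":::",
    "dave:1004:NO PASSWORD*********************:" + NT + ":::",
]

if __name__ == "__main__":
    report = audit(SAMPLE)
    for user, cls in report.items():
        print(f"{user:8} {cls}")
    print(dict(Counter(report.values())))
```

Anything beyond the length class (character mix, dictionary words) is not visible in the hash itself, which is why the thread falls back to cracking for the rest of the policy comparison.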