You can implement various operating system security measures to ensure that passwords are protected.
Windows
The following countermeasures can help prevent password hacks on Windows systems:
- Some Windows passwords can be gleaned by simply reading the cleartext or crackable ciphertext from the Windows Registry. Secure your registries by doing the following:
- Allow only administrator access.
- Harden the operating system by using well-known hardening best practices, such as those from SANS ( www.sans.org ), NIST ( http://csrc.nist.gov ), the Center for Internet Security Benchmarks/Scoring Tools ( www.cisecurity.org ), and the ones outlined in Network Security For Dummies by Chey Cobb.
- Keep all SAM database backup copies secure.
- Disable the storage of LM hashes in Windows for passwords that are shorter than 15 characters.
For example, you can create and set the NoLMHash registry key to a value of 1
under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa. - Use local or group security policies to help eliminate weak passwords on Windows systems before they’re created.
- Disable null sessions in your Windows version or enable the Windows Firewall.
- In Windows XP and later versions, enable the Do Not Allow Anonymous Enumeration of SAM Accounts and Shares option in the local security policy.
Linux and UNIX
The following countermeasures can help prevent password cracks on Linux and UNIX systems:
- Ensure that your system is using shadowed MD5 passwords.
- Help prevent the creation of weak passwords. You can use either the built-in operating system password filtering (such as cracklib in Linux) or a password-auditing program (such as npasswd or passwd+).
- Check your /etc/passwd file for duplicate root UID entries. Hackers can exploit such entries to gain backdoor access.
