RE: is the latest ISA2000 security update a dud?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 27 Jun 2005 07:34:25 -0500

Hi Dan,
From what I understand (which could be wrong), they could capture the
password hash over the wire, and run it against a Rainbow crack. That's
why I've upgraded our password policy to 24+ characters, since we use
secure Exchange RPC to connect from places like airports and such.
 
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 


________________________________

        From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
        Sent: Monday, June 27, 2005 7:29 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: is the latest ISA2000 security update a dud?

        The good news is that so far all of the password cracking
        techniques I've found on the web only seem to work with "local"
        accounts, not domain accounts. So, if the computer is on the domain,
        the best they can get is a local administrator password. And if we set
        those with 15 or more characters, a major portion of the problem is
        gone.

        By no means am I saying it cannot be done, there are always ways
        to get through. But the average (beginner) malicious user attempting to
        bypass security will have a really hard time figuring it out. The vast
        majority of the pages found on the web won't help them.

        
________________________________


        From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
        Sent: Sunday, June 26, 2005 08:23
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: is the latest ISA2000 security update a dud?

        Configure the sites for Direct Access and use the Firewall
        client. IMO, enabling basic auth is a setup for password harvesting. It
        only has to happen once. Heck, I'm getting nervous using NTLM with fewer
        than 14 char passwords given the current state of Rainbow table tech.
        IPSec would remediate the whole situation, but how many companies are
        deploying IPSec for domain isolation?

        Tom
        www.isaserver.org/shinder
        Tom and Deb Shinder's Configuring ISA Server 2004
        http://tinyurl.com/3xqb7
        MVP -- ISA Firewalls

