Hi Dan,

From what I understand (which could be wrong), they could capture the password hash over the wire, and run it against a Rainbow crack. That's why I've upgraded our password policy to 24+ characters, since we use secure Exchange RPC to connect from places like airports and such.

Tom
www.isaserver.org/shinder <http://www.isaserver.org/shinder>
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls

________________________________
From: Ball, Dan [mailto:DBall@xxxxxxxxxxx]
Sent: Monday, June 27, 2005 7:29 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: is the latest ISA2000 security update a dud?

http://www.ISAserver.org

The good news is that so far all of the password cracking techniques I've found on the web only seem to work with "local" accounts, not domain accounts. So, if the computer is on the domain, the best they can get is a local administrator password. And if we set those with 15 or more characters, a major portion of the problem is gone.

By no means am I saying it cannot be done; there are always ways to get through. But the average (beginner) malicious user attempting to bypass security will have a really hard time figuring it out. The vast majority of the pages found on the web won't help them.

________________________________
From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx]
Sent: Sunday, June 26, 2005 08:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: is the latest ISA2000 security update a dud?

http://www.ISAserver.org

Configure the sites for Direct Access and use the Firewall client. IMO, enabling basic auth is a setup for password harvesting. It only has to happen once. Heck, I'm getting nervous using NTLM with fewer than 14 char passwords given the current state of Rainbow table tech. IPSec would remediate the whole situation, but how many companies are deploying IPSec for domain isolation?
Tom
www.isaserver.org/shinder <http://www.isaserver.org/shinder>
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7 <http://tinyurl.com/3xqb7>
MVP -- ISA Firewalls