RE: is the latest ISA2000 security update a dud?

  • From: "Zvonimir Bilic" <zbilic@xxxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 27 Jun 2005 08:45:30 -0400

Hi Tom,
I think that by default Windows has a password limit of 14 characters. How did 
you configure Windows to allow passwords of more than 14 characters? Is there any 
documentation on this?
Thanks,
Zvonimir
----- Original Message ----- 
From: "Thomas W Shinder" 
To: "[ISAserver.org Discussion List]" 
Sent: 6/27/2005 8:34AM 
Subject: [isalist] RE: is the latest ISA2000 security update a dud? 


http://www.ISAserver.org

Hi Dan,
From what I understand (which could be wrong), they could capture the password 
hash over the wire, and run it against a Rainbow crack. That's why I've 
upgraded our password policy to 24+ characters, since we use secure Exchange 
RPC to connect from places like airports and such.

Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls





From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
Sent: Monday, June 27, 2005 7:29 AM
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: is the latest ISA2000 security update a dud?


http://www.ISAserver.org

The good news is that so far all of the password cracking techniques I've found 
on the web only seem to work with "local" accounts, not domain accounts.  So, 
if the computer is on the domain, the best they can get is a local 
administrator password.  And if we set those with 15 or more characters, a 
major portion of the problem is gone.
 
By no means am I saying it cannot be done, there are always ways to get 
through.  But the average (beginner) malicious user attempting to bypass 
security will have a really hard time figuring it out.  The vast majority of 
the pages found on the web won't help them.
 



From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Sunday, June 26, 2005 08:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: is the latest ISA2000 security update a dud?
 
http://www.ISAserver.org
Configure the sites for Direct Access and use the Firewall client. IMO, 
enabling basic auth is a setup for password harvesting. It only has to happen 
once. Heck, I'm getting nervous using NTLM with fewer than 14 char passwords 
given the current state of Rainbow table tech. IPSec would remediate the whole 
situation, but how many companies are deploying IPSec for domain isolation?
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
------------------------------------------------------
List Archives: http://www.webelists.com/cgi/lyris.pl?enter=isalist
ISA Server Newsletter: http://www.isaserver.org/pages/newsletter.asp
ISA Server FAQ: http://www.isaserver.org/pages/larticle.asp?type=FAQ
------------------------------------------------------
Other Internet Software Marketing Sites:
World of Windows Networking: http://www.windowsnetworking.com
Leading Network Software Directory: http://www.serverfiles.com
No.1 Exchange Server Resource Site: http://www.msexchange.org
Windows Security Resource Site: http://www.windowsecurity.com/
Network Security Library: http://www.secinf.net/
Windows 2000/NT Fax Solutions: http://www.ntfaxfaq.com
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
tshinder@xxxxxxxxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx 
------------------------------------------------------
You are currently subscribed to this ISAserver.org Discussion List as: 
zbilic@xxxxxxxxxxxx
To unsubscribe visit http://www.webelists.com/cgi/lyris.pl?enter=isalist
Report abuse to listadmin@xxxxxxxxxxxxx