RE: is the latest ISA2000 security update a dud?

  • From: "Thomas W Shinder" <tshinder@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 27 Jun 2005 07:48:40 -0500

Hi Zvonimir,
For WinXP/Win2k, I'm fairly sure it's 128 chars. I don't need to support
downlevel clients, so the 14 char limit isn't an issue.
 
Tom
www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls

 


________________________________

        From: Zvonimir Bilic [mailto:zbilic@xxxxxxxxxxxx] 
        Sent: Monday, June 27, 2005 7:46 AM
        To: [ISAserver.org Discussion List]
        Subject: [isalist] RE: is the latest ISA2000 security update a dud?
        
        
        http://www.ISAserver.org
        
        Hi Tom,
        I think that by default windows has a password limit of 14
        characters. How did you configure windows to allow passwords of
        more than 14 characters? Is there any documentation on this?
        Thanks,
        Zvonimir
        ----- Original Message ----- 
        From: "Thomas W Shinder" 
        To: "[ISAserver.org Discussion List]" 
        Sent: 6/27/2005 8:34AM 
        Subject: [isalist] RE: is the latest ISA2000 security update a dud?

        http://www.ISAserver.org
        
        Hi Dan,
        From what I understand (which could be wrong), they could
        capture the password hash over the wire, and run it against a
        Rainbow crack. That's why I've upgraded our password policy to
        24+ characters, since we use secure Exchange RPC to connect from
        places like airports and such.
         
        Tom
        www.isaserver.org/shinder
        Tom and Deb Shinder's Configuring ISA Server 2004
        http://tinyurl.com/3xqb7
        MVP -- ISA Firewalls

         


________________________________

                From: Ball, Dan [mailto:DBall@xxxxxxxxxxx] 
                Sent: Monday, June 27, 2005 7:29 AM
                To: [ISAserver.org Discussion List]
                Subject: [isalist] RE: is the latest ISA2000 security update a dud?
                
                
                http://www.ISAserver.org
                

                The good news is that so far all of the password
                cracking techniques I've found on the web only seem to
                work with "local" accounts, not domain accounts. So, if
                the computer is on the domain, the best they can get is
                a local administrator password. And if we set those with
                15 or more characters, a major portion of the problem is
                gone.

                 

                By no means am I saying it cannot be done, there are
                always ways to get through. But the average (beginner)
                malicious user attempting to bypass security will have a
                really hard time figuring it out. The vast majority of
                the pages found on the web won't help them.

                 

                
________________________________


                From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
                Sent: Sunday, June 26, 2005 08:23
                To: [ISAserver.org Discussion List]
                Subject: [isalist] RE: is the latest ISA2000 security update a dud?

                 

                http://www.ISAserver.org

                Configure the sites for Direct Access and use the
                Firewall client. IMO, enabling basic auth is a setup for
                password harvesting. It only has to happen once. Heck,
                I'm getting nervous using NTLM with fewer than 14 char
                passwords given the current state of Rainbow table tech.
                IPSec would remediate the whole situation, but how many
                companies are deploying IPSec for domain isolation?

                Tom
                www.isaserver.org/shinder
                Tom and Deb Shinder's Configuring ISA Server 2004
                http://tinyurl.com/3xqb7
                MVP -- ISA Firewalls
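As an added example (not part of this thread), here is a PowerShell check a defender can run on a Windows host for the two settings the discussion above turns on: a minimum password length of 15 or more, and the LSA NoLMHash value, either of which stops the 14-character-limited LM hash that rainbow tables target from being stored. The function names are assumptions; it assumes an elevated PowerShell session on Windows.

```powershell
# Added example, not from the thread: audit whether a Windows host can still
# store an LM hash. Assumes it runs elevated on Windows; function names are
# made up for this example.

function Get-MinimumPasswordLength {
    # 'net accounts' prints a line like "Minimum password length:   7"
    # (0 means no minimum is enforced).
    $line = (net accounts) | Where-Object { $_ -match 'Minimum password length' }
    if ($line -match '(\d+)\s*$') { return [int]$Matches[1] }
    return 0
}

function Test-LmHashExposure {
    $minLen = Get-MinimumPasswordLength
    $lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    # NoLMHash = 1 tells LSA not to store the LM hash at the next password change.
    $noLm   = (Get-ItemProperty -Path $lsa -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash

    # Windows cannot build an LM hash for a password longer than 14 characters,
    # so a 15+ minimum removes LM hashes as accounts rotate their passwords.
    $lengthDefeatsLm = ($minLen -ge 15)
    $noLmSet         = ($noLm -eq 1)

    [pscustomobject]@{
        MinimumPasswordLength = $minLen
        LengthDefeatsLmHash   = $lengthDefeatsLm
        NoLMHashPolicySet     = $noLmSet
        LmHashStillPossible   = -not ($lengthDefeatsLm -or $noLmSet)
    }
}

Test-LmHashExposure | Format-List
```

Existing accounts keep any LM hash already stored until their password is next changed, so a clean result here only covers passwords set after the policy took effect.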
