RE: is the latest ISA2000 security update a dud?

  • From: "Ball, Dan" <DBall@xxxxxxxxxxx>
  • To: "[ISAserver.org Discussion List]" <isalist@xxxxxxxxxxxxx>
  • Date: Mon, 27 Jun 2005 08:28:36 -0400

The good news is that so far all of the password cracking techniques
I've found on the web only seem to work with "local" accounts, not
domain accounts.  So, if the computer is on the domain, the best they
can get is a local administrator password.  And if we set those with 15
or more characters, a major portion of the problem is gone.
By no means am I saying it cannot be done; there are always ways to get
through.  But the average (beginner) malicious user attempting to bypass
security will have a really hard time figuring it out.  The vast
majority of the pages found on the web won't help them.
________________________________

From: Thomas W Shinder [mailto:tshinder@xxxxxxxxxxx] 
Sent: Sunday, June 26, 2005 08:23
To: [ISAserver.org Discussion List]
Subject: [isalist] RE: is the latest ISA2000 security update a dud?
http://www.ISAserver.org

Configure the sites for Direct Access and use the Firewall client. IMO,
enabling basic auth is a setup for password harvesting. It only has to
happen once. Heck, I'm getting nervous using NTLM with fewer than 14
char passwords given the current state of Rainbow table tech. IPSec
would remediate the whole situation, but how many companies are
deploying IPSec for domain isolation?

Tom
http://www.isaserver.org/shinder
Tom and Deb Shinder's Configuring ISA Server 2004
http://tinyurl.com/3xqb7
MVP -- ISA Firewalls
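Both messages above turn on the same threshold: Tom worries about NTLM logons with passwords shorter than 14 characters, and Dan's mitigation is to set local administrator passwords to 15 or more. The reason those two numbers line up is the LM hash, which Windows computes only for passwords of 14 characters or fewer and which is the hash the rainbow-table tooling of that era targeted. The PowerShell below is an added audit example, not code from either poster or from ISAserver.org. It assumes a Windows host with local administrator rights (needed for `secedit` and for reading the `Lsa` registry key), and it reports whether the host either enforces a minimum length that rules out an LM hash or has LM hash storage disabled outright via the `NoLMHash` value.

```powershell
# Added audit example (not from the mailing-list thread).
# Checks two controls that keep the 14-character-limited LM hash off a host:
#   1. a minimum password length policy at or above Dan's 15-character figure
#   2. the Lsa\NoLMHash registry value, which disables LM hash storage entirely
# Assumes: Windows PowerShell, run elevated (secedit export needs admin rights).

function Get-LocalPasswordPolicyAudit {
    param(
        # Threshold taken from Dan's message: 15 or more characters.
        [int]$MinLength = 15
    )

    # Export the effective local security policy; MinimumPasswordLength sits
    # under the [System Access] section of the exported .inf file.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    & secedit.exe /export /cfg $cfg | Out-Null
    $match = Select-String -Path $cfg -Pattern '^MinimumPasswordLength\s*=\s*(\d+)'
    $policyMin = if ($match) { [int]$match.Matches[0].Groups[1].Value } else { 0 }
    Remove-Item $cfg -ErrorAction SilentlyContinue

    # NoLMHash = 1 means the LM hash is never stored, regardless of length.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                            -ErrorAction SilentlyContinue
    $noLmHash = [bool]($lsa -and $lsa.NoLMHash -eq 1)

    # Either control removes the LM hash; having both is the defensible state.
    $mitigated = $noLmHash -or ($policyMin -ge $MinLength)

    [pscustomobject]@{
        MinimumPasswordLength = $policyMin
        MeetsLengthGuidance   = ($policyMin -ge $MinLength)
        NoLMHash              = $noLmHash
        LMHashExposure        = if ($mitigated) { 'mitigated' } else { 'exposed' }
    }
}

Get-LocalPasswordPolicyAudit | Format-List
```

The length check covers the policy that applies to every local account on the host, which is broader than Dan's "local administrator" case but is the setting an administrator actually controls; a host that reports `exposed` on both columns is the situation Tom describes, where a single captured authentication exchange is enough to recover the password offline.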
