Overlooked Features of Windows Security - Key Area No. 1: Password Strength
(Page 2 of 4 )
Readers should consider Craddock's theme in this paper to be "Are you making the most of what you have?" In most cases the answer is no, which is why these tips will show companies how to benefit from and improve their security with technologies they'vealready purchased in the base Microsoft OS license.
The first key area is password strength because, as unbelievable as it may sound, many organizations have been found guilty of usingveryweak passwords to protectveryimportant information. Simply put, an inadequate password for even an administration account is inexcusable.
Obviously, the problem with weak passwords is that they can be easily guessed. Even if the authentication protocol is usingKerberos, it is possible to capture the Kerberos pre-authentication packet from the network and perform an offline dictionary attack, so strong passwords are a must.
This is why Craddock recommends using a password generator, which can provide a very strong, if not unusual password. Of course the password may be very difficult to remember, but that is why Craddock suggests users think about pass phrases. Users should consider taking something that's recently happened to them, like the purchase of a new car, and turning it into their pass phrase. Take, "I just bought an expensive car," and jazz it up to create the perfect pass phrase: "$$ My Car Cost 10,000 $$".
Key Area No. 2: Administrative Access
Craddock recommends that all administrators abide by the same mantra: never log on to a system with more privileges than needed to do the task in hand. This is the principle of least privilege access. If a user is doing a non-administrative task, they should log on as an ordinary user.
The reason they should do so is because of a Microsoft-introduced User Account Control (UAC) in Vista. UAC prompts the user to elevate their privileges every time the Microsoft OS license or an application requires administrative privileges. If a user logs on as an administrator, their administrative privileges are stripped from their security token. Then, when the user requires administrative access, the UAC dialog pops up.
The frequency with which the UAC pops up has made grown men and women cry, which is why they routinely disable it. Keep in mind that UAC is a good thing and its use should be encouraged. To help push the UAC=good theory along, Microsoft is making a considerable number of changes for Windows 7.
It has been reported that one of the key changes will be the introduction of the UAC Control Panel. The control panel will make it possible to change the behavior of UAC. For example, if a user is logged on as an administrator, UAC can silently elevate when Windows settings are to be changed, but prompt the user when an application requires administrative privileges.
Next: Key Area No. 3: Updates Management >>
More Windows Security Articles
More By Joe Eitel
