Best explanation of W2000 security structure, passwords, logins, etc?


Pollock

What is the best available explanation of W2000's password security
structure, i.e., how to administer passwords?

Tony Northrup has an article on
http://www.eu.microsoft.com/technet/security/protech/network/firewalls.
But though this seems good, it is frankly not very usable, since it
wouldn't print (diagrams disappear), or save (same problem).
Microsoft newsgroups isn't much help either, it doesn't alert when
there's an answer to a posting. Who remembers to what group they
posted? Clearly, I need some other source of information on W2000
passwords/security.

Any good suggestions? Where I can get a crash-course in the
password/security aspect of W2000?

(I have a home network with a router, and four W2000 computers. To
date, we've got by without passwords or logins. This now seems
unacceptably risky. But without understanding W2000's security
system, I'm loath to assign passwords. I simply don't understand the
system-wide implications, i.e., how it would impact my day-to-day
usage).
 

Herb Martin

> What is the best available explanation of W2000's password security
> structure, i.e., how to administer passwords?

Do you want "Structure" or "How to administer"?

Structure is probably best explained in "Inside Win2000" (MSPress, title might
be off a little, e.g., "Inside Win2000 Server" and there is an older but still
relevant "Inside Windows NT".) Perhaps MSDN DevLib too.

Administration is probably best explained in TechNet or by you asking some
specific questions.

My advice: LONG passwords, greater than 14 characters, with COMPLEXITY.
Most important thing is to teach your users to pick them well.
Then try to crack them (with permission and authority of management.)

> (I have a home network with a router, and four W2000 computers. To
> date, we've got by without passwords or logins. This now seems
> unacceptably risky.

That's just silly if you are on the Internet.

> But without understanding W2000's security
> system, I'm loath to assign passwords. I simply don't understand the
> system-wide implications, i.e., how it would impact my day-to-day
> usage).

The implications are that anyone who can reach your machine can OWN
IT.

Assign passwords NOW -- make sure you know them (write them down
if you must SINCE you are at home.)
 

Steven L Umbach

Passwords are used of course to protect computers and network resources. A home
environment is a bit different than the typical office/etc in that users are probably
all trusted. If you want to assign different passwords to each user, then you will
need to have a user account on each computer that you want to allow that user to have
access to even if it is network resources unless you enable the guest account which I
do not recommend.

Good password policy is a multi-part process that may involve defining how long the
password must be, its complexity, how long it is good for, and how soon it can be
reused. Another important part is the lockout policy which dictates if an account can
be locked out after a certain number of bad guesses and how long it stays locked out
for. For your situation, a lockout threshold of 10 and a lockout period of 5 minutes
should be plenty good to protect your computers from brute force or dictionary
attacks. Home network users should generally not need to change their password very
often unlike a business environment unless you feel your computers have been
compromised. Enabling auditing of account logon and logon events for success and
failure may be helpful also to see who is using computers and when and if someone is
trying to access an account that they should not be doing.

A properly configured firewall should keep your network safe from hackers trying to
guess your passwords to gain access, especially if you do not have any hole opened in
it for access to any services on your network. You can go to
http://scan.sygatetech.com/ to do a basic vulnerability assessment of your firewall.

The administrator account is of special importance and is the top target for hackers
and even some trojans because of its power and the fact that it cannot be locked
out - at least for interactive logon. It can be locked out for network logon with the
passprop Resource Kit utility. Because of its special significance, the administrator
account should be renamed and given a complex password, maybe something like Tl8y$g5!
for your home network. An actual domain administrator password would even need to be
much more complex. It is also good practice to avoid logging on with an
administrator account unless you need to use it for some particular reason. But again
for a home user that is not as important [though it is more of a risk if a trojan
shows up] and I am guilty of always using mine. --- Steve

http://tinyurl.com/gt83
http://www.securityfocus.com/infocus/1554/
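
An added example, not part of the thread: one way to review the logon auditing Steve describes, flagging any account that collects failed logons at the suggested lockout threshold (10 within 5 minutes). The log lines are constructed, the comma-separated export layout and the account name `homeadmin` are assumptions, and the event IDs are the Windows 2000 Security log IDs for successful logon (528), bad user name or password (529) and logon refused because the account is locked out (539).

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Windows 2000 Security log event IDs in the "Audit logon events" category.
LOGON_OK, LOGON_BAD_PASSWORD, LOGON_LOCKED_OUT = 528, 529, 539

def build_sample_log():
    """Constructed sample export (assumed layout): timestamp,event_id,account,source."""
    rows = ["2003-06-01 19:02:11,528,alice,PC1"]
    start = datetime(2003, 6, 1, 23, 40, 0)
    # Ten bad-password failures against the renamed admin account, 10 s apart.
    for i in range(10):
        ts = start + timedelta(seconds=10 * i)
        rows.append(f"{ts:%Y-%m-%d %H:%M:%S},529,homeadmin,PC3")
    # Further attempts are refused because the account is now locked out.
    rows.append("2003-06-01 23:41:40,539,homeadmin,PC3")
    rows.append("2003-06-01 23:41:50,539,homeadmin,PC3")
    # Ordinary typos by a family member, hours apart.
    rows.append("2003-06-02 08:15:00,529,bob,PC2")
    rows.append("2003-06-02 08:15:20,528,bob,PC2")
    rows.append("2003-06-02 17:30:00,529,bob,PC2")
    return "\n".join(rows)

def review_logons(log_text, threshold=10, window=timedelta(minutes=5)):
    """Return {account: finding} for accounts that look like guessing targets."""
    recent = defaultdict(deque)   # account -> timestamps of recent failures
    findings = {}
    for ts, event_id, account, source in csv.reader(StringIO(log_text)):
        when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
        event_id = int(event_id)
        if event_id == LOGON_BAD_PASSWORD:
            q = recent[account]
            q.append(when)
            while when - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold:
                findings.setdefault(account, {"burst_from": source, "locked_out": False})
        elif event_id == LOGON_LOCKED_OUT and account in findings:
            findings[account]["locked_out"] = True
    return findings

if __name__ == "__main__":
    for account, finding in review_logons(build_sample_log()).items():
        print(account, finding)
```

Occasional mistyped passwords stay below the threshold and are not reported; only the burst that reaches it is, together with whether the lockout then took effect.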
 
