Poorly secured user accounts are one of the main routes by which an attacker breaks into a system. A careful account administrator can avoid many potential problems by choosing strong passwords, applying effective policies, building the habit of notifying users, and assigning only the permissions that are appropriate. All of these measures must conform to the organisation's security structure standards. Implementing the whole process is complex and requires the cooperation of many users, and not all of those users have to be involved for a small intrusion to succeed.
Within the overall security policy, the security of local accounts is very important. In this lesson we explore different methods of protecting local accounts.
Key points of this chapter:
· Describe the relationship between account security and passwords
· Implement secure-account techniques on Windows NT and UNIX systems
· Steps for implementing password policies under NT
· Describe UNIX password security and the password file format
· Analyze security threats in UNIX, deny account access, and monitor accounts
Password importance
Passwords are the core of UNIX and Windows NT security. If a password is compromised, the basic security mechanisms and models are severely undermined. To obtain strong passwords you need to set additional options in the account policy, and you also need to help users choose strong passwords.
A strong password must contain characters from at least three of the following four classes:
· Uppercase letters
· Lowercase letters
· Digits
· Non-alphanumeric characters, such as punctuation marks
Strong passwords must comply with the following rules:
· Do not use common names or nicknames
· Do not use ordinary personal information, such as your date of birth
· Do not repeat letters or digits
· Use at least eight characters
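The rules above as a checker, added here as an example that is not part of the lesson. It implements the three-of-four character-class rule and the four listed rules; it reads "do not repeat letters or digits" as no character repeated consecutively, and it treats names, nicknames and personal information as a caller-supplied word list. All function names are this example's own.

```python
def char_classes(pw):
    """Return the set of character classes present in pw:
    upper, lower, digit, other (non-alphanumeric such as punctuation)."""
    classes = set()
    for c in pw:
        if c.isupper():
            classes.add("upper")
        elif c.islower():
            classes.add("lower")
        elif c.isdigit():
            classes.add("digit")
        else:
            classes.add("other")
    return classes


def contains_part_of(pw, word, minlen=3):
    """True if any run of `minlen` or more characters of `word` appears in pw
    (case-insensitive), so 'steven', 'ste' and 'even' are all caught."""
    pw, word = pw.lower(), word.lower()
    if len(word) < minlen:
        return word in pw
    return any(word[i:i + minlen] in pw for i in range(len(word) - minlen + 1))


def password_problems(pw, username="", personal_info=()):
    """Return the list of rules the password violates; an empty list means strong.
    personal_info is a constructed list of words the user must not use
    (real name, nickname, date of birth, ...)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if len(char_classes(pw)) < 3:
        problems.append("fewer than 3 of the 4 character classes")
    # This example's reading of "no duplicate letters or numbers":
    # the same character twice in a row ("aa", "11").
    if any(a == b for a, b in zip(pw, pw[1:])):
        problems.append("repeats a letter or digit consecutively")
    if username and contains_part_of(pw, username):
        problems.append("contains part of the user name")
    for word in personal_info:
        if word and contains_part_of(pw, word):
            problems.append(f"contains personal information ({word})")
    return problems


def is_strong_password(pw, username="", personal_info=()):
    return not password_problems(pw, username, personal_info)


if __name__ == "__main__":
    # Constructed sample: user steven, born 1980-01-01.
    for candidate in ("password", "Steven2024!", "Tr0ub&dr!"):
        print(candidate, password_problems(candidate, "steven", ("Steven", "19800101")))
```

A rejected password is reported with every rule it breaks rather than only the first, which is what a help desk needs when explaining to the user why a choice was refused.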
Think from the attacker's perspective about how a password could easily be guessed or discovered (for example, do not write it on a piece of paper kept in a drawer).
Password security under NT
To enforce strong passwords in NT, you change an LSA value in the registry so that a password filter called passfilt.dll is loaded; the filter ships with Service Pack 2 and later versions of Windows NT. Add the value passfilt.dll to the Notification Packages string under the LSA key. This value must be added on every domain controller in the company. You also use the passprop.exe program to make passfilt.dll take effect.
Password Security in UNIX
In UNIX, the encrypted password information is stored in a file, usually /etc/passwd, so maintaining the security of this file is very important. Its owner is the account with the highest privileges, root. UNIX basically has two types of user: ordinary users and privileged users. Privileged users are not always literally called superusers; what actually defines a superuser account is that its identification number is zero. When an account is created it is assigned a unique ID number (UID). Numbering starts at 0, and the lowest number (that is, the highest privilege) is assigned to the login account root. Root can execute any program, open any directory, inspect any file, and change the attributes of any object in the system. Any hacker who attacks a UNIX system ultimately aims to obtain the root account.
Root owns the /etc/passwd file, but the file is readable by every logged-in user, and it contains the authentication information of each user. Therefore, on a plain UNIX system anyone can copy the contents of this file and work out which field holds the encrypted password, then encrypt a series of candidate passwords and compare the results with the encrypted strings from /etc/passwd. This is why password selection is the most important level of security on UNIX systems.
Windows NT account Security
The first, and also the most difficult, task is to ensure that only necessary accounts exist and that each account has only the minimum permissions needed to do its work. In a large company, one or more user domains are usually used to manage all user accounts centrally. A domain is a centralized account database that can be distributed across the company, so experienced administrators try to place users in as few domains as possible for ease of management. Such restrictions usually promote adherence to company policy. Local resources are created, and their permissions managed, through local groups, and machines holding local resources must be configured to trust the centralized account domain. Sometimes this arrangement is not feasible, however, because there is not enough bandwidth to the remote site.
Several techniques address account security issues. One of the main concerns is to make sure that no new account has been created and that the permissions of existing accounts have not been modified. A simple method is to use the net user and net group commands and redirect their output into a baseline file for comparison. By running these commands regularly and comparing the account lists in the output files you can easily spot problems. Built-in tools such as the system task scheduler can run the commands automatically, and external tools such as Perl or diff can compare the baseline list with the current settings automatically.
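The comparison described above, written as an added example that is not part of the lesson: a small Python script that parses the listing format printed by net user and net group (a dashed separator line, then names, then "The command completed successfully.") and reports accounts or group members that appear in the current listing but not in the baseline, or vice versa. The listings below are constructed samples, not real output from any system; the parser assumes that names in a row are separated by two or more spaces, which is how the fixed-width columns of these commands come out.

```python
import re

# Constructed baseline and current output of "net user" (not real systems).
BASELINE_NET_USER = r"""User accounts for \\FILESRV

-------------------------------------------------------------------------------
Administrator            Guest                    steven
The command completed successfully.
"""

CURRENT_NET_USER = r"""User accounts for \\FILESRV

-------------------------------------------------------------------------------
Administrator            Guest                    steven
support_tmp
The command completed successfully.
"""

# Constructed baseline and current output of "net group "Domain Admins"".
BASELINE_DOMAIN_ADMINS = """Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            steven
The command completed successfully.
"""

CURRENT_DOMAIN_ADMINS = """Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            steven                   support_tmp
The command completed successfully.
"""


def parse_net_listing(text):
    """Return the set of names listed between the dashed separator and the
    'The command completed' footer.  Rows hold several fixed-width columns,
    so names are split on runs of two or more spaces."""
    names = set()
    in_body = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_body = True
            continue
        if line.startswith("The command completed"):
            break
        if in_body and line.strip():
            names.update(re.split(r"\s{2,}", line.strip()))
    return names


def compare_listings(baseline_text, current_text):
    """Diff two listings; anything 'added' is an account or membership
    that was not in the approved baseline and needs investigation."""
    base = parse_net_listing(baseline_text)
    cur = parse_net_listing(current_text)
    return {"added": sorted(cur - base), "removed": sorted(base - cur)}


if __name__ == "__main__":
    print("accounts:", compare_listings(BASELINE_NET_USER, CURRENT_NET_USER))
    print("Domain Admins:", compare_listings(BASELINE_DOMAIN_ADMINS, CURRENT_DOMAIN_ADMINS))
```

In practice the baseline file is captured once, after the account list has been reviewed, and the current listing is regenerated by the scheduled job; the same parser serves both net user and net group because both print the same separator and footer.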
Account rename
Another reliable measure is to rename the default accounts, including Administrator, Guest, and any accounts created automatically when installing software (such as IIS). These accounts must be well protected because they are attractive targets. Simply renaming an account does not hide it, however, because Windows NT must know which account is the administrator account, and the current name of the Administrator account is stored in the registry.
Account Policy
To keep the user database intact, the account settings must force users into good habits that effectively prevent hackers from using brute-force cracking. On Windows NT these settings are made mainly through the account policy, which is configured in User Manager for Domains: select User Permissions from the Policies menu. The settings are, first, the password validity period, then the password length limit, and account lockout.
Implement strong passwords
In most cases, simply getting users into the habit of using passwords is not enough; stronger passwords are needed to defend effectively against dictionary attacks and brute-force cracking. As discussed earlier, a strong password must contain at least six characters, must not contain any part of the user name, and must include at least uppercase and lowercase letters, digits, and special (non-alphanumeric) characters. To enforce strong passwords, add to the LSA entry in the registry the password filter mentioned earlier in this lesson. On the primary domain controller, and on any backup domain controller that may be promoted to primary domain controller, you must add the PASSFILT string under the registry key HKLM\System\CurrentControlSet\Control\LSA.
Windows2000 account Vulnerabilities
After Windows starts, press Ctrl+Alt+Del as prompted on the screen to log on. Move the cursor to the user name box on the logon page and press Ctrl+Shift to switch the input method; the input method status bar then appears on the screen. With the "All-in-One" input method displayed, move the mouse to the input method status bar and right-click it. In the menu that appears, select "Help", then "Entry to Input Method". Several buttons appear at the top of the window; the details are shown under the "Option" button. If Windows Service Pack 1 or IE 5.5 is not installed, left-click the Option button and select "Homepage" from the menu: a "This page cannot be displayed" page then appears on the right side of the Help window in the IE browser interface, with a link "Detect Network Settings". Clicking it displays the network settings options, so that anyone can change the network settings, or even reach the Control Panel.
You can also choose "Internet Options" from the menu to modify the home page, links, security, and advanced options. The most serious problem is that, if you right-click the menu and select "Jump to URL", a dialog box appears with a URL input box; entering the path you want to see, such as c:\, makes an Explorer view of drive C appear on the right side of the Help window, with the system administrator's permissions on drive C. The operator can do anything to the data he sees, completely bypassing the Windows 2000 logon authentication.
If Windows 2000 Service Pack 1 or IE 5.5 is installed, the "Network Settings" option described above no longer works, but "Internet Options" still does, and the Explorer interface still appears. You can enter a path to view all the files in a folder and in the root directory. You cannot operate directly on the folders and files, but you can still right-click a folder or file and choose to delete it, rename it, or send it to a floppy disk. More seriously, the operator can share a folder: in the dialog box that appears for a single item, select Properties and add any sharing permissions, such as Full Control for Everyone, so that everyone on the network can log on remotely and take full control of all the data!
UNIX account Security
To discuss the security of UNIX accounts, you must first understand the security of UNIX passwords, and for that you need to know the format of the password file. The following command displays the format of the password file:
$ man 5 passwd
The password file contains several fields, which are explained in detail in Table 2-1.
Table 2-1  Fields of the password file

Field               Usage
Login name          The real name the user types when logging in
Encrypted password  In UNIX, passwords are encrypted and saved using the strong DES algorithm
UID                 Unique user ID
GID                 User group ID
User name           The user's real name
HOME                Default home directory
SHELL               Default shell program (command interface)
On most systems the encrypted passwords are no longer kept in the world-readable password file but are moved to a separate file. This arrangement is called a shadow password file; it is usually /etc/shadow, it belongs to the root account, and it is readable only by root.
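An audit of the password file format described in Table 2-1, added here as an example that is not part of the lesson. It parses passwd-style lines (constructed sample entries below, not from any real system), then flags the three conditions the text warns about: a second account with UID 0, an empty password field (login without a password), and an encrypted password still stored in the world-readable file instead of in the shadow file. Function names are this example's own.

```python
# Constructed /etc/passwd sample (the hash on 'legacy' is a made-up
# 13-character DES-style string, not a real credential).
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
steven:x:1001:1001:Steven Example:/home/steven:/bin/bash
toor:x:0:0:backup root:/root:/bin/sh
legacy:A1b2c3D4e5F6g:1002:1002:Legacy User:/home/legacy:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/sh
"""

# The seven colon-separated fields of Table 2-1, in order.
FIELDS = ("login", "password", "uid", "gid", "name", "home", "shell")


def parse_passwd(text):
    """Parse passwd-format text into a list of dicts keyed by FIELDS."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"line {lineno}: expected {len(FIELDS)} fields, got {len(parts)}")
        entry = dict(zip(FIELDS, parts))
        entry["uid"] = int(entry["uid"])
        entry["gid"] = int(entry["gid"])
        entries.append(entry)
    return entries


def audit_passwd(entries):
    """Return (login, finding) pairs for the risky conditions the text describes."""
    findings = []
    for e in entries:
        if e["uid"] == 0 and e["login"] != "root":
            findings.append((e["login"], "UID 0 account other than root"))
        if e["password"] == "":
            findings.append((e["login"], "empty password field: login without a password"))
        elif e["password"] != "x" and not e["password"].startswith(("!", "*")):
            # 'x' means the hash lives in /etc/shadow; '!' or '*' means locked.
            findings.append((e["login"], "encrypted password stored in world-readable passwd, not shadowed"))
    return findings


if __name__ == "__main__":
    for login, finding in audit_passwd(parse_passwd(PASSWD_SAMPLE)):
        print(f"{login}: {finding}")
```

Run against a real file with `audit_passwd(parse_passwd(open("/etc/passwd").read()))`; on a correctly shadowed system every password field is `x` or a lock marker and only root has UID 0, so the report is empty.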
Password Validity Period
Nowadays, more powerful hardware has greatly reduced the time needed to guess passwords with automated programs. The other way to resist password attacks on UNIX systems is therefore to change passwords frequently. In many cases users never change their passwords, so a mechanism is needed to force regular changes. This technique is called password aging (a password validity period), and it is available on many UNIX systems.
Password validity period: LINUX
In Linux, the password validity period is managed with the chage command. Its parameters are:

Parameter   Meaning
-m          Minimum number of days before the password may be changed again. If zero, the password may be changed at any time.
-M          Maximum number of days the password remains valid before it must be changed.
-W          Number of days before the password expires on which the user starts receiving a warning message.
-E          Account expiration date. After this date the account can no longer be used.
-d          Date of the last password change.
-I          Number of days after the password has expired after which the account becomes unavailable.
-l          List the current settings. Unprivileged users can use this to find out when their password or account expires.
For example:
% chage -m 2 -M 30 -W 5 steven
This command specifies that user steven cannot change the password again within two days of changing it, that the password remains valid for at most 30 days, and that a warning is issued five days before the password expires.
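The chage parameters above map directly onto the aging fields of /etc/shadow (last change, minimum, maximum, warning, inactive, expire, all counted in days since 1970-01-01). The Python below, added here as an example that is not part of the lesson, parses constructed shadow-format lines (placeholder hashes, not real credentials) and evaluates them the way login and passwd do: whether the user may change the password yet (-m), whether it has expired (-M), whether the warning period has begun (-W), whether the inactivity period has locked the account (-I), and whether the account expiry date has been reached (-E). The first sample line is the steven account from the command above, 27 days after its last password change; function names and the reference date are this example's own.

```python
from datetime import date

EPOCH = date(1970, 1, 1)


def to_days(d):
    """Calendar date -> days since 1970-01-01, the unit used in /etc/shadow."""
    return (d - EPOCH).days


# Constructed reference date for the example.
TODAY = date(2024, 3, 1)
T = to_days(TODAY)

# Constructed /etc/shadow lines; "$6$placeholder" stands in for a real hash.
# Fields: login:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW_SAMPLE = "\n".join([
    f"steven:$6$placeholder:{T - 27}:2:30:5:::",          # chage -m 2 -M 30 -W 5, changed 27 days ago
    f"alice:$6$placeholder:{T - 1}:2:30:5:::",            # changed yesterday, still inside -m
    f"bob:$6$placeholder:{T - 45}:0:30:7:7::",            # past max (30) and inactive (7) days
    f"carol:$6$placeholder:{T - 10}:0:99999:7::{T - 1}:",  # account expiry date was yesterday
])

FIELDS = ("login", "hash", "lastchange", "min", "max", "warn", "inactive", "expire", "reserved")
NUMERIC = ("lastchange", "min", "max", "warn", "inactive", "expire")


def parse_shadow(text):
    """Parse shadow-format lines; empty numeric fields become None (feature unset)."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split(":")
        if len(parts) != len(FIELDS):
            raise ValueError(f"expected {len(FIELDS)} fields: {line!r}")
        e = dict(zip(FIELDS, parts))
        for k in NUMERIC:
            e[k] = int(e[k]) if e[k] != "" else None
        entries.append(e)
    return entries


def aging_status(e, today_days):
    """Apply the shadow aging rules for one entry on the given day."""
    st = {"may_change": True, "must_change": False, "warn": False,
          "locked": False, "account_expired": False}
    if e["expire"] is not None and today_days >= e["expire"]:
        st["account_expired"] = True                     # -E reached
    last = e["lastchange"]
    if last is None:                                     # empty field: aging disabled
        return st
    if last == 0:                                        # 0 means "change at next login"
        st["must_change"] = True
        return st
    since = today_days - last
    st["may_change"] = e["min"] is None or since >= e["min"]        # -m
    if e["max"] is not None:
        expires_at = last + e["max"]
        st["must_change"] = today_days > expires_at                  # -M
        if e["warn"] is not None and not st["must_change"]:
            st["warn"] = expires_at - today_days <= e["warn"]        # -W
        if e["inactive"] is not None and today_days > expires_at + e["inactive"]:
            st["locked"] = True                                      # -I
    return st


def report(text, today_days=T):
    """Status of every account in the shadow text on the given day."""
    return {e["login"]: aging_status(e, today_days) for e in parse_shadow(text)}


if __name__ == "__main__":
    for login, st in report(SHADOW_SAMPLE).items():
        print(login, st)
```

Because the day counter is the only input, the same function answers "what will this account look like next Monday" by passing a future value of today_days, which is useful when planning a password-change campaign.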
Note