How to "hide" the server password

Source: Internet
Author: User

Comments: Recently, I was invited to a company to perform a network penetration test. The company's network is a small Active Directory domain built from Windows Server 2003 and Windows XP systems; one of the servers is connected to the intranet database, and remote terminal access is enabled on all servers. After the penetration test, I found several serious but common security problems, the most important of which is password management. While testing the web application, I found a SQL injection vulnerability and obtained the password used to connect to the database. However, the database machine had apparently been placed deliberately in the DMZ, so it could not be reached from the Internet. I then found the web administrator's password on the web site, and noticed that it obviously followed the same pattern as the database connection password just obtained: the web administrator's password was web @ 123456 (where 123456 stands for the name of the friend's company) and the database connection password was SQL @ 123456. Having noticed this common pattern, I tried, based on experience, logging on to the remote terminal with the password webserver @ 123456, and was lucky enough to succeed, which gave me administrator privileges on the web server. Later in the same engagement, when I tested the mail server, I entered mailserver @ 123456 directly and it worked as well. With a "formula" like this, the rest of the test became much easier: the password for each server could be recombined according to the server's role, and the remaining servers were easily taken over.
Finally, on one of the servers, I accidentally "obtained" an XLS document that records the passwords of all servers, including the domain password. My previous experience shows that this situation is very common. If you are a network administrator, think back to whether a similar problem exists in your own enterprise or on the servers you manage. It is precisely this kind of password defect that brings disaster to enterprise servers and the intranet. Password security has always been a challenge, but in fact every enterprise can manage its own passwords more effectively. The following are my suggestions on password management to the administrator of the friend's company, and a reminder to network administrators in general:

1. Secure, complex passwords must be set on all servers.
2. Passwords must be changed regularly, mainly to prevent an old password that has leaked from being reused by an attacker.
3. A new password must genuinely replace the old one. There must be no relationship between the new password and the old one; do not derive the new password directly from the old one, and in particular do not just change a single letter. When the administrator changes a password, assume that the current password has already been cracked. Changes such as webserver1 @ 123456, web1 @ 123456 and mailserver1 @ 123456 are easy to guess.
4. Do not use common words or weak passwords such as password or qwer1234. Such passwords must never be used.
5. Do not use patterned passwords. In this test I got into the servers by following the password rule of the friend's company, so passwords must not be generated from a predictable pattern.
6. Password files must be encrypted.

The following are Microsoft's official recommendations for "determining password policy settings":

• "Enforce password history" determines the number of unique new passwords a user must have used before an old password can be reused. The value can be between 0 and 24; if it is set to 0, password history is disabled. For most organizations, set this value to 24 passwords.
• "Maximum password age" determines the number of days a user can use a password before being required to change it. The value can be between 0 and 999; if it is set to 0, the password never expires. Setting the value too low may inconvenience users; setting it too high, or disabling it, gives a potential attacker more time to crack the password. For most organizations, set this value to 42 days.
• "Minimum password age" determines the number of days a user must wait before changing a new password again. This setting is designed to be used together with "Enforce password history", so that a user cannot quickly cycle through the required number of passwords and change back to the old one. The value can be between 0 and 999; if it is set to 0, a new password can be changed immediately. We recommend setting this value to 2 days.
• "Minimum password length" determines the minimum number of characters a password must contain. Although Windows 2000, Windows XP and Windows Server 2003 support passwords of up to 127 characters, the setting value must be between 0 and 14 characters. If it is set to 0, users are allowed to use a blank password, so a value of 0 should not be used. We recommend setting this value to 8 characters.
• "Password must meet complexity requirements" determines whether password complexity is enforced. If this setting is enabled, user passwords must meet the following requirements:
  • The password must contain at least 6 characters.
  • The password must contain characters from at least three of the following five categories:
    • uppercase English letters (A-Z)
    • lowercase English letters (a-z)
    • base-10 digits (0-9)
    • non-alphanumeric characters (for example !, $, #, or %)
    • Unicode characters
  • The password must not contain the user's account name or a part of the user's full name of three or more characters. If the account name is shorter than 3 characters, this check is skipped, because passwords would otherwise be rejected far too often. When checking the user's full name, several characters are treated as delimiters that split the name into separate tokens: comma, period, dash/hyphen, underscore, space, pound sign (#) and tab. Each token of 3 or more characters is searched for in the password, and if it is found the password change is rejected. For example, the name "Erin M. Hagens" is split into three tokens: "Erin", "M" and "Hagens". Because the second token has only one character, it is ignored. Therefore, the password must not contain the substrings "erin" or "hagens" anywhere. All of these checks are case-insensitive, which is why the lowercase "erin" and "hagens" are rejected even though the name is written "Erin M. Hagens".
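To make the two rules above concrete, here is an added Python example (my own code, not code from the original article and not Microsoft's implementation). It implements the documented complexity check (minimum length, three of five character categories, and the account-name / full-name token rule with the documented delimiters, compared case-insensitively as the "erin"/"hagens" example behaves) and, for recommendation 3 in the list above, a check that rejects a new password that is only a trivial edit of the old one or still shares a long run of characters with it. The function names, the sample account "ehagens", and the thresholds `max_distance=2` and `min_shared_run=6` are my own choices, not values from any Microsoft policy.

```python
import re
import string

# Delimiters Microsoft lists for splitting the full name into tokens:
# comma, period, dash/hyphen, underscore, space, pound sign and tab.
NAME_DELIMITER_RE = re.compile(r"[,.\-_ #\t]+")


def name_tokens(full_name):
    """Split the full name on the documented delimiters and keep only tokens of
    three or more characters ("Erin M. Hagens" -> ["Erin", "Hagens"]; the
    one-letter middle initial is ignored)."""
    return [t for t in NAME_DELIMITER_RE.split(full_name) if len(t) >= 3]


def character_classes(password):
    """Count how many of the five documented character categories the password uses."""
    tests = (
        lambda c: c in string.ascii_uppercase,   # uppercase English letters (A-Z)
        lambda c: c in string.ascii_lowercase,   # lowercase English letters (a-z)
        lambda c: c in string.digits,            # base-10 digits (0-9)
        lambda c: c in string.punctuation,       # non-alphanumeric ASCII such as ! $ # %
        lambda c: ord(c) > 127,                  # anything outside ASCII, i.e. other Unicode
    )
    return sum(1 for test in tests if any(test(c) for c in password))


def complexity_violations(password, account_name, full_name="", min_length=6):
    """Return the list of complexity rules the password breaks (empty = acceptable).

    min_length defaults to the 6 characters the complexity rule itself requires;
    pass 8 to also enforce the recommended "Minimum password length" setting.
    """
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if character_classes(password) < 3:
        problems.append("fewer than three character classes")
    pw = password.lower()  # the name checks are case-insensitive
    # The account-name check is skipped for account names shorter than 3 characters.
    if len(account_name) >= 3 and account_name.lower() in pw:
        problems.append("contains account name")
    for token in name_tokens(full_name):
        if token.lower() in pw:
            problems.append("contains name token " + repr(token))
    return problems


def edit_distance(a, b):
    """Levenshtein distance: number of single-character edits turning a into b."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def longest_common_run(a, b):
    """Length of the longest substring that a and b have in common."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def derived_from_old(new_password, old_password, max_distance=2, min_shared_run=6):
    """True when the new password is a trivial edit of the old one (a few characters
    changed or added, e.g. the "1" in webserver1 @ 123456) or still carries a long
    run of the old password (e.g. the shared "@ 123456" suffix). The thresholds are
    my own assumptions, not values from any Microsoft policy."""
    new, old = new_password.lower(), old_password.lower()
    if edit_distance(new, old) <= max_distance:
        return True
    return longest_common_run(new, old) >= min_shared_run


if __name__ == "__main__":
    # Constructed sample inputs; the account name and person are fictional.
    print(complexity_violations("Hagens#99", "ehagens", "Erin M. Hagens"))
    print(complexity_violations("Tr0ub4dor&3", "ehagens", "Erin M. Hagens"))
    print(derived_from_old("webserver1 @ 123456", "webserver @ 123456"))
    print(derived_from_old("web1 @ 123456", "webserver @ 123456"))
    print(derived_from_old("Tr0ub4dor&3", "webserver @ 123456"))
```

The complexity rule alone would accept every one of the "formula" passwords from the article, since each has mixed case or punctuation and digits; it is `derived_from_old` that catches the single-character and shared-suffix changes recommendation 3 warns about, which is why a password-change hook needs both checks.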
