How many times have you seen someone use a dictionary word as a local Administrator password? If an attacker can gain admin on a workstation using a boot disk, or just copy off the SAM and SYSTEM files from the hard disk, it's trivial to crack dictionary passwords using the tools mentioned before, even if LM hash storage is turned off. Samdump2 and John the Ripper can be run from a single boot CD to perform the crack. Attackers can use tools like Brutus or THC-Hydra from across the network to try to crack accounts, but this is much slower than a local attack.
Ensure that password policies do not allow easy-to-guess passwords and that someone is watching the event logs for signs of a brute force attack. Forced password changes for the support staff may be a good idea in some cases, but frequent password changes will cause some staff to write their password down and leave it where someone malicious could find it (a post-it note on the monitor is popular). Also avoid using Social Security Numbers as default passwords. Social Security information goes across too many desks at a university to be considered secure. Even work-study students may have access to databases of Social Security Numbers, and such information regularly makes it to recycle containers unshredded. The same thing goes for other personal information that's easy to find or guess.
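As an added example that is not part of the original article, the following Python script shows the kind of event-log check the paragraph above asks someone to perform: it parses a constructed Windows 2000/XP Security log export (event ID 529 is the failed-logon audit record; the tab-separated layout is assumed for the example) and flags any workstation that racks up repeated failures against one account within a few minutes.

```python
# Added example (not the article's code): flag brute-force password guessing
# in an exported Windows 2000/XP Security log. Event ID 529 is the
# "Logon Failure: unknown user name or bad password" audit record.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export: "<timestamp>\t<event id>\t<account>\t<source workstation>"
SAMPLE_LOG = """\
2005-03-01 08:00:01\t528\tjsmith\tOFFICE-PC3
2005-03-01 08:01:10\t529\tadministrator\tLAB-PC17
2005-03-01 08:01:11\t529\tadministrator\tLAB-PC17
2005-03-01 08:01:12\t529\tadministrator\tLAB-PC17
2005-03-01 08:01:13\t529\tadministrator\tLAB-PC17
2005-03-01 08:01:14\t529\tadministrator\tLAB-PC17
2005-03-01 08:03:00\t529\tmwhite\tOFFICE-PC5
2005-03-01 08:15:00\t529\tmwhite\tOFFICE-PC5
2005-03-01 08:30:00\t528\tmwhite\tOFFICE-PC5
"""

FAILED_LOGON_ID = "529"

def parse_events(text):
    """Parse the tab-separated export into (time, event id, account, source) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, event_id, account, source = line.split("\t")
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                           event_id, account, source))
    return events

def find_bruteforce(events, threshold=5, window=timedelta(minutes=5)):
    """Return {(source, account): peak count} for every source that produced
    at least `threshold` failed logons against one account within `window`.
    A couple of typos spread over a morning (mwhite) stays below the bar."""
    failures = defaultdict(list)
    for ts, event_id, account, source in events:
        if event_id == FAILED_LOGON_ID:
            failures[(source, account)].append(ts)
    hits = {}
    for key, times in failures.items():
        times.sort()
        start = 0                      # sliding window over sorted timestamps
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                hits[key] = max(hits.get(key, 0), end - start + 1)
    return hits
```

Run against a real export, the same logic would also want to watch for many accounts being tried from one source, which is how a dictionary attack against a list of usernames looks in the log.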
Turn off File Sharing and Unneeded Services
Using a host-based firewall like the one built into Windows XP SP2 or ZoneAlarm can be a good idea, but better yet is not to have possibly vulnerable services running in the first place. Turning off file sharing on computers that do not need it is a must. Many types of attacks can be averted if an attacker does not have access to administrative shares. Those faculty and staff who must use file and printer sharing should be taught how to set proper share permissions. By default, Windows 2000 gives the Everyone group full read and write access to shares, and Windows XP gives just Read to the Everyone group. To give an example of how bad this can be, let's assume a secretary in one of the offices wants to share a database of student names, Social Security Numbers, and addresses with others in the office. She simply right-clicks on the folder she wants to share and takes all of the defaults.
Now one of the students is poking around on the network to see what computers are out there and what shares they can get into.