Chapter 1. Windows Operating System – Password Attacks

Information in This Chapter

  • Windows Passwords Overview
  • How Windows Password Attacks Work
  • Dangers with Windows Password Attacks
  • Future of Windows Password Attacks
  • Defenses against Windows Password Attacks

Passwords play an important role in information security as well as in other forms of authentication by providing a low-tech solution for protecting resources that should not be readily available to unauthenticated or unauthorized people or services. If we think about the passwords we have and the type of information they protect, the importance of passwords becomes clear. For instance, what if we were able to register usernames for social sites such as Twitter,[A] Facebook,[B] and LinkedIn[C] without using passwords? Without some sort of authentication mechanism anyone would be able to access your account data and change information without your approval. Apply the same thought process to the work environment. What if corporate resources did not require some sort of strong authentication? Think about some of the most important information assets stored in your organization and what the impact could be if casual access was permitted.

[A] http://twitter.com/

[B] www.facebook.com/login.php

[C] www.linkedin.com/

Military units around the world still rely on verbal passwords or challenge-and-response verification to ensure that access is granted to those who require, and are authorized for, physical access to secure areas in both field and office environments. For instance, place yourself in the boots of a soldier who is assigned to a guard post during a 4-hour rotation of guard duty. During guard operations, unknown individuals are challenged before being granted access to secured areas. In the field environment, if an unknown individual were to approach a soldier's guard post, the soldier on guard would exclaim, “Halt, who goes there?” After the unknown individual answers, the soldier would then exclaim, “Advance to be recognized,” followed by “Halt” to stop the unknown individual while still a safe distance away. The soldier would then order the unknown individual to place proper identification on the ground and then back up six paces. The soldier would verify the identification provided and also determine whether the individual has the proper authorization before allowing passage. If the identification of the unknown individual is not sufficient, the unknown individual would be held until the commander of the relief could perform additional verification. A commander of the relief is the person in charge of the entire deployment of guards for a period of time and is the ultimate authority for granting access while assigned to that duty.

Although the previous example does not use traditional passwords, it gives us a better understanding of how an authentication mechanism can help protect access to sensitive areas or information. As with the different types of passwords and other authentication schemes used in the military, the Windows implementation of password security is also designed to grant access only to authenticated users or services.

Windows password storage and security are often the last line of defense for protecting information stored locally on computers and for protecting Windows domain access to resources. Unfortunately, in some cases, the use of passwords to protect information is the only line of defense, which can leave organizations with very little security implemented to protect their most important assets.

Before moving directly into the dangers associated with attacks against Windows passwords and a number of attack scenarios, it makes good sense to review how Windows systems store passwords and how policies are used to enhance password security and limit unauthorized access. Learning about the types, storage, and policies used in the Windows implementation of passwords will help provide a solid understanding of how attacks against them are possible.
