From: crazy frog crazy frog (i.m.crazy.frog@gmail.com)
Date: Tue Mar 20 2007 - 08:55:22 EST
Hi,
there is one GUIDE from microsoft.it can be downloaded from here:
www.microsoft.com/downloads/details.aspx?FamilyId=8A2643C1-0685-4D89-B655-521EA6C7B4DB
HTH
On 3/19/07, Salvador.Manaois@infineon.com <Salvador.Manaois@infineon.com> wrote:
> If your main goal is to gauge the "strength" of your organization's
> password policy and _not_ how to break into the win2003 server, then you
> should try to dump a copy of the SAM file onto a password-cracker.
> Remotely checking the password strength may require you to try
> brute-forcing a session to the server (but then again, if the invalid
> login threshold setting and the account lockout policy are defined, you
> may find this exercise frustratingly time-consuming). =)
>
> ...badz...
> Salvador Manaois III
>
> -----Original Message-----
> From: listbounce@securityfocus.com [mailto:listbounce@securityfocus.com]
> On Behalf Of Chris Parker
> Sent: Saturday, March 17, 2007 7:16 AM
> To: pen-test@securityfocus.com
> Subject: Re: windows 2003 server
>
> Nicolas RUFF wrote:
> >> I have a win2003 server that I have been asked to test its password
> >> policy. I am new to this and was wondering what would be the best
> >> approach to gain access? It is in my local network and will be
> >> segregated from the rest of the network for testing. I would be
> >> using a remote machine to log in and not locally. What would be your
> suggestions?
> >
> > Password policy can be found in Administrative Tools/[Local | Domain]
> > Security Policy.
> >
> > What do you mean by "testing password policy" ?
> >
> > Why do you need to gain access ? You'd better ask for an
> > administrative account and dump the SAM file into a password cracker
> (like LCP).
> >
> > Given the default security policy of W2003 (anonymous account
> > enumeration blocked, password length over 7 and mixed characters
> > required), your chances to break in remotely without any additional
> > information are near zero.
> >
> > Regards,
> > - Nicolas RUFF
> >
> First, we are trying to lock down our servers. I came into this after
> they had these server up for a few years, so you can see my work is cut
> out for me. I just wanted the best ways to test to make sure most users
> cannot get where they are not suppose to be. Current password policy is
> 8 characters, upper lower number.
>
> thanks
> Chris Parker
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=7016
> 00000008bOW
> ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This List Sponsored by: Cenzic
>
> Need to secure your web apps?
> Cenzic Hailstorm finds vulnerabilities fast.
> Click the link to buy it, try it or download Hailstorm for FREE.
>
> http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW
> ------------------------------------------------------------------------
>
>
-- --------------------------------------- http://www.secgeeks.com get a blog on secgeeks :) register here:- http://secgeeks.com/user/register rss feeds :- http://secgeeks.com/node/feed Submit you security articles,send them to secgeek@secgeeks.com http://www.newskicks.com Submit and kick for new stories from all around the world. --------------------------------------- ------------------------------------------------------------------------ This List Sponsored by: Cenzic Need to secure your web apps? Cenzic Hailstorm finds vulnerabilities fast. Click the link to buy it, try it or download Hailstorm for FREE. http://www.cenzic.com/products_services/download_hailstorm.php?camp=701600000008bOW ------------------------------------------------------------------------
This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:57:40 EDT