5. Implementing Password Policies (OBJ 1.5)
In this lesson, we’re going to jump into the lab and I’m going to show you how to create good group policies for your passwords. We’re going to focus on four key areas: complexity, length, password reuse and password age. Let’s go ahead and jump into the lab environment and get started. In order to create our password policies, we’re going to use the Local Group Policy Editor (gpedit.msc). I’m using a Windows 10 machine here on a local network that is not part of a domain. If you’re in a domain environment, you would set the same settings in a GPO using the Group Policy Management Console, but for a local machine we’re going to stick with the Local Group Policy Editor. To get there, open Computer Configuration, expand Windows Settings, and then select Security Settings underneath it.
Underneath Security Settings you’ll see Account Policies, and inside that is Password Policy. You’ll see that there are several different settings here: Enforce password history, Minimum password age, Maximum password age, Minimum password length, Password must meet complexity requirements, and Store passwords using reversible encryption. That last one should stay disabled; it exists only for legacy protocols that need the plaintext password, and enabling it is about the same as storing passwords in the clear. So first we’re going to set up complexity. Complexity is about what kinds of characters the password must contain: does it need uppercase, lowercase, special characters and numbers? If we right-click it, go to Properties, select Enabled and hit Apply, our passwords are now required to meet complexity. On Windows that means three things: the password must be at least six characters long, it must contain characters from at least three of five categories (uppercase letters, lowercase letters, base-10 digits, non-alphanumeric characters, and Unicode letters that are neither uppercase nor lowercase, as in many Asian scripts), and it must not contain the user’s account name or any part of the user’s full name that is three or more characters long.
So a password like Password1! would meet password complexity according to this definition, even though it is obviously a poor password; complexity checks character classes, not how guessable the password is. Next we’ll hit OK and go to our next setting, which is Minimum password length. Right now that is zero characters, and zero characters means I can have a blank password. Now, if you remember from my earlier lessons, I recommended something of at least 14 characters. According to the Security+ exam, we want at least eight characters, so the exam answer would be a minimum of eight. But for your security and mine, I’m going to use 14 characters. Again, you’ll hit Apply. If you look at the Explain tab, it lists the range of values the setting accepts, and it confirms that a value of zero means no password is required at all.
Go ahead and hit OK. The next thing we’re going to do is password age. Minimum password age is how long a password must be in place before the user is allowed to change it again. Right now it’s zero days, which means a user can change their password and then immediately change it again. That matters once we set a password history, because with a minimum age of zero a user can burn through enough throwaway passwords in a minute to get back to their old favorite; setting the minimum age to at least one day closes that loophole. Maximum password age is currently 42 days, which means every 42 days I’m going to have to change that password. If you remember what I recommended, it was something like 90 days. 42 is a fine number; it’s short, but that’s the default. Somewhere between 30 and 90 days is typical, and if it’s for your home network, 90 days is sufficient and will have you changing it often enough. You can set this anywhere between 1 and 999 days, and setting it to 0 means the password never expires. I do not recommend doing that.
And our final setting is Enforce password history. This is how many previous passwords Windows will remember and refuse to let you use again. For example, let’s say my password was password, then I changed it to password1, and then I changed it to password2. That is three different passwords I’ve used. If I set the history to three, I would have to pick another one, say password3, before I could go back to the original password. That’s the idea here. Generally, in high security environments you want something like 24, which is also the maximum this setting allows. In a lower security environment something like five would be fine, because if you change it every 90 days and the last five passwords are remembered, it’s 450 days, about 15 months, before a password could come back around. If you go to the Explain tab again, it gives you that same explanation.
If you leave it at zero, that means you can constantly reuse the same password. So if I require you to change your password every 90 days but leave the password history at zero, guess what you can do? Change your password to the same password, which resets the 90-day clock, and go again. Not a very good thing for security. So now you understand the basic password policies you can set in here. Something like this is a fairly adequate setup for a small or medium sized business. If you want to make it more secure, you can lower the maximum password age, maybe down to 30 days, raise the password history to something more like 24, and set a minimum password age of a day or more so the history can’t be cycled through. That’s the idea when you’re using the Local Group Policy Editor. If you’re doing this on a domain, be aware that the password policy for domain accounts comes only from a GPO linked at the domain root (by default, the Default Domain Policy); a password policy in a GPO linked to an OU only affects the local accounts on the computers in that OU. Once it’s set at the domain level, every computer and account on the domain will have to follow your new strong password policy.
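The four settings walked through above (complexity, minimum length, minimum and maximum age, history) are often mirrored in an application that has to enforce the same rules as the domain. The following is an added example, not code from the lesson or from Windows: it applies those rules, using the values chosen in the lesson, to a constructed sample account, and it generalizes the complexity rule to the full Windows definition (three of five character categories, and no account-name or full-name tokens in the password). The account data, the candidate passwords and the policy values are assumptions for the demonstration.

```python
"""Added example (not from the lesson): a Windows-style password policy check."""
from __future__ import annotations
import hashlib
import os
import re
import unicodedata
from dataclasses import dataclass, field
from datetime import date

# Policy values chosen in the lesson (assumed here; Windows defaults in comments).
MIN_LENGTH = 14       # default 0: blank password allowed
MAX_AGE_DAYS = 90     # default 42; 0 would mean "never expires"
MIN_AGE_DAYS = 1      # default 0: user may change the password again immediately
HISTORY_SIZE = 24     # default 0: reuse allowed; 24 is the maximum Windows accepts
COMPLEXITY = True

# Delimiters Windows uses to split the full name into tokens for the
# "must not contain the user's name" part of the complexity rule.
NAME_DELIMS = re.compile(r"[,.\-_ #\t]+")


def _hash(password: str, salt: bytes) -> bytes:
    """Salted hash kept for the reuse check; never keep the history in plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    sam_account_name: str
    display_name: str
    last_set: date = date(1970, 1, 1)
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    history: list[bytes] = field(default_factory=list)   # newest first


def category_count(password: str) -> int:
    """How many of the five Windows character categories the password uses."""
    upper = lower = digit = special = other_alpha = False
    for ch in password:
        if ch.isupper():
            upper = True
        elif ch.islower():
            lower = True
        elif ch.isdigit():
            digit = True
        elif unicodedata.category(ch).startswith("L"):
            other_alpha = True      # letters with no case, e.g. CJK characters
        else:
            special = True
    return sum((upper, lower, digit, special, other_alpha))


def meets_complexity(password: str, acct: Account) -> bool:
    """The Windows 'Password must meet complexity requirements' rule."""
    if len(password) < 6 or category_count(password) < 3:
        return False
    low = password.lower()
    if acct.sam_account_name.lower() in low:
        return False
    tokens = [t for t in NAME_DELIMS.split(acct.display_name.lower()) if len(t) >= 3]
    return not any(t in low for t in tokens)


def check_new_password(password: str, acct: Account, today: date) -> list[str]:
    """Policy violations for a proposed change; an empty list means it is allowed."""
    problems = []
    if (today - acct.last_set).days < MIN_AGE_DAYS:
        problems.append(f"password changed less than {MIN_AGE_DAYS} day(s) ago")
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if COMPLEXITY and not meets_complexity(password, acct):
        problems.append("does not meet complexity requirements")
    if _hash(password, acct.salt) in acct.history[:HISTORY_SIZE]:
        problems.append(f"matches one of the last {HISTORY_SIZE} passwords")
    return problems


def password_expired(acct: Account, today: date) -> bool:
    """Maximum password age check."""
    return MAX_AGE_DAYS != 0 and (today - acct.last_set).days >= MAX_AGE_DAYS


def set_password(password: str, acct: Account, today: date) -> None:
    """Record a successful change: push onto the history, reset the age clock."""
    acct.history.insert(0, _hash(password, acct.salt))
    del acct.history[HISTORY_SIZE:]
    acct.last_set = today


def demo() -> dict:
    """Constructed scenario: one account, one old password, several candidates."""
    jane = Account("jdoe", "Jane Q. Doe")
    set_password("Correct-Horse-Battery-9", jane, date(2024, 1, 1))
    today = date(2024, 4, 15)            # 105 days later: past the 90-day maximum
    results = {"expired": password_expired(jane, today)}
    for cand in ("Password1!", "Doe-is-my-surname-42",
                 "Correct-Horse-Battery-9", "R1ver-bank-tuesday-88"):
        results[cand] = check_new_password(cand, jane, today)
    # Same day as the last change: blocked by the minimum age.
    results["too_soon"] = check_new_password("R1ver-bank-tuesday-88", jane, date(2024, 1, 1))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key!r}: {value if value != [] else 'OK'}")
```

Password1! passes the complexity rule and fails only on length, which is the point the lesson makes: complexity alone does not make a password strong. Doe-is-my-surname-42 is long and mixes four character classes but is rejected because it contains a token from the full name, and the minimum age check shows why a history setting is toothless when the minimum age is left at zero.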
6. Cracking Weak Passwords (OBJ 1.5)
In this lesson, I’m going to show you how you can test credential security on your network. In this demonstration I’m going to do it locally, using a Kali Linux machine and looking at the password hashes on that particular machine. If you want to test across your network, you could gather hashes by some other method, such as network sniffing or using other tools on your network devices, and then feed those hashes into the same tool. We’re going to use John the Ripper, which is one of the most common password crackers out there. To do this, we’re going to try to crack the root password on this Kali Linux machine. I’ll tell you right now the password is T-O-O-R, toor, which older Kali Linux releases used as the default root password after installation (current releases instead create a non-root user with a password you choose during install). But we’re going to go through the process of cracking it anyway. Before we can crack those hashes, we have to gather them from the Kali Linux machine.
By default, Linux stores the account information in /etc/passwd and the password hashes in /etc/shadow, which only root can read. We’re going to combine both of those into a single file that John understands, using the unshadow utility that ships with John, by typing unshadow /etc/passwd /etc/shadow and redirecting the output to password.txt. So now if I type ls, you’ll see the password.txt file. What does that file look like?
Let’s print it to the screen so you can see it, with more password.txt. You’ll see here that each line is one account, with colon-separated fields: the username on the left, then the password hash (pulled in from the shadow file), the user ID, the group ID, the user’s description, the home directory, and the login shell. Under root, you’ll see that long hash at the top starting with $6$. The $6$ prefix identifies SHA-512 crypt, the characters up to the next $ are the salt, and the rest is the hash itself. That is the shadowed password hash we’ve captured. Now, how do we crack that? That’s where John the Ripper comes in. Let me clear my screen, and what we’re going to do is type john password.txt and hit Enter.
John is going to try to crack that password. It already says it found it, and it was very, very quick, because John’s default run starts with single crack mode, which tries transformations of the username such as reversing it, and then moves on to its built-in wordlist; toor falls to that almost instantly. To show the password, we type john --show password.txt, and you can see that root was the username and toor was the password. That’s how quickly John can recover a weak password from its hash. Note that John doesn’t decrypt anything: a password hash is one-way, so John hashes candidate passwords with the same algorithm and salt and reports a match when the results are equal. And now I could log into the system as root with the password toor with no problem.
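Before pointing John at a file like password.txt it is worth knowing what is actually in it. The following is an added example, not part of the lesson or of John the Ripper: a parser for the combined passwd/shadow format that unshadow writes, run over a constructed sample so it works offline. It reports which accounts have a hash worth cracking, which algorithm and work factor each one uses, and which accounts are locked or have no password at all. Every account line and hash string in the sample is made up for the demonstration and does not come from any real system; the algorithm identifiers and default round counts are the crypt(3) conventions used by glibc/libxcrypt.

```python
"""Added example (not from the lesson): triage of unshadow output."""
from __future__ import annotations
import re
from dataclasses import dataclass

# crypt(3) identifiers and the default rounds used when no rounds= parameter is present.
HASH_ALGOS = {
    "1": ("MD5-crypt", 1000),
    "5": ("SHA-256-crypt", 5000),
    "6": ("SHA-512-crypt", 5000),
    "y": ("yescrypt", None),
    "2b": ("bcrypt", None),
}
ROUNDS_RE = re.compile(r"^rounds=(\d+)$")

# Constructed sample of `unshadow /etc/passwd /etc/shadow` output (all values made up).
SAMPLE = """\
root:$6$h2k8sXa1$Qm2Lw5kXyq6uFq8vVbT3w0n3QrY1QxT4c0zH4lZbU9zJn0YhP5yK2vjE1a9F7Q3cXb5Lk8sM4dH1tR6wN0pGxa0:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc_backup:$6$rounds=100000$9sL2kd0Qm3Xp7a1Z$Z0q4n8Rw2Lt5vB9yC1eH6jK3mP7sV0xA2dF4gI8kO1qT5uW9yB3cE6hJ0lN4pR7tX1zD5fA8iL2oQ6sV0wZ9:1001:1001:Backup Service:/var/backups:/usr/sbin/nologin
kali:$y$j9T$r4zYk1Q9pEc3/f8W0aN2s1$vB7mP3c0dTk6xL1qZ5nE8yH2wA4jS9gR0uF3oI7lK5C:1000:1000:Kali User:/home/kali:/usr/bin/zsh
legacy:$1$ab12cd34$Kz0s3Lq9XvR2tYw5eN7uB1:1002:1002:Legacy App:/opt/legacy:/bin/sh
dosbox:Nf1lGx9Uz8vkA:1005:1005:Old DOS Box:/home/dosbox:/bin/sh
guest::1003:1003:Guest:/home/guest:/bin/bash
olduser:!$6$Hq1tLm4z$1R9kT2xW5vB8yC0eH3jK6mP9sV2xA5dF8gI1kO4qT7uW0yB3cE6hJ9lN2pR5tX8zD1fA4iL7oQ0sV3wZ6y:1004:1004:Former Employee:/home/olduser:/bin/bash
"""


@dataclass
class Entry:
    user: str
    uid: int
    shell: str
    state: str                 # "hashed", "locked" or "no password"
    algo: str | None = None
    rounds: int | None = None
    salt: str | None = None


def classify(pw_field: str) -> tuple[str, str | None, int | None, str | None]:
    """Interpret the password field of one line: (state, algorithm, rounds, salt)."""
    if pw_field == "":
        return "no password", None, None, None
    if pw_field[0] in "!*":
        # '!' in front of a hash is a locked account; '*' never had a usable password.
        return "locked", None, None, None
    if not pw_field.startswith("$"):
        # 13-character traditional DES crypt: 2-character salt, 8-character password limit.
        return "hashed", "DES-crypt", 25, pw_field[:2]
    parts = pw_field.split("$")            # '', id, [rounds=N,] salt, hash
    algo_id = parts[1]
    name, rounds = HASH_ALGOS.get(algo_id, (f"unknown (${algo_id}$)", None))
    if algo_id == "y":                     # $y$<params>$<salt>$<hash>
        return "hashed", name, None, parts[3]
    if algo_id == "2b":                    # $2b$<cost>$<22-char salt><31-char hash>
        return "hashed", name, 2 ** int(parts[2]), parts[3][:22]
    rest = parts[2:]
    m = ROUNDS_RE.match(rest[0])
    if m:
        rounds, rest = int(m.group(1)), rest[1:]
    return "hashed", name, rounds, rest[0]


def parse_unshadow(text: str) -> list[Entry]:
    """Parse unshadow output: user:hash:uid:gid:gecos:home:shell per line."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        user, pw, uid, _gid, _gecos, _home, shell = line.split(":", 6)
        state, algo, rounds, salt = classify(pw)
        entries.append(Entry(user, int(uid), shell, state, algo, rounds, salt))
    return entries


def crackable(entries: list[Entry]) -> list[Entry]:
    """Accounts John can actually attack: the ones that carry a hash."""
    return [e for e in entries if e.state == "hashed"]


def weak_algorithm(entries: list[Entry]) -> list[Entry]:
    """Hashes that are fast to brute-force and should be re-hashed on next login."""
    return [e for e in entries if e.algo in ("DES-crypt", "MD5-crypt")]


if __name__ == "__main__":
    for e in parse_unshadow(SAMPLE):
        print(f"{e.user:<12}{e.state:<12}{e.algo or '-':<16}rounds={e.rounds or '-':<8}salt={e.salt or '-'}")
```

The same per-account view is what decides how to spend cracking time: accounts with no password or a locked field need no cracking at all, an account still on DES or MD5-crypt is a finding in itself, and a high rounds= value (svc_backup in the sample) tells you each guess will cost roughly twenty times as much as against root’s hash.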
7. Multifactor Authentication (OBJ 1.5)
Before a user gains rights to use a particular resource, they should have to prove their identity. In access control, we use identification and authentication to protect resources from unknown users. When a user first requests access to a resource, they must provide their identity; this process is known as identification. Next, their identity must be verified; this process of validating the identity of the user using a unique identifier and approved credentials is known as authentication. Students often get these two terms confused. Just remember: identification is provided by the user as a claim to who they are, and it may take the form of a username, an account number or even a Social Security number. Authentication, on the other hand, occurs on the access control side.
It occurs once the identification, such as a username, is checked against a validated credential such as the password. Now, as the security of our networks becomes a primary concern to our organizations, security professionals need to keep seeking better ways to increase that security. Some have tried simply creating more difficult and more challenging password schemes to produce a more secure network. These schemes require users to remember passwords that mix uppercase and lowercase letters, numbers and symbols, and to use passwords over 14 characters in length. However, many studies have shown that this doesn’t truly increase the security of the network, because users will simply write down these complex passwords or reuse them across multiple accounts. To better increase the security of your network, you should instead rely on multifactor authentication.
This is because it is far more secure than a long, complex and hard to remember password on its own. So what exactly is multifactor authentication? Multifactor authentication, also known as MFA, is simply the use of two or more distinct means, or factors, to prove a user’s identity. There are five factors of authentication that can be considered when you’re validating a user’s identity: knowledge, ownership, characteristic, location, and action. The knowledge factor involves the user providing a piece of memorized information, something like a username, a password, a PIN, a combination to a lock, their mother’s maiden name, their Social Security number, their place of birth, or anything else that can be memorized and recited when the authentication system asks for it. The ownership factor involves the user proving they have something in their possession that uniquely identifies them.
This ownership or possession factor is commonly achieved using token devices like a key fob that displays a random code every 60 seconds that the user enters into the system. Or a smart card that’s inserted into a reader on the computer, or a USB dongle with an encryption key that’s connected to the computer. Or maybe it’s an authentication mechanism that sends a unique and random number to your smartphone as a text message and that way you enter that number to log into the machine. All of these are ways to prove you have some kind of physical thing in your possession that serves as a token. The characteristic factor relies on something that is defined by the person’s being. This is usually accomplished by using some form of biometric technology, like a fingerprint reader, an iris scan, or a facial recognition unlock feature.
For example, older iPhones used a fingerprint reader in the home button to unlock the phone, whereas newer iPhones utilize dual front facing cameras to implement a more secure version of facial recognition. Another form of characteristic factor is vocal pattern recognition, which some banks currently use to identify their customers over the phone. The next factor is the location factor, which refers to where a person is when they’re trying to log into an account. For example, I travel a lot for my work, and when I attempt to log into my Gmail account while I’m traveling, the system will often flag the login as unusual and ask me for a second piece of information to verify my identity and validate that it really is me attempting to log in from this new location.
I’ve also worked at some organizations that require a user to be within a certain city, state, or country before they can log into the network, based on their device’s GPS location or the IP address from which they’re attempting access. The action factor is our last factor, and it refers to something a user does. To be honest, this is not a commonly used factor in most networks, but I have come across it a few times. For example, the action factor might rely on how something is performed, such as how you sign your name or draw a certain picture, or the way you walk in front of a visual sensor before a door unlocks. All of these are action factors. Now, if you use only one of these five factors, it’s considered single factor authentication. For example, if you log in using a username and password, that is single factor authentication, because both pieces of information are knowledge factors: you memorize a username and you memorize a password. In order to increase security, it’s really important that you use at least two factors of authentication. This is commonly known as two factor authentication, or 2FA.
Now, for example, I used to work for an organization that required me to insert my employee ID badge into a smart card reader on the computer and then enter a PIN to log into my computer each day. This is considered two factor authentication because I have an ownership factor, my identification card, and a knowledge factor, the PIN I memorized, to prove my identity. Even if you had my identification card, you couldn’t log in without my PIN. Similarly, if you had my PIN but didn’t have my identification card, you couldn’t log into the computer either. That is the power of two factor authentication. Now, in addition to two factor authentication, you’ll also hear the term multifactor authentication.
Multifactor authentication, or MFA, is any authentication that requires two or more factors. For example, you may need your smart card, your PIN, and your location to be within the same country as the network you’re logging into. That would be three different factors, and because they are three distinct factors, this is considered multifactor authentication. High security systems often use multifactor authentication; instead of relying on only one or two factors, there may be a mixture of three, four or even five factors depending on the security of the system. Security is constantly evolving, and so additional mechanisms of authentication have had to be developed.
One of the most secure of these is the one-time password (OTP). These are implemented using either a time-based or an HMAC-based mechanism. With the time-based one-time password algorithm, or TOTP, the password is computed from a shared secret and the current time, rounded down to a time step that is typically 30 seconds. This is often used to create seemingly random numbers displayed on an ownership factor such as a physical token or an authenticator app. Since these passwords change every 30 to 60 seconds, each one can only be used within its time step before it changes again. This time-based approach is actually a variation of the counter-based approach known as the HMAC-based One-Time Password algorithm, or HOTP. HOTP computes the password from a shared secret and a moving counter that is synchronized between the client and the server.
Each time a password is used to log in, both sides advance the counter, so the next password is different and an already used one is no longer accepted; if the client gets ahead (for example, the user generated codes without submitting them), the server checks a small look-ahead window of counter values to resynchronize. Another consideration with multifactor authentication is whether the authentication factors are delivered in band or out of band. An in-band authentication factor relies on an identity signal from the same system that’s requesting the user authentication. For example, if you’re using your smartphone to log into your banking app and the bank sends a text message with a one-time password or PIN to that same smartphone, this is considered in-band authentication. Similarly, if you’re logging into a website on your computer and the website sends a one-time password or PIN to your email, which you’re going to read on that same computer, that is again in-band authentication.
In-band authentication factors are generally considered less secure than out-of-band factors. An out-of-band authentication factor is a type of two factor or multifactor authentication that uses a separate communication channel or device to deliver or generate the one-time password or PIN. For example, if you have an RSA key fob that generates a new one-time PIN every 30 to 60 seconds, this is considered an out-of-band mechanism, because the code is produced on a device separate from the smartphone or computer where you enter it to complete your authentication. The reason out-of-band authentication is considered more secure is that an attacker would have to simultaneously compromise two different channels or devices to take over your authentication, instead of just one. Be aware that not all out-of-band channels are equal: a code sent by SMS or voice call is weaker than one generated on a hardware token or authenticator app, because phone numbers can be hijacked through SIM swapping and SMS can be intercepted, which is why NIST SP 800-63B treats the public telephone network as a restricted channel for authenticators.
Now, if your enterprise network requires a higher level of security, you should definitely opt for implementing two factor or multifactor authentication systems that rely on an out of band authentication system because they are considered more secure.