Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Focus-Microsoft
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: ADSI question

from [Joseph Clark] Network Security [Permanent Link]
Subject: Re: ADSI question
Date: Thu, 26 Aug 2004 18:49:52 -0700 
If you want to find people with really bad passwords you could run a
dictionary password cracker aginst the LM password hashes.

On Thu, 26 Aug 2004 08:58:35 -0500, Bruce K. Marshall <bkml@att.net> wrote:

Paul,

The only ways to measure a password's quality is to either guess them
(online) or crack them (offline).  If you exported the LM password hashes
you could tell whether they were shorter than 8 characters, but any other
info requires cracking.  We've been providing clients with 'password policy
compliance' reports where we crack the passwords and then compare the
findings to their existing or planned policy.

If you do an in-place migration you'll still be stuck with the previous
passwords.  You can turn on password complexity, but that won't be enforced
until the next password change.

Scripting can tell you some cool stuff, such as when the user last logged
into the domain and when they last changed their password.  But it won't do
anything related to password quality.

----
Bruce K. Marshall - bmarshall@securityps.com - 913-484-7233
Security Professional Services, Inc. - Kansas City

----- Original Message -----
From: "Paul Aviles" <paviles@adjoined.com>
To: <focus-ms@securityfocus.com>
Sent: Wednesday, August 25, 2004 11:30 AM
Subject: ADSI question

Is it possible to use ADSI to query user accounts and find if they are
using a strong password? Before using GPO's to enable it, I need to have
an audit and show how many people don't have them.  Is this a property
of the users?

Also, I believe that when you install AD in a new environment by default
it has strong password enabled. Is that the same when you do an in place
migration?

Thanks

Paul

---------------------------------------------------------------------------
---------------------------------------------------------------------------

---------------------------------------------------------------------------
---------------------------------------------------------------------------




---------------------------------------------------------------------------
---------------------------------------------------------------------------
[More with this subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  RE: ADSI question, Matthew.van.Eerde
Next by Date:  RE: ADSI question, Paul Aviles
Previous by Thread:  Re: ADSI question, Bruce K. Marshall
Next by Thread:  Password policy enforcement tools was RE: ADSI question, Eric Peeters
Indexes:  [Date] [Thread] [Top] [All Lists]