Hands-on Lab 2 - Passwords
(DUE February 7 by midnight EST)

Passwords are often the front line defense in any network. This assignment focuses on password policy settings in Microsoft Windows. We will be setting the policy in Windows XP, but the features are similar in most Windows operating systems. We will be sharing the same computer for this assignment. Please reset everything you changed back to the original before you leave the computer.

You are going to be connecting to our SAIL (Security and Assurance of Information Lab) through a VPN tunnel. The VPN client software is available on the assignment page on my website for you to download. You will also be using a program called RealVNC (http://www.realvnc.com/) that will allow you to remotely connect to and control another computer.

Pre-assignment:

  1. Download the VPN client software from WebCT and install it on your computer.
  2. Run the VPN client and create a new connection
    1. Use a name you will recognize for Connection Entry
    2. I will give you the host name in WebCT
    3. I will give you the group name and password in WebCT
  3. Click on Connect; I will give you your username and password in an email via WebCT
  4. You are now inside the virtual SAIL lab and able to connect to any of the computers there
  5. Download and install the VNC viewer (http://www.realvnc.com/).
  6. Connect to one of the Windows XP computers, SAIL-1, SAIL-2, or SAIL-3 (IP addresses, usernames and passwords are available on WebCT), as Admin1 [IMPORTANT: right mouse click in the title bar at the top of the VNC screen and select "Send CTRL-ALT-DEL" to log onto a computer using VNC]
  7. Create a new standard user with your first initial and last name as the username (e.g. wsummers)
  8. Explore the systems

Assignment - PART I: Setting Password Policy

  1. Setting Password Length
    1. Log onto Sail1, 2 or 3 as admin1
    2. Select Start | Control Panel | Administrative Tools | Local Security Policy
    3. Find Password Policy in Account Policies
    4. What is the minimum password length?
    5. Change the minimum length to 9 and click OK
    6. Log off
    7. Log on as user1 with password password
    8. Send a CTRL-ALT-DEL and click Change Password if you have a Windows 2000 type logon screen. Otherwise, you will need to go to the User Accounts icon in the Control Panel
    9. Type in a new password that is less than 9 characters.
    10. What message did you get?
    11. Change the password to password1
    12. Log off and back on to user1 to test what you have done
    13. Log off
  2. Password Complexity
    1. Log onto Sail1, 2 or 3 as admin1
    2. Select Start | Control Panel | Administrative Tools | Local Security Policy
    3. Find Password Policy in Account Policies
    4. Enable Password must meet complexity requirements and click OK
    5. Log off
    6. Log on as user1
    7. Send a CTRL-ALT-DEL and click Change Password
    8. Type in password for the new password.
    9. What message did you get?
    10. Try password1 and password2 as the new password
    11. What message did you get?
    12. Try Password1. What happened? Why?
    13. Log back in as admin1 and reset the password length back to 6 and turn the password complexity off.
  3. Preventing the Display of Last Logon Name
    1. Log onto Sail1, 2 or 3 as admin1
    2. Select Start | Control Panel | Administrative Tools | Local Security Policy
    3. Find Security Option in Local Policies
    4. Enable Do not display last user name in login screen
    5. Log out and back in
    6. What difference did you notice?
  4. Setting Account Lockout Policy
    1. Log onto Sail1, 2 or 3 as admin1
    2. Select Start | Control Panel | Administrative Tools | Local Security Policy
    3. Find Account Lockout Policy in Account Policies
      1. How many invalid logon attempts are permitted?
      2. Change invalid logon attempts to 3.
      3. How long is the account locked out?
      4. Change the time to 20 minutes.
    4. Log out and try logging in to user2 three times without entering the password. Try again a fourth time. What happens?
    5. You've locked out the account and can either wait 20 minutes or log on as admin and reset the account.
  5. *****Log back in as admin1 and reset the policies that you just changed.*****
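The checks behind the Part I settings, as an added Python model (not part of the handout and nothing taken from the lab machines): meets_complexity follows the documented rules of "Password must meet complexity requirements" (at least 6 characters, no account name or full-name token longer than 2 characters, characters from 3 of 4 classes), check_password adds the minimum length, and simulate_logons counts bad logons against the lockout threshold. The function names are this example's own assumptions.

```python
"""Model of the Windows password-policy checks in Part I (added example,
not part of the lab handout): minimum length, 'Password must meet
complexity requirements' and Account Lockout. Names are the author's own."""
import re

def meets_complexity(password, account_name, full_name=""):
    """Windows complexity filter: at least 6 chars; must not contain the
    account name (checked only when the name is 3+ chars) or any token of
    the full name longer than 2 chars; and must use characters from at
    least 3 of 4 categories (upper, lower, digit, non-alphanumeric)."""
    if len(password) < 6:
        return False
    lowered = password.lower()
    if len(account_name) >= 3 and account_name.lower() in lowered:
        return False
    for token in re.split(r"[,.\-_ #\t]+", full_name):
        if len(token) > 2 and token.lower() in lowered:
            return False
    categories = (any(c.isupper() for c in password),
                  any(c.islower() for c in password),
                  any(c.isdigit() for c in password),
                  any(not c.isalnum() for c in password))
    return sum(categories) >= 3

def check_password(password, account_name, min_length, complexity):
    """Outcome of a password change under the given policy settings."""
    if len(password) < min_length:
        return "too short"
    if complexity and not meets_complexity(password, account_name):
        return "does not meet complexity"
    return "accepted"

def simulate_logons(attempts, threshold, correct_password):
    """Replay logon attempts against a lockout threshold: once consecutive
    bad passwords reach the threshold, every later attempt is refused even
    with the right password, until the account is reset or the lockout
    duration (20 minutes in the lab) expires."""
    failures, outcomes = 0, []
    for attempt in attempts:
        if failures >= threshold:
            outcomes.append("locked out")
        elif attempt == correct_password:
            failures = 0
            outcomes.append("success")
        else:
            failures += 1
            outcomes.append("bad password")
    return outcomes
```

Running the Part I passwords through check_password with the lab's settings (length 9, then complexity on) reproduces each message the logon screen gives user1, and explains why Password1 is the first one accepted.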

Post-assignment: Answer the following questions -

TURN YOUR ASSIGNMENT IN USING THE DROPBOX IN WEBCT

Discussion Questions

  1. You are now ready to secure your Windows computer. Review http://csc.ColumbusState.edu/summers/Chaut2003/security/LAB-4.htm for a more complete description of how to lock down the computer. In the WebCT discussion, discuss what you learned about securing the Windows operating system. What features are important? What shouldn't we worry about?

Assignment - PART II: Auditing Passwords

  1. Make sure that you can connect to the VPN with the VPN client software, following the same procedure you used above.
  2. Click on Connect and use your username and password from above.
  3. You are now inside the virtual SAIL lab and able to connect to any of the computers there
  4. Use VNC to connect to SAIL-1, 2 or 3 (IP addresses, usernames and passwords are available on WebCT) as an Administrator [IMPORTANT: right mouse click in the title bar at the top of the VNC screen and select "Send CTRL-ALT-DEL" to log onto a computer using VNC]. This is a Windows XP Professional computer.
  5. You will need to log in as admin1 (password available via WebCT)
  6. We will be using a commercial version of l0phtcrack from @Stake called LC4. Read the LC4 documentation found under the Programs menu.

  1. Auditing the Password Hashes
    1. Log onto Sail4 as admin1
    2. Select Start | Programs | LC4
    3. Run LC4 on the local machine, using the common password audit, with all of the displays turned on.
    4. What are the passwords for these users:
      1. babbage
      2. chambers
      3. dell
      4. gates
      5. lovelace
      6. pascal
    5. Did it make any difference to add extra characters to dictionary words?
    6. Log out
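A password-filter check for the variation step 5 asks about, as an added Python example (not part of the lab and not LC4's code): it flags a candidate that is a dictionary word with a few extra characters before or after it, so a policy can refuse such passwords at change time instead of finding them in a later audit. SAMPLE_WORDLIST and the function names are constructed for this example.

```python
"""Dictionary-variant check for a password filter (added example, not part
of the lab). It flags a candidate that is a wordlist entry with a few extra
characters prepended or appended, the kind of variation Part II step 5 asks
about. SAMPLE_WORDLIST is a constructed stand-in for a dictionary file."""

# Constructed sample wordlist; a real filter loads a full dictionary.
SAMPLE_WORDLIST = {"password", "secret", "dragon", "summer", "letmein"}

def dictionary_base(password, wordlist=SAMPLE_WORDLIST, max_extra=3, min_word=4):
    """Return (word, prefix, suffix) when password, compared case-insensitively,
    is a wordlist entry with at most max_extra characters around it; else None.
    Fewest extra characters are tried first, so the closest match wins."""
    low = password.lower()
    n = len(low)
    for extra in range(max_extra + 1):            # total added characters
        for prefix_len in range(extra + 1):
            suffix_len = extra - prefix_len
            core = low[prefix_len:n - suffix_len]
            if len(core) >= min_word and core in wordlist:
                return (core, password[:prefix_len], password[n - suffix_len:])
    return None

def filter_reason(password, wordlist=SAMPLE_WORDLIST):
    """Reason to refuse the password, or None if it passes this check."""
    hit = dictionary_base(password, wordlist)
    if hit is None:
        return None
    word, prefix, suffix = hit
    if not prefix and not suffix:
        return f"'{word}' is a dictionary word"
    return (f"'{word}' is a dictionary word with extra characters "
            f"(prefix {prefix!r}, suffix {suffix!r})")
```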

Post-assignment: Answer the following questions -

TURN YOUR ASSIGNMENT IN USING THE DROPBOX IN WEBCT

Discussion Questions

  1. Discuss what you would include in a password policy as part of our security awareness policy.