May 13 2009

Windows Security: Yeah, It’s Possible

Category: Random Thought | Kyle Bubp @ 5:16 pm
He guards Hades...

Yesterday and today I attended a couple sessions on Kerberos, Windows Security, and why to never use NTLM ever again.

In both sessions (SIA301 and SIA401) the speaker was Mark Minasi. He was a pretty good speaker, very energetic, strays from the topic occasionally, but all in all pretty good. He’s also a super-nerd, but hey, I guess they all are here.

The first session really boiled down to three things:

  1. Get your users on board with security. This means no more post it notes, and definite consequences for violating the security policy.
  2. Get rid of NTLM, NTLMv2, and most definitely LANMAN.
  3. Start using PKI, certificates, and Smart Cards in your domain as soon as possible.

Windows 6 (Vista) and 7 do not use LM hashes by default, so that is something you don’t have to worry about there. But for the rest of us still on XP, you can disable those nasty authentication methods with Group Policy. We all know this, and I think Server 2003 R2 does it by default, but you need at least an 8-character password, even though that’s not really enough. Moore’s law makes that crackable in a small amount of time, so I think the standard will be 12 characters pretty soon, then more and more as technology progresses. Obviously, the more complex a password, the more likely a user is to write it down somewhere, which is why PKI and Smart Cards are the way to go.
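As an added example (not from the post or the sessions it describes), here is a PowerShell audit that checks on the local machine the settings this paragraph recommends: whether LM hash storage is off, which LM/NTLM/NTLMv2 level the LSA is configured for, and the minimum password length. The registry value names are the documented LSA settings behind the corresponding Group Policy options; the 12-character threshold is the post's suggestion, not a Windows default.

```powershell
# Added audit script, not code from the post. Reports the LSA settings behind
# "Network security: Do not store LAN Manager hash value on next password change"
# (NoLMHash) and "Network security: LAN Manager authentication level"
# (LmCompatibilityLevel), plus the local minimum password length.
# The 12-character target is the post's suggestion, not a Microsoft default.

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$LmLevelNames = @{
    0 = 'Send LM & NTLM responses'
    1 = 'Send LM & NTLM, use NTLMv2 session security if negotiated'
    2 = 'Send NTLM response only'
    3 = 'Send NTLMv2 response only'
    4 = 'Send NTLMv2 response only, refuse LM'
    5 = 'Send NTLMv2 response only, refuse LM & NTLM'
}

function Get-LsaValue([string]$Name) {
    # Returns $null when the value is absent, i.e. the OS default applies.
    $item = Get-ItemProperty -Path $LsaKey -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$noLmHash = Get-LsaValue 'NoLMHash'
$lmLevel  = Get-LsaValue 'LmCompatibilityLevel'
$lmDesc   = '(not set, OS default)'
if ($null -ne $lmLevel) { $lmDesc = "$lmLevel - $($LmLevelNames[[int]$lmLevel])" }

# Minimum password length comes from the local account policy via "net accounts".
$minLen = $null
$line = (net accounts) | Where-Object { $_ -match 'Minimum password length' }
if ($line -match '(\d+)\s*$') { $minLen = [int]$Matches[1] }

$findings = @(
    [pscustomobject]@{ Check = 'LM hash storage disabled (NoLMHash = 1)'
                       Value = $noLmHash
                       Pass  = ($noLmHash -eq 1) }
    [pscustomobject]@{ Check = 'LmCompatibilityLevel = 5 (NTLMv2 only, refuse LM & NTLM)'
                       Value = $lmDesc
                       Pass  = ($lmLevel -eq 5) }
    [pscustomobject]@{ Check = 'Minimum password length >= 12'
                       Value = $minLen
                       Pass  = ($null -ne $minLen -and $minLen -ge 12) }
)

$findings | Format-Table -AutoSize
# Non-zero exit lets a scheduled job or config-management run flag drift.
if ($findings | Where-Object { -not $_.Pass }) { exit 1 } else { exit 0 }
```

Run it in an elevated PowerShell session; a value reported as "(not set, OS default)" means no policy has been applied and the OS version's default level is in effect.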

Cracking open Kerberos really helped me understand how the Ticket Granting Ticket, Ticket Granting Service, and Service Tickets work together. I would explain the whole thing, but if you don’t really get techno-stuff, it won’t be of much value to you. All you need to know is that it is very secure and almost impossible to hack, especially since by default your hash changes every 10 hours.

That’s about it for the Windows Security stuff: a lot of new enhancements in 6 and 7, using UAC as well as disabling NTLM by default.