Ensure a complex password filter is installed and configured to enforce password complexity requirements.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-2906	AD.4034_2008	SV-28510r2_rule	IAIA-1	Medium

Description
Weak passwords are easily broken with readily available hacker tools. They can give an intruder access to the system with the privileges of the account whose password was broken.

STIG	Date
Active Directory Service 2008 Security Technical Implementation Guide (STIG)	2011-05-23

Details

Check Text ( C-12539r3_chk )
1. Obtain permission to run the John the Ripper utility. 2. Ensure that the team lead has notified the site that the review will require running the John the Ripper utility. Also, include this information in the in-brief. 3. Obtain an account with administrator rights from which to run the script. 4. To run the script, double click on ‘pwchk.cmd’ 5. When prompted to save the output to floppy (Y/N). If Yes, then insert a floppy disk. The output files will be copied to drive A. If No is selected, the output is saved to the hard drive in the directory C:\temp\srr\output and no option to remove the output is provided. 6. If save to the A drive was selected, follow the prompt to remove the output from the hard drive (Y/N). If Yes is selected, the output is sent to the recycle bin. If No is selected, then the output is maintained in the C:\temp\srr\output directory. 7. The output consists of four files. Review the output and consider a password cracked only if a recognizable portion of the password has been identified. This is because the Easycheck.txt and Hybridcheck.txt output reflect passwords as being cracked, even if only one character has been identified. 8. Count how many passwords were cracked. If weak passwords are uncovered, verify that a complex password filter is installed properly (i.e., PPE, etc.) and that it is configured to enforce password complexity requirements (PPE – 14 characters, mix of upper case letters, and at least one each of the following: lower case letters, numbers, and special characters. 9. Remove output files from the machine and properly store or destroy printed output. 10. If a password filter is not installed and configured, then this is a finding. 11. If output from the password strength checking scripts indicates that there are weak passwords on the system, then this is a finding. Supplementary Notes: Use Notepad to view the output files. Note that the following various example files indicate the absence of a password: ”Guest:NO PASSWORD:501::”, and would be a finding. Easycheck.txt contains a list of passwords where one or more characters were easily discovered. ---------EXAMPLE of Easycheck.txt output file------------------------------------------------ Administrator:NO PASSWORD:500::: Guest:NO PASSWORD:501::: 2 password hashes cracked, 9 left --------------------------------------------------------------------------------------------------------- Hybridcheck.txt contains a list of passwords where one or more characters were discovered using the rules and/or dictionary. ---------EXAMPLE of Hybridcheck.txt output file------------------------------------------------ Administrator:NO PASSWORD:500::: Guest:NO PASSWORD:501::: TestUser2:password:1110::: TestUser3:superman:1111::: 4 password hashes cracked, 7 left --------------------------------------------------------------------------------------------------------- 127.0.0.1.pwdump contains the local SAM file that John the Ripper uses to crack passwords. ---------EXAMPLE of 127.0.0.1.pwdump output file-------------------------------------------- Administrator:500:NO PASSWORD*******************:NO PASSWORD*****************::: Guest:501:NO PASSWORD*****************:NO PASSWORD*****************::: krbtgt:502:NO PASSWORD*****************:47C4F34CF03E2A9AD81EB85CA0888F77::: SUPPORT_388945a0:1001:NO PASSWORD*****************:4BD973FA18F1605670C35FD02580F3BB::: TestUser:1108:E6AE98BD19BBF81DBFB9CD018740B5B8:7B5B74F147638B6A24D78A1E3880A2DE::: TestUser1:1109:NO PASSWORD*****************:F97DCC88373417A0D7E59AD9B2ADE86D::: TestUser1_history_0:1109:42791C31A0391A6F72B29400B120B36D:D6E7767D7AB3EB0DF541057F13A502D3::: TestUser2:1110:NO PASSWORD*****************:8846F7EAEE8FB117AD06BDD830B7586C::: TestUser2_history_0:1110:73B62BA474E6B300D553083889BF4874:7ECFFFF0C3548187607A14BAD0F88BB1::: TestUser3:1111:NO PASSWORD*****************:72F5CFA80F07819CCBCFB72FEB9EB9B7::: DISATEST-W2K3DC$:1005:NO PASSWORD*******************:451135221C2FEB938E684CD685388BD2::: --------------------------------------------------------------------------------------------------------- John.pot contains the hash and the character(s) of the passwords that were cracked. Note: Open this file using Notepad. Sample of John.pot hash file: ---------EXAMPLE of John.pot output file------------------------------------------------------- $NT$8846F7EAEE8FB117AD06BDD830B7586C:password $NT$72F5CFA80F07819CCBCFB72FEB9EB9B7:superman ---------------------------------------------------------------------------------------------------------

Check Text ( C-12539r3_chk )

1. Obtain permission to run the John the Ripper utility.

2. Ensure that the team lead has notified the site that the review will require running the John the Ripper utility. Also, include this information in the in-brief.

3. Obtain an account with administrator rights from which to run the script.

4. To run the script, double click on ‘pwchk.cmd’

5. When prompted to save the output to floppy (Y/N). If Yes, then insert a floppy disk. The output files will be copied to drive A. If No is selected, the output is saved to the hard drive in the directory C:\temp\srr\output and no option to remove the output is provided.

6. If save to the A drive was selected, follow the prompt to remove the output from the hard drive (Y/N). If Yes is selected, the output is sent to the recycle bin. If No is selected, then the output is maintained in the C:\temp\srr\output directory.

7. The output consists of four files. Review the output and consider a password cracked only if a recognizable portion of the password has been identified. This is because the Easycheck.txt and Hybridcheck.txt output reflect passwords as being cracked, even if only one character has been identified.

8. Count how many passwords were cracked. If weak passwords are uncovered, verify that a complex password filter is installed properly (i.e., PPE, etc.) and that it is configured to enforce password complexity requirements (PPE – 14 characters, mix of upper case letters, and at least one each of the following: lower case letters, numbers, and special characters.

9. Remove output files from the machine and properly store or destroy printed output.

10. If a password filter is not installed and configured, then this is a finding.

11. If output from the password strength checking scripts indicates that there are weak passwords on the system, then this is a finding.

Supplementary Notes:

Use Notepad to view the output files. Note that the following various example files indicate the absence of a password: ”Guest:NO PASSWORD:501::”, and would be a finding.

Easycheck.txt contains a list of passwords where one or more characters were easily discovered.
---------EXAMPLE of Easycheck.txt output file------------------------------------------------
Administrator:NO PASSWORD:500:::
Guest:NO PASSWORD:501:::
2 password hashes cracked, 9 left
---------------------------------------------------------------------------------------------------------

Hybridcheck.txt contains a list of passwords where one or more characters were discovered using the rules and/or dictionary.
---------EXAMPLE of Hybridcheck.txt output file------------------------------------------------
Administrator:NO PASSWORD:500:::
Guest:NO PASSWORD:501:::
TestUser2:password:1110:::
TestUser3:superman:1111:::
4 password hashes cracked, 7 left
---------------------------------------------------------------------------------------------------------

127.0.0.1.pwdump contains the local SAM file that John the Ripper uses to crack passwords.
---------EXAMPLE of 127.0.0.1.pwdump output file--------------------------------------------
Administrator:500:NO PASSWORD*********************:NO PASSWORD*********************:::
Guest:501:NO PASSWORD*********************:NO PASSWORD*********************:::
krbtgt:502:NO PASSWORD*********************:47C4F34CF03E2A9AD81EB85CA0888F77:::
SUPPORT_388945a0:1001:NO PASSWORD*********************:4BD973FA18F1605670C35FD02580F3BB:::
TestUser:1108:E6AE98BD19BBF81DBFB9CD018740B5B8:7B5B74F147638B6A24D78A1E3880A2DE:::
TestUser1:1109:NO PASSWORD*********************:F97DCC88373417A0D7E59AD9B2ADE86D:::
TestUser1_history_0:1109:42791C31A0391A6F72B29400B120B36D:D6E7767D7AB3EB0DF541057F13A502D3:::
TestUser2:1110:NO PASSWORD*********************:8846F7EAEE8FB117AD06BDD830B7586C:::
TestUser2_history_0:1110:73B62BA474E6B300D553083889BF4874:7ECFFFF0C3548187607A14BAD0F88BB1:::
TestUser3:1111:NO PASSWORD*********************:72F5CFA80F07819CCBCFB72FEB9EB9B7:::
DISATEST-W2K3DC$:1005:NO PASSWORD*********************:451135221C2FEB938E684CD685388BD2:::
---------------------------------------------------------------------------------------------------------

John.pot contains the hash and the character(s) of the passwords that were cracked. Note: Open this file using Notepad. Sample of John.pot hash file:
---------EXAMPLE of John.pot output file-------------------------------------------------------
$NT$8846F7EAEE8FB117AD06BDD830B7586C:password
$NT$72F5CFA80F07819CCBCFB72FEB9EB9B7:superman
---------------------------------------------------------------------------------------------------------

Fix Text (F-5786r3_fix)
Install and configure a complex password filter to enforce DoD password complexity requirements.