How do I maximise password security ?
A1. Before setting up any new User accounts, you need to prevent Windows from weakening it's own password security
To retain 'backward compatibility' with DOS 'LAN MAN security' (& Windows 95 / 98), Windows XP creates (stores) the 'LM Hash' of the first 14 characters of each password as it is entered. The 'LM Hash' is extremely easy to 'break' and numerous 'tools' are available on the web that will deliver the Administrators password to any 'script kiddie' standing in front of your computer in less than 30 seconds
Even if you use passwords of more than 14 characters, it's often very easy to 'guess' the rest of a long password if you have the first 14 characters:-)
See next Answer below (using gpedit) or disable LM Hash creation via the registry :-
1) Launch regedit (Start, Run, type regedit, and then click OK)
2) Find and open: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
3) Edit, New, DWORD Value, 'NoLMHash' and click ENTER
4) Edit, Modify, '1' and click OK
5) Restart your computer
To remove the existing LM Hashes, change the passwords of all existing User Accounts
On Windows 2000, instead of 'New, DWORD Value', you 'Add Key' of the same name (NoLMHash)
A2. To change passwords and create new User Accounts, go to Settings, Control Panel, Administrative Tools, computer Management & expand 'Local Users and Groups'
The 'User Accounts' icon that you might have found in the root of the Control Panel is a Microsoft 'joke' intended for those without Administrator rights so they can change their OWN password
How else can I enforce 'high level' security ?
A1. By default, XP will allow both DOS LAN MAN and NT LM, the 'NT' version LANMAN. Both are fundamentally insecure in that XP automatically generates a poorly encrypted LM Hash of the first 14 characters of all passwords
Whilst the LM Hash only operates on the first 14 characters of a password, it's often very easy to 'guess' the rest of a password if you have the first 14 :-) The 'LM Hash' is so easy to 'crack' that it gives away the Administrators password within 30 seconds
So the first thing to do is stop Windows creating and storing the LM Hash. This can be done via RUN, MMC. Add the gpedit 'snap in', open Local computer Policy, Windows Settings, Security Settings, Local Policies, Security Options. Locate the Network security: Do not store LAN Manager hash value on next password change' and set it to 'Enabled' (and then change all your passwords)
A2. In the Corporate DOMAIN, Kerberos is used instead. However Kerberos requires a Domain Controller, so in a Workgroup the 'best' security that is possible is NTLMv2 (which supports password up to 128 characters in length). The trick is to FORCE all your computers to use NT LM v2, instead of letting them drop back to the LAN MAN / NTLM level
To force your computer to use NTLMv2, in the above Security Options window, locate the 'Network Security: LAN Manager authentication level' key and set it to 'Send NTLMv2 response only\refuse LM & NTLM'
Note - whilst using gpedit on Local / Security options, you might want to set 'Interactive logon: Do not display last user name' to 'Enabled' (see next Q & A below)
How do I 'hide' my user account name ?
To log onto your computer, an intruder needs two things - the name of a valid user account and it's matching password
A1. Microsoft ("the hackers friend"), will, by default, display the name of the last user to successfully logon, thereby doing 50% of a 'wannabe hackers' job for them
To put a stop to this unfair hackers advantage, go to Start, Settings, Control Panel, Administrative Tools & launch the Local Security Policy utility. Expand 'Local Policies', choose the Security Options folder and change the "Interactive logon: Do not display last user name" to 'Enable'.
A2. Having stopped MS revealing the last logged in user name you now have to change the names of all the 'default' user accounts such as Administrator & Guest
Start by renaming the real Administrator Account to something else ('Guest1' is good, however 'admin' is not so clever). Then you create a NEW user account which you call 'Administrator' ... and make that a member of the 'Guests' User Group :-). Don't forget to change the 'Full name' and 'Description' of the accounts. The fake Administrator can be given a random 16 character password set to 'never be changed' and then forgotten about.
You will need to create a second real account with Administrator rights (for when Windows corrupts your primary logon) = Guest2 for example :-)
What else should I do to improve account security ?
A1. Block all the other unwanted accounts, especially any 'back door' accounts you might find (such as 'HelpAssistant', Full Name "Remote Desktop Help Assistant Account" and 'SUPPORT_nnnn', Full Name "CN=Microsoft Corporation, L=Redmond, S=Washington, C=US". Both of these accounts give 'legitimacy' to the fake 'I'm from Microsoft' callers (who will use them to get into your system)
Unwanted accounts should be Disabled** rather than deleted. First delete the password by setting it blank (= Windows will not allow accounts with blank passwords to be used for remote logon) - then set 'Password can not be changed' and 'Password never expires' and finally 'Account is disabled'.
**'Disable' is better than 'delete', because the Windows system will not allow another user account to be created with the same name as an existing one. If you 'delete' an account (such as HelpAssistant) it can be recreated (by the next Microsoft 'Update', no doubt), whilst if you 'disable' it, it remains useless
A2. Check the Group 'members' and remove all those accounts you are never going to use. Note, in particular, that 'Backup Operators' actually have MORE rights over system files than Administrators !
You goal here is to 'put off' the kids & their 'wannabe hacker' friends. Virus infections won't be fooled by simple account renaming or Group 'deny' permissions - Windows will run the Virus at 'System' level and bypass the permissions system completely
How to stop remote use of an Administrator account ?
You adjust the Administrators Group 'rights' to prohibit remote logon, of course
A common 'hacker' trick is to 'break in' with a 'low level' account (Guest etc) and then 'elevate' that account to the Administrators Group. If you prohibit Administrators from logging on remotely, anyone pulling this trick will suddenly find themselves denied remote logon.
Unless you are going to permit other computers to read & write files onto this computer, you should disable ALL remote log-on.
1) Go to Settings, Control Panel, Administrative Tools & launch the Local Security Policy
2) Expand Local Policies and select User Rights Assignment
3) Find the 'Access this computer from the network' key, and remove every User Group
Preventing user accounts on 'your' computer from 'logging on remotely' means it's impossible to 'log on', from another computer, to any 'share' on your computer. However (depending on the account settings on the other computer) this does not stop you 'logging on' to another computer to access 'shares' on that computer (see later)
What's a good password ?
A1. First, set both your 'real' Administrator Accounts to the same password - if your primary password is discovered, the 2nd account grants nothing extra .. and if (when) Windows 'locks out' your primary after a few years, what's the chance of you ever remembering the 2nd if it has a different password ?
A2. Next, your password should be at least 10 characters long and incorporate lower case, upper case, a space, a number and at least one 'special character' (this is 'practically uncrackable' using the common 'Rainbow table' attack)
It only requires an 87 Gb table to crack NTLM passwords up to 7 characters. To extend this to 8 characters requires a 1050 Gb table (such tables can be found quite easily). We can thus assume 9 chars will require a 10Tb table and 10 chars 100Tb (both a beyond the limits of the 'casual' script kiddie)
Pick something you can 'remember' and turn it into a 'hard to guess' version by substituting 'special' characters in a few places. Note that a 'good trick' is to start or end with a 'space' and, when you write it down, DON'T include the 'special characters' substitution ... when your ' P@s$w0rD' is written down as ' password', 'password' or 'password ' (without the quotes) they all look the same to some-one (i.e. your kids) looking over your shoulder
P@s$w0rD is actually not that hard to guess = so don't use it. Anyway, you should avoid the 2 pairs of characters (£ or #, " or @) that depend on a 'UK Keyboard' layout (otherwise, when Windows 'forgets' your Keyboard layout settings, and reverts to the default US setting, you are going to find yourself locked out :-) )
A3. Any 'hard to guess' password is also easy to forget ... so will have to be written down. Don't worry - just add it to the back of a Business card and put it in your wallet (if you loose your wallet, your computer password is the last thing you are going to be worrying about). DON'T add your user account name to the card .. (some-one finding a business card with a string of odd characters written on it means very little .. a card with 'Guest1' and a some odd characters written on it means a whole lot more).
If you want to avoid writing anything down, I suggest using your Credit card number with 'reverse' letter substitution (1234 5678 9012 3456 becomes a totally uncrackable 19 digit password 'l2e4 sb7B go12 e4sb')
A4. To give yourself at least half a chance of NOT having to consult your written down password (and thus display it for all to see) make sure that your 'Screen Saver' is set to 'wait 5 minutes' and 'On resume, password protect' = the more often you have to enter your password the easier it will be to remember.
There is no point in 'going totally overboard' = anyone who can gain physical access to your computer can simply reboot (after resetting the BIOS password - see below) using a Clonezilla 'Live CD' and copy the contents of your hard drive for later examination at leisure. Unless you use Windows 'encryption' (not really a good idea = see later) it will be simpler to extract your files than to crack a 'complex' 10 digit password
Should I use a BIOS Password ?
A1. Yes, if you have kids. A BIOS password prevents the immediate use of a 'Live CD' (assuming you set the 'boot order' to 'Hard disk first'). When the computer is rebooted, the motherboard will ask for the BIOS Password before even starting to access any of the drives. This delays the use of a Live CD since the computer case has to be opened in order to bypass the BIOS Password (by resetting or removing the BIOS battery) before the boot order can be changed
A2. Yes, on a Laptop. Resetting the Laptop BIOS often means having to dismantle the case which helps deter thieves from selling it (so there's some chance it will still be sitting around gathering dust when the criminal is eventually caught - at which point your postcode written on it (using a UV ink pen) will mean it comes back home to you)
A3. No, on a desktop, if you don't have kids. There's little point in using a BIOS password on a desktop since it's so easy to remove the case and reset the BIOS
Many modern computer cases have a 'lock bolt' point, intended for Company use (so the computer can be fixed to a work desk making it harder to steal). Fitting a padlock to the 'lock bolt' point will stop the case being opened = however, the chances are, that when you need to open the case in a few years to replace a failed disk drive, the key will be nowhere to be found ....
How do I setup a 'Remote User' account ?
If you wish to allow others access to some 'share' on your computer, your should create an account for them to use that has access to THAT SHARE ONLY. So, for example, if you have a 'share' called eg. 'photo$' (the trailing '$' will hide a share from anyone who is 'searching' or 'browsing' - only those who know the exact name will be able to complete the 'Map Network Drive' function) you should create a new user account eg 'Photo Share' for them to use.
An account that is 'known' to remote users could be used by some-one sitting down in front of your computer to get local access. To prevent this, go to Control Panel, Administrative Tools, Local Security Policy, expand Local policies, User Rights Assignment. Find the 'Deny logon locally' key and add the 'Photo Share' account
After creating the account, go to your share ('photo$') folder, right click for Properties, select Security and add the 'Photo Share' user with full control (assuming that's what you want them to have) = you don't have to worry about any other user 'accessing' the share remotely since all the other accounts on your computer are 'Denied Remote Log-on' rights
For more suggestions on how to protect your shared data (e.g. set up the share Security 'permissions' so that a user can add photos to a share but not delete them) and how to monitor what the share users are doing, see 'Setting up your Home Server / NAS User Accounts' later.
Should I use Windows Encryption on files in a NTFS folder ?
No, I do not recommend it. First Windows will just decrypt the files for anyone who is able to log-in as an Administrator (and 'take control') and second, sooner or later your hard drive will fail and you won't be able to 'launch' Windows. At that point, any encrypted files might as well be random numbers (re-installing Windows will not 'recreate' the Encryption Key since you will get a new SSID)