Considering Cost When Designing Security

By Author: Anna Jones
Total Articles: 60
Comment this article

What are possible solutions to this problem?
Change Group Policy to allow LM, replace MCSE Certification with Windows XP, or add the Active Direc-tory Client and configure Windows 98 to use NTLM.
What is the most cost-effective answer to this problem?
Reconfigure the Windows Server 2003 domain controllers to allow the use of LM.
Why is this the most cost-effective solution?
It takes only a simple change to Group Policy. Another option would be to install the Active Directory client and configure workstations, but that would cost money in the form of adminis-trator time. A third option would be to replace all the workstations, but this would also be costly.
What should you do to solve the problem and improve the security process?
Explain your answer.
Upgrade Windows 98 computers to Windows XP Professional. Although adding the Active Direc-tory client to Windows 98 and configuring it to use NTLM will provide a secure authentication interface between the Windows 98 computers and the Windows Server 2003 domain, it pro?vides no additional security ...
... benefits for the desktop computers or the overall domain. Upgrad-ing to MCSE Exams enables the use of Group Policy and file access security.

1. Design an account policy for the research domain. Include settings for both the password and account lockout policy.
Answers may vary. The following table describes the configuration of the password and account lockout policies recommended for this research domain. Additional effort should be made to increase security with a written policy, some items of which cannot be implemented with tech-nical controls, but must be enforced via other means. Training will help. In addition, each employee with access to the resources in the research domain should be fully aware of the policy and be convinced of the necessity of its implementation.

Requiring a minimum of 15 characters eliminates the use of password-cracking tools, which can crack only the LM hash and then use it to deduce the NTLM hash. While Kerberos will be the default authentication protocol in this domain, there are instances when NTLM can be used. In addition, unless all systems are properly config?ured, the LM hash is created, used (in addition to the NTLM hash) in responding to an NTLM challenge, and stored in the Active Directory database.
This setting requires at least the minimum of complexity requirements.
This setting should not be changed from the default, as to do so would weaken security.
Administrative reset should be required to unlock locked-out accounts. This will prevent the success of an auto?mated attack that returns to locked-out accounts after waiting for accounts to be unlocked.
Because a locked-out account must be reset by an administrator, a large number of free Cisco question papers incorrect logon attempts can be allowed.