
March 1st, 2007 by mb
This should be pretty obvious, but a lot of people don’t seem to be aware of this old trick. Normally, if you try to guess another user’s password and it fails, the attempt will show up in the event viewer of the domain controller. However, there is a way you can try to guess an account’s password without the attempts ever being logged.
It’s actually pretty simple: just unplug your network cable.
Posted in Hardening, Passwords, Security Policy, Windows Security

January 31st, 2007 by mb
Many people tell me they are surprised with how much effort I put into hardening Windows Server 2003–the last hardening document I wrote for a client was 112 pages long. That’s not 112 pages of writing, policy, and how-to’s, that’s 112 pages of nothing but settings. The process itself involves the modification, removal, or locking down of over 5,000 Registry keys and system files.
Posted in Hardening, Security Policy

March 16th, 2006 by mb
I finally finished my Perfect Passwords book. In this book I attack much of the conventional wisdom about password policies and present new techniques for building strong passwords. For example, I think that passwords as a technology aren’t obsolete yet, I don’t think that changing a password every 2 months makes it more secure, and you can compensate for almost any other policy by increasing the length of your password. More about the book here
Posted in Passwords, Security Policy