15 September 2009

CIFS Minimum Password Length Policy Allows Password Brute Forcing

Description:

The minimum password length on the CIFS/Samba server is too low. This is a security risk. If the account policy does not enforce a reasonable minimum password length, an attacker will stand a much better chance of guessing or brute forcing users' passwords. Enforcing a higher minimum password length will limit the effectiveness of any brute forcing attempts.

The default password length is typically set to 0, which allows empty passwords. Most policies recommend setting the minimum to 6 or more characters.

Solution:

Microsoft Windows Vista, Microsoft Windows Vista Home, Basic Edition, Microsoft Windows Vista Home, Basic N Edition, Microsoft Windows Vista Home, Premium Edition, Microsoft Windows Vista Ultimate Edition, Microsoft Windows Vista Enterprise Edition, Microsoft Windows Vista Business Edition, Microsoft Windows Vista Business N Edition, Microsoft Windows Vista Starter Edition, Microsoft Windows Server 2008, Microsoft Windows Server 2008, Standard Edition, Microsoft Windows Server 2008, Enterprise Edition, Microsoft Windows Server 2008, Datacenter Edition, Microsoft Windows Server 2008, HPC Edition, Microsoft Windows Server 2008, Web Edition, Microsoft Windows Server 2008, Storage Edition, Microsoft Windows Small Business Server 2008, Microsoft Windows Essential Business Server 2008
Set the minimum password length
  1. Open the Windows Control Panel.
  2. Select "Administrative Tools".
  3. To change the domain-wide password policy, select "Domain Security Policy" (or "Domain Controller Security Policy" if the computer is a Domain Controller). Otherwise, to change the policy for this computer only, select "Local Security Policy."
  4. Expand the "Account Policies" folder and select "Password Policy".
  5. Set the Minimum Password Length. This setting enforces a minimum length for new or changed passwords. A value of 6 or higher is recommended.
  6. Note that this policy does not affect existing passwords. It will only take effect when an existing user changes his password.
Microsoft Windows XP, Microsoft Windows XP Home, Microsoft Windows XP Professional, Microsoft Windows Server 2003, Microsoft Windows Server 2003, Standard Edition, Microsoft Windows Server 2003, Enterprise Edition, Microsoft Windows Server 2003, Datacenter Edition, Microsoft Windows Server 2003, Web Edition, Microsoft Windows Small Business Server 2003
Set the minimum password length

  1. Open the "Performance and Maintenance" control panel.
  2. Select "Administrative Tools".
  3. To change the domain-wide password policy, select "Domain Security Policy" (or "Domain Controller Security Policy" if the computer is a Domain Controller). Otherwise, to change the policy for this computer only, select "Local Security Policy."
  4. Expand the "Account Policies" folder and select "Password Policy".
  5. Set the Minimum Password Length. This setting enforces a minimum length for new or changed passwords. A value of 6 or higher is recommended.
  6. Note that this policy does not affect existing passwords. It will only take effect when an existing user changes his password.

Microsoft Windows 2000, Microsoft Windows 2000 Professional, Microsoft Windows 2000 Server, Microsoft Windows 2000 Advanced Server, Microsoft Windows 2000 Datacenter Server
Set the minimum password length
  1. Open the "Administrative Tools" control panel.
  2. To change the domain-wide password policy, select "Domain Security Policy" (or "Domain Controller Security Policy" if the computer is a Domain Controller). Otherwise, to change the policy for this computer only, select "Local Security Policy."
  3. Expand the "Account Policies" folder and select "Password Policy".
  4. Set the Minimum Password Length. This setting enforces a minimum length for new or changed passwords. A value of 6 or higher is recommended.
  5. Note that this policy does not affect existing passwords. It will only take effect when an existing user changes his password.

Microsoft Windows NT, Microsoft Windows NT Workstation, Microsoft Windows NT Server, Microsoft Windows NT Advanced Server, Microsoft Windows NT Server, Enterprise Edition, Microsoft Windows NT Server, Terminal Server Edition
Set the minimum password length
  1. Click on the "Start" button from the Task Bar.
  2. Select "Programs".
  3. Select "Administrative Tools".
  4. To change the domain-wide password policy, select "User Manager for Domains". Otherwise, to change the policy for this computer only, select "User Manager".
  5. From the "Policies" menu, select "Account..."
  6. Set the Minimum Password Length. This setting enforces a minimum length for new or changed passwords. A value of 6 or higher is recommended.
  7. Note that this policy does not affect existing passwords. It will only take effect when an existing user changes his password.
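As an added audit check that is not part of the NeXpose advisory, the following Python script verifies the setting the procedures above configure on Windows 2000 and later: it parses a security policy export produced with `secedit /export /cfg <file>` and flags a MinimumPasswordLength below the 6 characters recommended here, treating a missing key as the default of 0. The INF content is a constructed sample, and the function and constant names are my own.

```python
# Constructed sample of a Windows security policy export, in the format
# written by "secedit /export /cfg C:\policy.inf". The real file is
# UTF-16 encoded: read it with encoding="utf-16" before passing its text.
SAMPLE_POLICY_INF = """[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 0
LockoutBadCount = 0
[Version]
signature="$CHICAGO$"
Revision=1
"""

# Threshold recommended on this page: 6 or more characters.
RECOMMENDED_MIN_LENGTH = 6


def parse_system_access(inf_text: str) -> dict:
    """Return the key/value pairs of the [System Access] section."""
    section = None
    values = {}
    for raw in inf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or comment
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        if section == "System Access" and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip()] = val.strip()
    return values


def minimum_password_length(inf_text: str) -> int:
    """Effective MinimumPasswordLength; a missing key means the default of 0."""
    raw = parse_system_access(inf_text).get("MinimumPasswordLength")
    return int(raw) if raw is not None and raw.isdigit() else 0


def check_policy(inf_text: str, minimum: int = RECOMMENDED_MIN_LENGTH) -> tuple:
    """(True, message) when the policy meets the threshold, else (False, message)."""
    length = minimum_password_length(inf_text)
    if length < minimum:
        note = " (empty passwords allowed)" if length == 0 else ""
        return (False, f"MinimumPasswordLength is {length}; "
                       f"at least {minimum} is recommended" + note)
    return (True, f"MinimumPasswordLength is {length}")


if __name__ == "__main__":
    ok, msg = check_policy(SAMPLE_POLICY_INF)
    print(("PASS: " if ok else "FAIL: ") + msg)
```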

IBM OS/400
Set the minimum password length

OS/400 V4R2 and later include a feature called NetServer which provides Windows compatible file and printer sharing. Early versions of NetServer relied on the underlying OS/400 user authentication system. However, starting with V5R1 and V5R2, NetServer can be integrated into your Windows Domain or Active Directory via Kerberos, NetBIOS, or LDAP. This integration allows the NetServer to inherit the domain's account policies, including its password and lockout policies. Refer to the NetServer documentation for more information.


Samba
Set the minimum password length

The Samba server uses the host operating system's authentication mechanism to control access. If you want to integrate Samba into your NT4 domain or Win2k Active Directory, you can use Samba 2.2.2 or later with winbind to achieve "single sign-on". However, integrating Samba with LDAP/Kerberos/Active Directory is not a trivial task and should only be undertaken with caution.



Information on these pages is summary information extracted from the NeXpose Vulnerability Assessment system. Full details are provided within the NeXpose product for licensed users.