Monday, May 18, 2009

Episode #37: Show Account Security Settings

Ed engages:

Yesterday, I was doing a presentation for a bunch of auditors, and a nice question came up from the attendees: "How can I quickly see the local account security settings on a Windows box from the command line?" When I gave the answer, I saw a lot of people's eyes light up. Of course, whenever an auditor's eyes start to flicker, we should all watch out. :)

Seriously, though... the vast majority of the people in the room quickly wrote down a note with my answer, so I figured it would make a good episode here.

On Windows, you can see overall security settings for all accounts on the box using the command:

C:\> net accounts
Force user logoff how long after time expires?: Never
Minimum password age (days): 0
Maximum password age (days): 42
Minimum password length: 0
Length of password history maintained: None
Lockout threshold: Never
Lockout duration (minutes): 30
Lockout observation window (minutes): 30
Computer role: WORKSTATION
The command completed successfully.

A simple little command like that shows really useful information, for auditors, pen testers, general security personnel... great stuff. We've got password aging information, minimum password length, password history (so users can't just reset their password to an older one they used to have), the threshold of bad logon attempts for account lockout, the time duration of account lockout, and the amount of time before a locked out account is re-activated.

The output I show above is the default settings for most versions of Windows, including Win2K, WinXP, and Vista (Yup... minimum password length of 0 by default!). On Win2k3, the only difference is that the "Computer role:" says SERVER.

Another nifty related command is:

C:\> net accounts /domain

You can run this on any system that is a member of the domain, and it'll show you the domain-wide settings for accounts.

Pretty cool, and all in one place.

So, what've you got for us on Linux, big guy?

Hal reports in:

I'm sure you all are getting fairly tired of this, but I have to give my usual disclaimers:

1) Different Unix systems handle password security settings in different ways, so we're just going to focus on Linux

2) The answer is different if you're working with a network-based authentication database like LDAP or Kerberos, but for purposes of this article we're just going to stick to local password files

With those disclaimers in mind, the basic answer is simple:

# chage -l hal
Last password change : Jul 14, 2007
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7

The "chage" command can be used to get (and set) basic password security parameters for accounts on your Linux system (other Unix variants often use the "passwd" command for this). This is actual output from one of my test systems and shows you the standard Linux defaults for these parameters, which are obviously not terribly secure. You may change the defaults by modifying the /etc/login.defs file, but be aware that the defaults you set in login.defs will only apply to new accounts that you create with the built-in "useradd" program that comes with Linux. If you use some other scheme for creating accounts, then you'll have to use the "chage" command to manually set these values after you create each account.

If you compare the "chage" output with the output of Ed's "net accounts" command, you'll notice that "chage" doesn't have anything to say about password history settings or "lockout on failure" parameters. That's because this level of password security is a property of the lower-level PAM configuration on most Unix systems. On Linux, the pam_cracklib and pam_unix modules take care of password history and strong password enforcement, while pam_tally is responsible for "lockout on failure". Unfortunately there's no way to audit the settings for these modules other than to look at the actual PAM configuration files, usually found in /etc/pam.d.
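One way to turn Hal's two checks (the "chage -l" values and a look at /etc/pam.d) into something you can run across every local account, as an added example that is not from the original post: the policy limits, the UID range treated as "ordinary users", and the exact chage label wording are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post): flag weak "chage -l" values and
# check for the PAM modules Hal names. Limits are assumptions for this example.
MAX_DAYS_LIMIT=90; MIN_DAYS_LIMIT=1; WARN_DAYS_LIMIT=7   # assumed policy limits (days)
# Constructed sample: the default "chage -l" output quoted in the post.
SAMPLE_DEFAULT='Last password change : Jul 14, 2007
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7'
# Read "chage -l" text on stdin; print one "WEAK <user>: ..." line per setting outside
# the limits. Real chage pads labels with tabs before the colon, so both sides are trimmed.
audit_chage() {
    user="$1"
    while IFS= read -r line; do
        label=${line%%:*}; label=${label%"${label##*[![:space:]]}"}
        value=${line#*:};  value=${value#"${value%%[![:space:]]*}"}
        case "$value" in *[!0-9]*) continue ;; esac   # skip dates, "never", "-1"
        case "$label" in
            "Maximum number of days between password change")
                if [ "$value" -gt "$MAX_DAYS_LIMIT" ]; then echo "WEAK $user: max age $value > $MAX_DAYS_LIMIT"; fi ;;
            "Minimum number of days between password change")
                if [ "$value" -lt "$MIN_DAYS_LIMIT" ]; then echo "WEAK $user: min age $value < $MIN_DAYS_LIMIT"; fi ;;
            "Number of days of warning before password expires")
                if [ "$value" -lt "$WARN_DAYS_LIMIT" ]; then echo "WEAK $user: warning $value < $WARN_DAYS_LIMIT"; fi ;;
        esac
    done
}

# chage says nothing about history or lockout: report whether the PAM modules
# Hal names are referenced anywhere under the given pam.d directory.
pam_summary() {
    dir="$1"
    for mod in pam_cracklib pam_unix pam_tally; do
        if grep -qs "$mod" "$dir"/*; then echo "$mod: referenced in $(grep -ls "$mod" "$dir"/* | tr '\n' ' ')"
        else echo "$mod: not referenced under $dir"; fi
    done
}

# Live scan (needs root to read other users' aging data): accounts with UID
# 1000..65533, an assumption about where ordinary users live on this box.
if [ "${1:-}" = "--scan" ]; then
    for u in $(awk -F: '$3 >= 1000 && $3 < 65534 {print $1}' /etc/passwd); do
        chage -l "$u" | audit_chage "$u"
    done
    pam_summary /etc/pam.d
fi
```

Run it with `--scan` as root to audit the live system; without arguments it only defines the functions, so you can also pipe saved "chage -l" output through `audit_chage` by hand.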