Brute-Force and Dictionary Password Attacks
2008-01-26 Initial Post
From what I’ve been able to determine, these types of attacks are very difficult against an account database such as Active Directory. Here are my thoughts on this:
1.) A remotely mounted attack can be easily thwarted if AD has account lockout enabled. If the lockout threshold is three invalid attempts and the lockout duration is 30 minutes, an attacker would have three chances every 30 minutes. At that rate, even using the most powerful supercomputer in the world today would be fruitless. Also, if logging is enabled, a sys admin would be able to spot the lockouts and investigate.
A note on the account lockout threshold: Make it a high number so users don’t get locked out easily. Use a number such as ten. That number is low enough to thwart an attacker, but high enough to give must users a valid chance to logon. If a user tries ten times and fails, then that’s something you want your help desk to be aware of.
2.) An attacker can try to remotely make a copy of the password database/file. But doing so requires administrator-level access since the locations of the files are usually locked down so that only administrators can access them. The location of the AD database, ntds.dit in C:\WINDOWS\NTDS\, is locked down to only Administrators and system accounts. Likewise for the local accounts database, SAM, in C:\WINDOWS\system32\config\. Also, these files are locked by the OS during normal operation, so you can't even make a copy of them.
If the attacker has an admin-level backdoor or has stolen admin credentials, that opens up a whole bunch of other issues to worry about other than the security of the aforementioned files. Once an attacker has a copy of the files, it makes a brute force or dictionary attack much easier.
3.) If multi-factor authentication is used, then cracking a password wouldn’t completely compromise a system.
4.) Attacks on the passwords of files, such as secure PDF and ZIP files, is another issue. Since those files normally don’t have any type of invalid password lockout feature, it’s much easier to mount an attack on them.
5.) Good physical access control will prevent an attacker from gaining access to a system and booting it up in offline mode (with BartPE and the like) and making a copy of the aforementioned files. You should also consider encrypting the drives of AD DCs so that they can’t be accessed offline.