Protect/prevent Unix passwd/shadow and Windows SAM from being copied out
There's a discussion internally within our corporation about whether it's a concern that an internal staff member attempts to copy out
SAM & passwd and then run a password cracking tool on it.
Q1:
Is this a valid concern?
Q2:
In DoD B2 (or is it C2), the file containing hashed passwd 'vanishes': is the purpose to prevent someone from
copying out the hashes for cracking? Or what's the purpose of doing this?
Q3:
What are the measures we can put in place to prevent internal staff from making cracking attempts on SAM
& a Unix file containing the hashed passwords? Should a stronger hash (what's the current best practice?) or
encryption be used?
Last comment: tfewster, 8/22/2022 (Mon)

sunhux (Asker):
We thought of enabling Auditing of these files but these files are being accessed frequently to authenticate users.
Is there any way of auditing/logging it so that we only capture the genuine attempts to copy out these files?
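One way to cut the noise the asker describes, as an added example that is not part of the original thread: let auditd record every read of the watched files (an audit rule such as `-w /etc/shadow -p r -k shadow_read` is assumed to be loaded), then post-filter the records so that reads by the programs that legitimately authenticate users are dropped and only reads by anything else are reported. The allowlist of authentication binaries, the audit records and the file paths below are constructed for the example and would need tuning to the real host.

```python
import re
from collections import defaultdict

# Programs that are expected to read /etc/shadow while authenticating users.
# This allowlist is an assumption for the example; adjust it per host.
EXPECTED_READERS = {
    "/usr/sbin/sshd",
    "/usr/bin/login",
    "/usr/bin/su",
    "/usr/bin/sudo",
    "/usr/sbin/unix_chkpwd",
    "/usr/bin/passwd",
}

WATCHED = {"/etc/shadow", "/etc/passwd"}

# Constructed auditd records (not captured from a real system). Serial 101 is
# sshd authenticating a user (auid=4294967295 means "no login uid", i.e. a
# daemon); serial 102 is an interactive user (auid=1000) copying the file.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1661140000.101:101): arch=c000003e syscall=257 success=yes exit=5 ppid=900 pid=1501 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="sshd" exe="/usr/sbin/sshd" key="shadow_read"
type=PATH msg=audit(1661140000.101:101): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1661140000.202:102): arch=c000003e syscall=257 success=yes exit=3 ppid=1700 pid=1701 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="cp" exe="/usr/bin/cp" key="shadow_read"
type=PATH msg=audit(1661140000.202:102): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=PATH msg=audit(1661140000.202:102): item=1 name="/tmp/s.txt" inode=9999 mode=0100644 ouid=0 ogid=0 nametype=CREATE
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL_RE = re.compile(r"msg=audit\(([\d.]+):(\d+)\)")


def parse_record(line):
    """Split one auditd record into a dict of field -> value (quotes stripped)."""
    m = SERIAL_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    fields["_time"] = m.group(1)
    fields["_serial"] = m.group(2)
    return fields


def group_events(log_text):
    """Join the SYSCALL and PATH records that share one audit serial into one event."""
    events = defaultdict(lambda: {"paths": []})
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["_serial"]]
        if rec.get("type") == "SYSCALL":
            ev.update(rec)          # who did it: exe, comm, auid, uid, tty
        elif rec.get("type") == "PATH":
            ev["paths"].append(rec.get("name", ""))   # what was touched
    return events


def suspicious_reads(log_text, expected=EXPECTED_READERS):
    """Return (serial, exe, auid, path) for reads of watched files by unexpected programs."""
    hits = []
    for serial, ev in sorted(group_events(log_text).items(), key=lambda kv: int(kv[0])):
        touched = [p for p in ev["paths"] if p in WATCHED]
        if not touched:
            continue
        exe = ev.get("exe", "")
        if exe in expected:
            continue                # routine authentication read: no alert
        hits.append((serial, exe, ev.get("auid", "unset"), touched[0]))
    return hits


if __name__ == "__main__":
    for serial, exe, auid, path in suspicious_reads(SAMPLE_LOG):
        print(f"event {serial}: {exe} (login uid {auid}) read {path}")
```

On the constructed sample only the `cp` event is reported; the sshd read is dropped as routine. In practice the allowlist is the part that needs care: an attacker who already has root can run any binary, so the filter reduces volume rather than proving anything, and the raw records should still be forwarded off-host.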
It's late, but I'll add my 2c.
Q1: Not really. If someone has access to the hashed password file, they already have Admin/root access, at least temporarily. There are better things to worry about - logging and auditing, for example.
Q3: SHA256 + salting is easy to implement and, in my opinion, makes the hashes pretty much immune to cracking or rainbow tables.
Look at the real Risk to the company first - i.e. how likely is (something) to happen, and what would be the impact?
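As an added example of the salted SHA-256 hashing suggested in the reply to Q3 (this is not the commenter's code, and the iteration count and output format are assumptions for the example): the digest is computed with PBKDF2-HMAC-SHA256 over a per-password random salt, the salt and work factor are stored beside the digest so the check can recompute it, and verification compares in constant time. The point the reply makes about rainbow tables is visible in `same_password_same_hash`: with a fresh salt, two users who pick the same password store different digests, so a precomputed table of plain SHA-256 values matches neither.

```python
import hashlib
import hmac
import os

# Work factor and salt size are assumptions for this example; raise the
# iteration count as hardware allows.
ITERATIONS = 600_000
SALT_BYTES = 16
SCHEME = "pbkdf2_sha256"


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Return 'pbkdf2_sha256$iterations$salt_hex$digest_hex' with a random salt per password."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{SCHEME}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(stored, candidate):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    scheme, iters, salt_hex, digest_hex = stored.split("$")
    if scheme != SCHEME:
        raise ValueError("unsupported hash scheme")
    recomputed = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(recomputed, bytes.fromhex(digest_hex))


def same_password_same_hash(password):
    """False when salting works: the same password hashed twice yields different records."""
    return hash_password(password) == hash_password(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password(record, "correct horse battery staple"))
    print("verify wrong:", verify_password(record, "Tr0ub4dor&3"))
    print("two users, one password, identical stored hash:",
          same_password_same_hash("correct horse battery staple"))
```

Storing the iteration count in the record lets the work factor be raised later without invalidating existing entries: old records verify with their own count and can be re-hashed at the next successful login.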