Certified Mail: August 2004
Ensuring the strength of your users' passwords; using IE as a workaround for file management; is moving from desktop support to network admin a step up?
Send Mail! E-mail: firstname.lastname@example.org. Snail Mail: MCP Magazine, c/o Editors, 16261 Laguna Canyon Rd., Ste. 130, Irvine, CA 92618.
I just read Roberta Bragg's July Security Advisor column, "Rainbow Crack—Not a New Street Drug." I've been using a password-cracking tool called John the Ripper to go through the LM password database and test the strength of outside users' passwords.
Too many times we find the enterprise is being secured by someone's dog "snowball" or "bluedragon." I've tried using LDAP tools, but had trouble pulling userPassword out of AD, even with Administrator privileges.
I've always found that the best passwords were phrase-related, picking the first letter of a phrase, and replacing letters with non-alphanumeric characters. "The fox jumped over the lazy brown dog" can become the password "tFJ0+LbD!". It's easier to remember than some random concoction of letters and symbols if it's more meaningful to the end user.
Note that some Web interfaces may balk at the use of non-alphanumeric characters.
Additional measures:
Close all services over the Internet such as telnet that show a password in the clear and switch to something like SSH.
Implement a VPN for all employee remote access; even on a WLAN this has benefits.
Get an SSL box, like a Netscreen-SA (formerly Neoteris), to make remote access even easier than VPN for brain-dead end users.
Rather than using real passwords, use a token-based RADIUS authentication system (see Safeword Secure Computing or SecurID) so that no one forgets their passwords; the passwords are one-time, so it automatically takes the place of that often-ignored password changing policy.
In Don Jones' June Windows Tip Sheet, "Principle of Least Authority," Don says, "You can't run another instance of Explorer by using RUNAS—I tried, and it doesn't work."
Actually, you can do this: use "runas iexplore c:\" and achieve the same result as running another instance of Explorer in a second context.
Library Technology Specialist
University of the Pacific
Don Jones replies: You're absolutely right, but it took me and some friends at Microsoft almost a week (after I wrote the tip) to realize that IE is the perfect workaround for using RUNAS to perform file management. I don't use IE as my main browser so it just didn't occur to me. Thanks for your tip!
After the Crash
In reference to Bill Boswell's Q&A column, "Slow Win2K Performance After the Crash," when a system hangs on MUP.SYS it is typically related to the ACPI settings.
Many default BIOS settings don't have ACPI enabled. If enabled after the operating system is installed, the system will hang at MUP.SYS. The only choice is to either turn it off or re-install the operating system with it enabled.
By the way, in the past a change from single to multi-processor required a re-install (unless you knew how to change the HAL.DLL). But with Windows XP, one of the only documented changes to a system that requires a complete re-install is the enabling or disabling of ACPI.
Old NT Guys
In the "Editor's Desk" for the June issue of Microsoft Certified Professional Magazine, Dian Schaffhauser refers to "old NT" guys and moving up from help desk and desktop support to a network admin position. I am wondering where the perception comes from that a network admin is better/higher than a desktop support role?
I visit a lot of clients as an external consultant and with some companies I find people who do desktop support earn more money than I do; and many of them never want to be a network admin.
There is desktop support and server/network support; both can be technically very challenging, and with desktop support you need a thicker skin. When something goes wrong, to whom are the users going to complain? Yes, the desktop support people.
Larger projects have front-end and back-end people, and neither is better or higher; they are just the same, except they have different roles and support different kinds of machines. It's true that one has more direct contact with people than the other.
You need different people for different roles; it's not about just growing from desktop support to network administration.
Sr. Consultant RES-Q Services
I just finished reading the editorial, "Old NT Guy." It seems like my life story. I would like to add to the last sentence, "Get back in line for a new ride." That next one may be bumpier than the one before but you can proudly claim, "been there, done that, no biggie."
Fiscal Research Center
Andrew Young School of Policy Studies
Georgia State University