win 2003: testing if the passwords are STRONG… what would be the best practice?



    Hello all,

    I am new to the forum and immediately would like to pop a question…
    I did some searches before posting, so I hope I did not overlook this question if it was asked before!

    Situation: Win 2003 domain controller, Active Directory (updates, latest service packs)

    This server is online on the public internet with windows remote desktop enabled.
    I was asked to “test” if the passwords are strong as part of a security exercise.
    I have access to the machine.
    There are a number of users with admin rights.
    –> We want to check if their passwords are strong.

    I used to do a similar exercise on Linux, where I would copy the password file (in the /etc/ directory) and then run a brute-force password cracker (e.g. John the Ripper) on a separate machine for a few hours/days. This without interrupting service on the main server.

    Now I wonder how to do something similar on win2k3.

    Since it is a critical machine, I cannot power down the machine (e.g. and boot from some sort of password recovery software disk), install software like a password cracker (preferably not on this machine itself), or bring the CPU to 100%

    What I would want to do is to copy the “password files” onto another machine, and run a password cracker there.

    I think /winnt/system32/config has the “sam” files containing the hashed passwords?
    However, I cannot copy this file since “file in use”…

    Does anybody know a procedure, or a good way to export the password files and test these (the password strength) on another machine, without disrupting the service on the domain controller?

    Many Thanks,

