How to ban standard passwords and make everyone hate you

Man, as you know, is lazy.
And even more so when it comes to choosing a strong password.

I think every administrator has at some point run into the problem of simple and standard passwords being used. This phenomenon most often occurs at the upper levels of company management. Yes, yes, precisely among those who have access to confidential or commercial information, and for whom it would be most undesirable to have to clean up the consequences of password leaks or compromise and the incidents that follow.

In my practice there was a case when, in an Active Directory domain with a password policy in place, the accountants came up on their own with the idea that a password like "Pas$w0rd1234" fit the policy requirements perfectly. The result was the mass use of this password everywhere. Sometimes it differed only in the set of digits.

I very much wanted to be able not only to enable the password policy and define the character set, but also to filter passwords against a dictionary, in order to rule out the use of passwords like that.

Microsoft informs us, via the link below, that anyone who knows how to hold a compiler and an IDE properly and can pronounce C++ correctly can build the library they need and use it as they see fit. Your humble servant is not capable of that, so I had to look for a ready-made solution.

After a long search, two options for solving the problem emerged. I am, of course, talking about OpenSource solutions. Paid options exist as well, the whole range of them.

Option #1. OpenPasswordFilter

No commits for about 2 years now. The native installer works every other time; you have to fix things by hand. It creates a separate service. When the password file is updated, the DLL does not pick up the changes automatically: you need to stop the service, wait a little, edit the file, and then start the service again.

Not cool!

Option #2. PassFiltEx

The project works, is alive, and does not even require any dancing with a tambourine to get going.
Installing the filter consists of copying two files and creating several registry entries. The password file is not locked, that is, it is available for editing and, according to the project author, is simply re-read once a minute. Also, using additional registry entries, you can further fine-tune both the filter itself and the finer points of the password policy.

So
Given: Active Directory domain test.local
a Windows 8.1 test workstation (not important for the purpose of the problem)
the PassFiltEx password filter

  • Download the latest release from the PassFiltEx link.
  • Copy PassFiltEx.dll to C:\Windows\System32 (or %SystemRoot%\System32).
    Copy PassFiltExBlacklist.txt to C:\Windows\System32 (or %SystemRoot%\System32). If necessary, add our own patterns to it.
  • Edit the registry key HKLM\SYSTEM\CurrentControlSet\Control\Lsa => Notification Packages.
    Add PassFiltEx to the end of the list. (The file extension does not need to be specified.) The full list of packages used for checking will then look like this: "rassfm scecli PassFiltEx".
  • Restart the domain controller.
  • Repeat the above procedure for all domain controllers.

You can also add the following registry entries, which give you more flexibility in using this filter:

Key: HKLM\SOFTWARE\PassFiltEx - created automatically.

  • HKLM\SOFTWARE\PassFiltEx\BlacklistFileName, REG_SZ, Default: PassFiltExBlacklist.txt

    BlacklistFileName - lets you specify a custom path to the file with password patterns. If this registry entry is empty or missing, the default path is used, which is %SystemRoot%\System32. You can also specify a network path, BUT keep in mind that the pattern file must have full permissions for read, write, delete and modify.

  • HKLM\SOFTWARE\PassFiltEx\TokenPercentageOfPassword, REG_DWORD, Default: 60

    TokenPercentageOfPassword - lets you set what share of the new password a pattern may occupy. The default value is 60%. For example, if the percentage is 60 and the string starwars is in the pattern file, then the password Starwars1! will be rejected, while the password starwars1!DarthVader88 will be accepted because the share of the string in the password does not exceed 60%.

  • HKLM\SOFTWARE\PassFiltEx\RequireCharClasses, REG_DWORD, Default: 0

    RequireCharClasses - lets you extend the password requirements beyond the standard Active Directory password complexity requirements. The built-in complexity requirements demand 3 of 5 possible character classes: Upper Case, Lower Case, Digits, Special, and Unicode. Using this registry entry you can set your own complexity requirements. The value is a set of bits, each of which is a power of two.
    That is: 1 = lowercase letters, 2 = uppercase, 4 = digits, 8 = special characters, and 16 = Unicode characters.
    So with a value of 7 the requirement becomes "Upper case AND lower case AND digits", and with a value of 31 it becomes "Upper case AND lower case AND digit AND special character AND Unicode character".
    You can also combine them: 19 = "Upper case AND lower case AND Unicode character".

A few rules for creating the pattern file:

  • Patterns are case-insensitive. So the entries starwars and StarWarS in the blacklist file will be treated as the same value.
  • The blacklist file is re-read every 60 seconds, so you can edit it freely; after a minute the new data will be used by the filter.
  • There is currently no Unicode support for pattern matching. That is, you can use Unicode characters in passwords, but the filter will not match them. This is not critical, because I have not seen users using Unicode passwords.
  • It is better not to allow empty lines in the pattern file. In the debug output you will see an error when loading data from the file. The filter still works, but why have extra exceptions?
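As an added example (not PassFiltEx's own code), the following Python models the rules documented above, case-insensitive token matching, the TokenPercentageOfPassword threshold and the RequireCharClasses bitmask, so a blacklist and bitmask can be tried against candidate passwords before rolling them out to the domain controllers. Treating any non-ASCII character as the Unicode class and any other ASCII non-alphanumeric as the special class is an assumption about how the filter classifies characters.

```python
# Added example: offline model of the PassFiltEx rules described above, not the
# filter's own code. Class detection (non-ASCII -> Unicode, other ASCII
# non-alphanumerics -> special) is an assumption about the real filter.
LOWER, UPPER, DIGIT, SPECIAL, UNICODE = 1, 2, 4, 8, 16  # RequireCharClasses bits


def load_blacklist(text):
    """One token per line, lower-cased (matching is case-insensitive). Blank
    lines are skipped here; the real filter logs an error for them."""
    return [line.strip().lower() for line in text.splitlines() if line.strip()]


def largest_token_share(password, tokens):
    """(token, percent) for the blacklisted token covering the largest share
    of the password, or ("", 0.0) if none occurs in it."""
    lowered, best = password.lower(), ("", 0.0)
    for token in tokens:
        if token in lowered:
            share = 100.0 * len(token) / len(password)
            if share > best[1]:
                best = (token, share)
    return best


def char_classes(password):
    """Bitmask of the character classes present, with the article's bit values."""
    mask = 0
    for ch in password:
        if not ch.isascii():
            mask |= UNICODE
        elif ch.islower():
            mask |= LOWER
        elif ch.isupper():
            mask |= UPPER
        elif ch.isdigit():
            mask |= DIGIT
        else:
            mask |= SPECIAL
    return mask


def check_password(password, tokens, token_percentage=60, require_classes=0):
    """(accepted, reason); defaults are the article's registry defaults."""
    token, share = largest_token_share(password, tokens)
    if share > token_percentage:
        return False, f"'{token}' is {share:.0f}% of the password (limit {token_percentage}%)"
    missing = require_classes & ~char_classes(password)
    if missing:
        return False, f"missing required character classes (bitmask {missing})"
    return True, "accepted"
```

With the article's own example, check_password("Starwars1!", load_blacklist("starwars")) reports that starwars makes up 80% of the password and rejects it, while starwars1!DarthVader88 passes; adding require_classes=7 then rejects anything lacking upper case, lower case or a digit.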

For debugging, the repository contains batch files that let you produce a log and then parse it with, for example, Microsoft Message Analyzer.
This password filter uses Event Tracing for Windows (ETW).

The ETW provider for this password filter is 07d83223-7594-4852-babc-784803fdf6c5. So, for example, you can set up event tracing to start after the next reboot:
logman create trace autosession\PassFiltEx -o %SystemRoot%\Debug\PassFiltEx.etl -p "{07d83223-7594-4852-babc-784803fdf6c5}" 0xFFFFFFFF -ets

Tracing will start after the next system reboot. To stop it:
logman stop PassFiltEx -ets && logman delete autosession\PassFiltEx -ets
All these commands are set out in the scripts StartTracingAtBoot.cmd and StopTracingAtBoot.cmd.

For a one-off check of the filter's operation, you can use StartTracing.cmd and StopTracing.cmd.
For convenient reading of this filter's debug output in Microsoft Message Analyzer, the following settings are recommended:


When tracing is stopped and the log is analyzed in Microsoft Message Analyzer, it all looks like this:


Here you can see that an attempt was made to set a password for a user; the magic word SET in the debug output tells us this. And the password was rejected because it is present in the pattern file and matches more than 30% of the entered text.

If the password change attempt was successful, we see the following:


There is one inconvenience for the end user. When trying to change to a password that is on the pattern file list, the message on the screen is no different from the standard message shown when the password does not pass the policy.


So be prepared for calls and shouting: "I entered the password correctly, but it doesn't work."

Conclusion.

This library lets you prohibit the use of simple or standard passwords in an Active Directory domain. Let's say "No!" to passwords like "P@ssw0rd", "Qwerty123", "ADm1n098".
Yes, of course, users will love you all the more for looking after their security this way and demanding that they come up with fancy passwords. And the number of calls and help-desk requests about passwords will probably increase. But security comes at a price.

Links to the resources used:
Microsoft article about the custom password filter library: Password Filters
PassFiltEx: PassFiltEx
Direct link: Latest release
Password lists:
DanielMiessler's lists: List.
Wordlist from weakpass.com: List.
Wordlist from the berzerk0 repo: List.
Microsoft Message Analyzer: Microsoft Message Analyzer.

source: www.habr.com
