Sorry, but except for a backup during a migration or the like, of what use is a DC if it's not running? ;)

I had an NT 4.0 domain with SYSKEY enabled. When our network security folks needed to test accounts for password strength using l0phtcrack, we had to use rdisk to provide them a copy of the unencrypted SAM that they could then run l0phtcrack against. That led me to believe that just because the DC is running, the SAM isn't automatically decrypted. I'm not saying that encrypting the SAM isn't a good idea. I'm saying that it isn't the be-all and end-all of security.

As you said, Guido, reboot to an alternate OS like Nordahl's disk does. Or string together one of the myriad vulnerabilities of the Windows platform to gain access to an admin session, or use an elevated-privileges attack from a client and then use rdisk remotely in an NT 4.0 environment, take the unencrypted SAM offline, crack it at will and come back in with a legitimate account. Heck, if it's an NT 4.0 environment, Exchange 5.5 is probably used, and Exchange is nice enough to cache the Exchange Service account and password unencrypted in the registry of systems with the Exchange Console installed. And if anyone doubts either, I had a white hat team do both to me.

I think everyone realizes that security nowadays isn't a case of keeping someone determined out indefinitely, but out long enough to find out they are there and catch/stop them.

Dave

------------------------------------------------
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Grillenmeier, Guido

<Just make a recovery disk with the /r (I believe) option would export a readable copy of the sam>

That's only valid when the machine is running (and thus the SAM is decrypted) and you already have admin access to it. In the case of "only" having physical access but no account, you'd not have this option and thus you'd reboot the machine to start up another OS or do something similar to get at the SAM - in this case it would still be encrypted with the locally stored key.

Storing that key offline would add your extra protection, with all the hassles involved with mgmt of that offline key and handling the boot process. For companies with very high security requirements that still need to put DCs in "unsafe" locations for various reasons, storing the key offline may be a valid option to further secure the DC (or any other server, as a matter of fact). If you have the right server HW, you should be able to create disk images for each machine containing that key, and if the server has something like an ILO board you can remotely mount that image during boot time. Still a lot of stuff to manage, but all possible remotely.

/Guido

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Perdue David J Contr InDyne/Enterprise IT

Even with SYSKEY enabled on an NT DC the SAM can still be cracked with l0phtcrack or the other tools. Just make a recovery disk with the /r (I believe) option would export a readable copy of the SAM. We would have to do it for our security folks to test password strength every so often.

Honestly, I don't believe it matters what version of the Windows OS you use. If you have physical access to the system, you win.

Dave

------------------------------------------------
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Geary, Simon (Computer People)

I would suggest the Windows 2003 (and 2000 and XP) SAM is more secure than NT as it is encrypted with a locally stored key by default. The Syskey process allows you to store that key on a separate floppy disk, thus adding an extra layer of security. In the NT SAM, the encryption is not on by default but can be added with Syskey as an optional extra, so I reckon this makes the 2003 SAM more secure. If you have ever used l0phtcrack on an NT SAM you may be scared at how quickly it can rip through all your passwords (even if it does require an admin account to run).

I accept that one of the golden rules of security is that if the bad guy has physical access to your machine it's not your machine any more, but a 128-bit encryption key will take some time to crack, giving some breathing space to take action. Especially as the Syskey password needs at least 12 characters and should contain all sorts of numbers, letters, squiggles and hieroglyphics. The rainbow tables needed to crack that would probably be many terabytes in size.

Having said all that, I wouldn't bother using Syskey on my DCs or any other server due to the hassles you mention. The best idea is just to keep them in a physically secure location in the first place.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of joe

I don't think I would say that the SAM is more secure than it is with NT. The issue of being hacked is still there and still fairly trivial. The syskey can maybe help depending on the tools used to crack the server and whether it is an attempt to brute force passwords (or Rainbow crack) or gain access to the box. I don't want to get very deep into this, but if someone has physical access to the machine, they can own the machine if they so desire - period.

Using a user-generated password or floppy (and not keeping the floppy with the machine) with SysKey is safer but not tremendously so and, again, only for someone trying to steal the password database. Mostly it just adds considerable heartache to management since you have to be in front of the machine (or using some low-level IO card to redirect the console) to start it. Once the local SAM is cracked, it is one reboot and one more tool away from the DIT being cracked.

Basically, if my goal is to steal your passwords in a quiet way, syskey will help a little as it adds another 128-bit encryption piece in front of the hashes. If my goal is to take over your server or domain or forest, syskey doesn't hamper that.

joe

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Geary, Simon (Computer People)

It's still possible, but whether or not it will still be necessary with Windows Server 2003 is another question. The default security of the SAM is higher than with NT. This page gives you the process: http://support.microsoft.com/kb/310105

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Rosales, Mario

Is it still necessary to syskey DCs? On NT 4.0 we always did that. Does the same apply for Windows 2003?
RE: [ActiveDir] Syskey and AD
Perdue David J Contr InDyne/Enterprise IT Wed, 17 Nov 2004 16:15:45 -0800
