Hi Joe, Point well taken, I hope I did not convey anything negative. You and Brian are one of the most technical people that I have interacted with on this list, and I have nothing but respect for each of you. Thank you for your clarification.
Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL MCP+I, MCSE, NT4 MCT www.ntea.net www.tvnug.org www.sfntug.org --------------------------------------------------------------------------- -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe Sent: Friday, November 04, 2005 1:26 PM To: [email protected] Cc: '# Jose Medeiros-IBM (E-mail)' Subject: RE: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD I don't think myself nor Brian were talking about what you posted here. I think the comments were about whomever posted that to the internet in step by baby-step instructions. For people that have to do those procedures, you would expect that the concept of what needs to be done should be enough. I know several people were not thrilled about this stuff being published to the web because I received several offline communications about it and how serious it was. To answer the questions, if you are in a position to install software on a domain controller, it is dead serious. This is why you don't let people get in that position. You may fully trust them but not trust them enough to be a Domain Admin [1] so you just want to give them the ability to add/remove software or services or modify the services or system files (hot fixes/SPs/oh and hacks) that are there, that is perfectly safe right?? They aren't a full domain admin, what harm could they do? I would argue that posting step by step instructions does more to help people who shouldn't be doing it than people who should protect against it. I understand where Al was coming from that it serves to help people understand why they shouldn't grant access like that to others but I expect the odds are most people admining systems that aren't looking to break in probably aren't going to look at it and read it and respond to it. I don't think someone should need to understand the technical details of something bad in order to avoid doing it. Do you have to understand how radiation will kill you if abuse it? No, but people think, I don't need to understand it, I know it is bad. The question is how do you get admins to understand that. Possibly it is simply dumb luck that more people aren't in a position to be around nasty radiation sources and they really do need to understand how it works to avoid it. On the flip side, someone looking for a way to compromise other machines now has more info on how to pull it off. It may even get them thinking about aspects of the "attack" and how they work and how those can be used in other ways to do other worse things. I expect someone in that position is generally looking at documentation like this far closer than someone who isn't. By a show of hands, how many people didn't know about this mechanism for attacking Windows machines? Also by a show of hands, how many people are rushing out to change how security is done in their environment if they are susceptable to this. I expect the first set of hands was maybe 80% of the list though maybe lower because there are a lot of bright old timers on this list. I expect though that the second set of hands is much smaller and maybe even zero. Have you yourself Jose looked at what you do for security in your site or any customers you have worked with and now see a new compromise capability and a way to protect against it and working through the weekend to correct? I expect not. The last sentence in your post is paraphrasing something I say on this list and other lists and newsgroups often. You said, "One should not have a false sense of security just because one lacks the knowledge of how to do such things.". What I usually say is "just because you don't know how to crack something doesn't mean it can't be cracked.". I have seen security "pros" who seem to think they know all of the ways of cracking things and know how to guard against them or recognize how they are done, that trait makes them worthless in security though they make a good encyclopedia. A true security pro in my opinion is someone who knows nothing can truly be guaranteed safe and you can only prove something unsafe, never safe. They are also extremely paranoid. Security is about mitigating risk, not removing it entirely, you can't entirely remove risk entirely without the system being unusable by anyone. As a funny aside, I have dealt with a couple of different sets of people who were trying to break into ADAM instances in say the last 9 months. Usally I ask them a few quick questions and then just tell them they aren't going to do it, have a nice day. Most recently was someone who is pretty good and the person didn't have the normal easy ways of getting in. It was rather fun seeing the thought process in action (and actually thinking myself on the possible vectors that I hadn't thought of before) in how to compromise the system. Overall I have to say that I am pretty happy with ADAM from a security standpoint. In a secure configuration where no one knows the ID or no one has access to impact the password of the external account(s) that has/have admin rights inside of ADAM I only see one effective mechanism of attack for information modification/disclosure[2]. It is quite fun to me. I expect a lot of people to burn themselves pretty hard when they don't have some "get out of jail free" card to present when they dork it up. Too many Windows admins rely on those cards for fixing things that in a seriously secure environment they shouldn't be able to fix. Possibly someone needs to write a tool that goes in and takes advantage of the one vector I can think of but the tool requires you to enter responses that can't be scripted for like an hour or something like that so that it could never be used in an automated attack but will get the people out of jail that made that silly mistake. joe [1] See how stupid that sounds? [2] There are several DOS attacks but those are very hard to protect against. But I would much rather a system be knocked down versus being suspect or having its confidential data disclosed. -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Friday, November 04, 2005 2:10 PM To: [email protected] Cc: # Jose Medeiros-IBM (E-mail) Subject: RE: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD Hi Joe, That's one way to look at it that other way to look at it is that this information is freely available on the internet. I am not posting anything new. This is just more reason for some one to lock up the Domain Controllers in a room rather then leave them out in the open. Many companies that have remote offices and have there DC's out in the open need to re-evaluate their security policies as well as make frequent audits of there Domain Admins, Enterprise Admin's and local admin groups. I am also not trying to say that Microsoft is any less secure then other products, one can get into Linux, Macintosh and Solaris Operating Systems just as easily if they have physical access to the system and can boot from a CD, USB device or Floppy. One should not have a false sense of security just because one lacks the knowledge of how to do such things. Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL MCP+I, MCSE, NT4 MCT www.ntea.net www.tvnug.org www.sfntug.org ---------------------------------------------------------------------------- --------------------- -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of joe Sent: Friday, November 04, 2005 10:26 AM To: [email protected] Subject: RE: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD It falls back to the idea of should people post information that can be used to compromise someone else's machine. These mechanisms are all fine an dandy if you are trying to break into your own system, but normally, it is to break into someone else's system. It is hopefully a rare case where an admin is so light between the ears that they forget their admin passwords. Hell I get touchy with admins who lock themselves out even. Admins are supposed to be accomplished and careful. Anyway, it is usually bad taste to post a mechanism to crack into a system that can't be countered. If everyone simply posted what they knew about cracking systems there would be a lot of people in a very bad ways as that info got around to folks who like to take advantage of stuff. Those people aren't usually the ones bright enough to find all of the exploits in the first place, they use what is published. Imagine viruses/worms that target domains and forests instead of workstations. How many people truly have their environment secured in such a way that they would be relatively safe. If not in that group how many people have their environment monitored in such a way that they would catch bad things very quickly (though quick is relative, I have written POC tools that can take out your forest in less than a couple of seconds barring too much network latency). If not in those groups, how many people have their environment so they could quickly put it back together. Say a massive forest attacking worm/virus breaks out, it takes down say a State of Michigan or Department of Homeland Security... How much impact does that have? What if it reaches Code Red proportions? joe From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Friday, November 04, 2005 1:04 PM To: [email protected] Subject: RE: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD Why not? Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL -----Original Message----- From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Brian Desmond Sent: Friday, November 04, 2005 9:48 AM To: [email protected] Subject: RE: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD He shouldn't have posted that. Thanks, Brian Desmond [EMAIL PROTECTED] c - 312.731.3132 From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Medeiros, Jose Sent: Friday, November 04, 2005 12:28 PM To: [email protected] Cc: [EMAIL PROTECTED] Subject: [ActiveDir] Reset Domain Admin Password in Windows Server 2003 AD Has any one ever tried this? Sincerely, Jose Medeiros ADP | National Account Services ProBusiness Division | Information Services 925.737.7967 | 408-449-6621 CELL Forgot the Administrator's Password? - Reset Domain Admin Password in Windows Server 2003 AD. Featured Product: Windows XP/2000/NT Key - Easy to use utility to reset Windows 2003/XP/2K/NT local and domain controller administrator passwords. Download FREE version now! Note: In order to successfully use this trick you must first use one of the password resetting tools available on the Forgot the Administrator's Password? page. The reason for that is that you need to have the local administrator's password in order to perform the following tip, and if you don't have it, then the only method of resetting it is by using the above tool. Read more about that on the Forgot the Administrator's Password? page. Update: You can also discuss these topics on the dedicated Forgot Admin Password - Related Discussions forum. Lamer note: This procedure is NOT designed for Windows XP since Windows XP is NOT a domain controller. Also, for a Windows 2000 version of this article you should read the Forgot the Administrator's Password? - Change Domain Admin Password in Windows 2000 AD page. Reader Sebastien Francois added his own personal note regarding the changing of Domain Admin passwords on Windows Server 2003 Active Directory domains (HERE). I will quote parts of it (thanks Seb!): Requirements 1. Local access to the Domain Controller (DC). 2. The Local Administrator password. 3. Two tools provided by Microsoft in their Resource Kit: SRVANY and INSTSRV. Download them from HERE (24kb). Step 1 Restart Windows 2003 in Directory Service Restore Mode. Note: At startup, press F8 and choose Directory Service Restore Mode. It disables Active Directory. When the login screen appears, log on as Local Administrator. You now have full access to the computer resources, but you cannot make any changes to Active Directory. Step 2 You are now going to install SRVANY. This utility can virtually run any programs as a service. The interesting point is that the program will have SYSTEM privileges (LSA) (as it inherits the SRVANY security descriptor), i.e. it will have full access on the system. That is more than enough to reset a Domain Admin password. You will configure SRVANY to start the command prompt (which will run the 'net user' command). Copy SRVANY and INSTSRV to a temporary folder, mine is called D:\temp. Copy cmd.exe to this folder too (cmd.exe is the command prompt, usually located at %WINDIR%\System32). Start a command prompt, point to d:\temp (or whatever you call it), and type: <span style='font-size:10.0pt;font-family:Verdana'>instsrv PassRecovery "d:\temp\srvany.exe"</span> (change the path to suit your own). It is now time to configure SRVANY. Start Regedit, and navigate to <span style='font-size:10.0pt;font-family: Verdana'>HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\PassRecovery</ span> Create a new subkey called Parameters and add two new values: <span style='font-size:10.0pt;font-family: Verdana'>name: Application type: REG_SZ (string) value: d:\temp\cmd.exe name: AppParameters type: REG_SZ (string) value: /k net user administrator 123456 /domain<br> Replace 123456 with the password you want. Keep in my mind that the default domain policy require complex passwords (including digits, respecting a minimal length etc) so unless you've changed the default domain policy use a complex password such as [EMAIL PROTECTED] Now open the Services applet (Control Panel\Administrative Tools\Services) and open the PassRecovery property tab. Check the starting mode is set to Automatic. Go to the Log On tab and enable the option Allow service to interact with the desktop. Restart Windows normally, SRVANY will run the NET USER command and reset the domain admin password. Step 3 Log on with the Administrator's account and the password you've set in step #2. Use this command prompt to uninstall SRVANY (do not forget to do it!) by typing: <span style='font-size:10.0pt;font-family: Verdana'>net stop PassRecovery sc delete PassRecovery</span> Now delete d:\temp and change the admin password if you fancy. Done! Supplement Robert Strom has written a cool script that will completely automate this process. He wrote: "My script is really just an automation of his process which performs all the post cleanup of itself. Launch one script and it's all done. No manual registry entries, the service is created, the service settings are all imported into the registry, etc." Download it from HERE (186kb). Note that you still need physical access to the DC and the ability to log on locally as the local administrator. If you do not have the local administrator's password use the following tip: Forgot the Administrator's Password?. Thanks Robert! Acknowledgments This tip was compiled and written with the help of Antid0t, Robert Strom and Sebastien Francois. Thank you all! Links How to reset the Domain Admin Password under Windows 2003 Server Original post by Antid0t and Robert Strom on the MCSEworld forums Related articles You may find these related articles of interest to you: . Change Recovery Console Password . Change User Password from a Remote Computer . Change User Password from the Command Prompt . Forgot the Administrator's Password? . Forgot the Administrator's Password? - Alternate Logon Trick . Forgot the Administrator's Password? - Reset Domain Admin Password in Windows 2000 AD . Recover Protected Office Documents . What's the Password Reset Disk in Windows XP? New: . You can also discuss these topics on the dedicated Forgot Admin Password - Related Discussions forum. up back List info : http://www.activedir.org/List.aspx List FAQ : http://www.activedir.org/ListFAQ.aspx List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
