Re: Controls to compensate for physical access to client machines

From: pennym (news_at_pennym.removethis.plus.com.invalid)
Date: 05/14/04


Date: Fri, 14 May 2004 00:20:08 +0100

Paul,

SYSKEY on NT potentially doesn't help much. A Linux boot disk with the
'chntpw' utility could circumvent even Syskey. See:
http://home.eunet.no/~pnordahl/ntpasswd/ for more info.

A CD based Linux distribution such as 'Knoppix' could also be used to mount
the NTFS partition and read files on it. Knoppix info is here:
http://www.knoppix.net/

A potentially easier way to get around this problem might be to disable the
floppy drive completely in the BIOS and then use a password to protect the
BIOS admin functions - this would stop opportunists etc. This depends on
whether your legitimate users need to have day-to-day usage of the floppy
drive for their work. It goes without saying that you should also disable CD
booting if the machines have a CD drive in them (and it can be set to be
booted from).

I really hope that NHS confidential files are *NOT* stored in plain text on
workstations which are in public places!!! (There are of course other issues
like files on local workstations don't get backed up regularly but
presumably those on a network file store do?)

Ensure that the BIOS password used is that which is written to the hard
drive as opposed to the BIOS password itself. Using the BIOS password can be
circumvented by removing the hard drive and placing it in a different
machine (assuming the thief has time to open the PC and remove the drive -
depends on how busy the PC location is and what your physical controls are
like.)

The cached credentials store is often known as 'LSA Secrets'. An example of
a tool which can potentially recover these cached credentials is 'lsadump2'.
More info is available here:
http://razor.bindview.com/tools/desc/lsadump2_readme.html

Note that on Windows XP, the cached logon credentials have been removed from
'LSA Secrets' and lsadump2 will not be able to recover this information on
XP.

I found the following article which you may find of interest which details a
'sneaky' way of bypassing logon information in general:
http://silverstr.ufies.org/blog/archives/000475.html

All the above assumes that the attacker who wishes to access the machine has
plenty of time to do so. Is this really likely? If, on the other hand, theft
is an issue and the potential of confidential data being lost is possible,
then disk encryption is really the only way to go. Systems by Pointsec,
SafeBoot and SafeGuard (Utimaco) - 'Google' for them - would blunt all the
above attacks completely.

Hope this helps.

Regards.

"paulroper" <anonymous@discussions.microsoft.com> wrote in message
news:74640C25-98B5-493C-A99A-C6E71FB195CF@microsoft.com...
> Hi there, I am a relatively inexperienced IT Auditor for the health
> service in England. Each of our hospitals has its own network and these
> vary from NT, 2000 to 2003. Our server rooms have a high level of
> physical protection however our client machines could easily be accessed
> by a member of the public. I cannot do anything about this - it's the
> nature of the organisation.
>
> I am trying to assess the risks that this causes.
>
> I have been reading material and this suggests the following:
>
> For NT workstations it would be possible to use a NTFSDOS boot disk to
> extract the SAM file from the workstation. LC4 could then be used to
> crack to the local administrator account password. For these workstations
> I intend to recommend that all confidential files are stored on
> fileservers and that the service pack with SYSKEY is applied.
>
> For 2000 Professional/XP Pro workstations a boot disk is available that
> allows the password of any local account to be set. As all users logon to
> the domain, only administrator and guest account should be stored in the
> workstation's SAM. For these workstations I intend to recommend that the
> BIOS is amended so that the machine boots only from the HDD. The BIOS
> should then be password protected. I will also recommend users take
> advantage of EFS.
>
> I would appreciate any comments/criticisms on my intended recommendations.
> Are there ways to circumvent my suggestions (I know it may be possible to
> reset BIOS passwords).
>
> Also, after auditing laptops I realised that users could logon using the
> domain account while disconnected from the network. I assume there must
> be a hash of the user's domain password stored on the laptop. I cannot
> locate these domain accounts in the SAM. Are there any tools which can
> recover the hashed domain account passwords from client machines?
>
> Thanks in advance, Paul
>
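Two of the workstation-side points in this exchange can be checked from the machine itself: how many domain logons Windows keeps cached locally for offline use (the laptop question at the end of Paul's post), and which accounts actually live in the local SAM (Paul's expectation that only Administrator and Guest should be there). The script below is an added audit example, not code from either poster; it assumes a current Windows build with PowerShell 5.1 or later and the Microsoft.PowerShell.LocalAccounts module, run from an elevated session. The registry value and well-known RIDs it reads are standard Windows ones; the findings text is the example's own.

```powershell
# Added example (not from the thread): read-only audit of a Windows workstation for the
# two workstation-side exposures discussed above: domain logons cached on the local
# machine for offline use, and local accounts present in the SAM beyond the built-ins.
# Assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts
# module (Windows 10 / Server 2016 and later); run from an elevated session.

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$results  = @()

# CachedLogonsCount (a REG_SZ) sets how many domain logons Winlogon keeps for offline
# use. If the value is absent Windows applies its default of 10; "0" disables caching.
$prop   = Get-ItemProperty -Path $winlogon -Name 'CachedLogonsCount' -ErrorAction SilentlyContinue
$cached = if ($null -eq $prop) { 10 } else { [int]$prop.CachedLogonsCount }
$finding = if ($cached -eq 0) {
    'Offline domain logon caching disabled'
} else {
    "Up to $cached domain logons cached locally; confirm offline logon is needed on this machine"
}
$results += [pscustomobject]@{ Check = 'CachedLogonsCount'; Value = $cached; Finding = $finding }

# Local SAM accounts: on a domain-joined workstation everything beyond the built-ins
# should be explained. The Administrator account may have been renamed, so match on the
# well-known RID (last SID component) rather than on the name.
$builtinRid = @('500', '501', '503', '504')   # Administrator, Guest, DefaultAccount, WDAGUtilityAccount
foreach ($u in Get-LocalUser) {
    $rid = $u.SID.Value.Split('-')[-1]
    $finding = if ($rid -in $builtinRid) {
        if ($u.Enabled) { 'Built-in account, enabled' } else { 'Built-in account, disabled' }
    } else {
        'Non-default local account: confirm it is needed'
    }
    $results += [pscustomobject]@{ Check = 'Local account'; Value = $u.Name; Finding = $finding }
}

$results | Format-Table -AutoSize
```

Run it per workstation (or through a remoting session) and file the table with the audit notes: a non-zero CachedLogonsCount on a desktop that never leaves the building, or an enabled built-in Administrator and stray local accounts on a domain-joined client, are the findings the thread is discussing, now with evidence attached.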
