Re: Windows NT Offline Password Editor - NT Domain Controllers

From: Tim Holman (MVP - Security) (tim_holman_at_hotmail.com)
Date: 11/15/04


Date: Mon, 15 Nov 2004 18:24:23 -0000

The NT PDC local administrator account is the same as the domain
administrator account...

> Does NT prohibit the use of local accounts on domain controllers? I do not
> have access to a NT network to test this control.

Yes - you can disable local logon.

> If not, could a hacker logon to a domain controller as the local
> administrator, run pwdump and attack the extracted hashes?

How is the hacker going to get the local administrator password... ?? ;)
A good security practice is to create a strong local admin password, put it
in a sealed envelope, in a safe, and use only domain admin accounts to
administer the domain.

> If so, can hackers follow the instructions from articles such as "Forgot the
> Administrator's Password? - Reset Domain Admin Password in Windows 2000 AD"
> to reset the domain administrator password for an NT Domain?

If you have local access to the box, you can use a boot disk or CDROM to
change the password:

http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

In this vein, it's very important you keep the PDC in a LOCKED room and
secure physical access.

> Is the SAM on an NT domain controller made up of two parts? i.e. local
> account database and domain account database

It's the same. An NT PDC is just a box with lots of local user accounts on
it, which other machines see as domain accounts.

Hope this helps!

Tim

"Paul Roper" <Paul Roper@discussions.microsoft.com> wrote in message
news:17E13B29-04B4-4EEE-B6E9-2358F4652997@microsoft.com...
> Hi there,
>
> I am studying for a computer audit exam (exam this Thursday!!) and would
> really appreciate some guidance on using Petter Nordahl-Hagen's Windows
> NT/2000 password editor on NT Domain Controllers (I know this post isn't
> currently topical but I'm relatively new to IT Security and the exam papers
> require that I am familiar with security issues in NT/2K/2003 & UNIX!)
>
> I have read the instructions and these suggest that the password for the
> local administrator account can be changed on NT workstations, NT Member
> Servers and NT Domain Controllers.
>
> However, this only changes the machine (local) administrator account, not
> the domain administrator account.
>
> Does NT prohibit the use of local accounts on domain controllers? I do not
> have access to an NT network to test this control.
>
> If not, could a hacker logon to a domain controller as the local
> administrator, run pwdump and attack the extracted hashes?
>
> If so, can hackers follow the instructions from articles such as "Forgot the
> Administrator's Password? - Reset Domain Admin Password in Windows 2000 AD"
> to reset the domain administrator password for an NT Domain?
>
> Is the SAM on an NT domain controller made up of two parts? i.e. local
> account database and domain account database
>
> If someone could direct me to a paper explaining how the SAM on a domain
> controller is made up I would be very grateful.
>
> I assume a hash value of the domain administrator password is stored in the
> SAM on the domain controllers. Why is it not possible for Windows NT/2000
> Offline Password Editor to edit the password for the domain administrator
> account instead of the machine administrator account? I am sure there is a
> very good reason, but I lack the knowledge and experience to figure this
> out.
> If anyone does know the answer please let us know (in simplistic terms if
> possible!!!!)
>
> Thanks