Re: SysKey
From: Martin Weld (MWeld_at_community.nospam)
Date: 06/25/04
- In reply to: Steven L Umbach: "Re: SysKey"
Date: Thu, 24 Jun 2004 21:34:15 -0700
And not to mention, for the default level, in an offline attack, bad guys
1) obtain the syskey,
2) decrypt the SAM hive or decrypt ntds.dit's "unicodePwd" or "dBCSPwd" values, and
3) pass the decrypted hashes back to the online SAM or DC for Local Admin or Domain Admin, respectively.
http://studenti.unina.it/~ncuomo/syskey/
WinPE or BartPE allow a similar attack here by installing the SRVANY service offline.
http://www.nobodix.org/seb/win2003_adminpass.html
Also, there is a Microsoft webcast about this password theft today.
TechNet Webcast: Passwords Demystified - Level 200
6/25/2004 1:00 PM
http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032253148&Culture=en-US
>-----Original Message-----
>Not to mention that if I get physical access to a domain controller that is not
>protected with syskey other than default level, I can be domain administrator within
>ten minutes by first resetting the administrator password for the built in local
>administrator account used for Recovery Console and Directory Services Restore Mode,
>and then logging in via DSRM, doing a registry mod to reset the desktop settings so
>that the screen saver kicks in a few seconds after boot up to show the command
>console and then use dsa.msc to bring up AD Users and Groups and I am in as domain
>administrator. I recently tested this and it still works on SP4. --- Steve
>
>http://www.petri.co.il/reset_domain_admin_password_in_windows_2000_ad.htm
>
>"Martin Weld" <MWeld@community.nospam> wrote in message
>news:20f9301c45a36$8cc06790$a301280a@phx.gbl...
>
>>-----Original Message-----
>>The Domain Controllers store passwords in Active Directory, not the SAM
>>database. SysKey would have no impact on accounts stored in the directory.
>
>Not so.
>
>Hashed representations of passwords stored in either the
>SAM or Active Directory (ntds.dit) are both encrypted with
>SYSKEY by default on Win2k and Win2k3.
>
>http://mhorder.com/securityfocus/pdf/hackingwindows/CH02.PDF
>http://www.microsoft.com/technet/Security/prodtech/win2003/w2003hg/sgch04.mspx
>
>>--
>>Eric Chamberlain, CISSP
>>
>>
>>"faels" <dweingarten@firstam.com> wrote in message
>>news:ceeb10b.0406070540.2e541de2@posting.google.com...
>>> We want to use SysKey on our AD domain controller. Before
>>> implementing the change, I wanted to know if there are any known
>>> issues with using the utility. We are not going to pick either of the
>>> advanced options, and will keep the key locally on the machine.
>>>
>>> Has anyone experienced problems after using the utility in a Windows
>>> Server 2003 domain environment? Are there any issues with legacy
>>> systems accessing this information? What level of encryption does a
>>> SysKey protected environment maintain?
>>>
>>> Any input would be helpful