Re: Help on Administrative pasword security

From: Miha Pihler (mihap-news_at_atlantis.si)
Date: 09/10/04


Date: Fri, 10 Sep 2004 16:13:15 +0200

Hi Serge,

For those resetting tools to work, a user would need physical access to the
server. My best advice is: protect physical access to your servers. If you
have bad physical security, the last thing you need to worry about is resetting
the password. If I get physical access to your computer I can steal (simply
copy off the computer) your SAM database and have all the time in the world
to crack your administrator password without you knowing it. Once I have the
password I can simply use it to e.g. install a key logger on your server so that
I am notified of the new password in case you change it...

Besides physical security, you can additionally protect your passwords if you
switch from LM Hash to NTLM Hash.

How to prevent Windows from storing a LAN manager hash of your password in
Active Directory and local SAM databases
http://support.microsoft.com/default.aspx?scid=kb;en-us;299656&Product=winsvr2003

Account Passwords and Policies
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

Mike

"serge calderara" <sergecalderara@discussions.microsoft.com> wrote in
message news:A7CE1159-F3E3-42CB-A603-F0641D7574FD@microsoft.com...
> Dear all,
>
> In order to avoid the administrator password being reset by those
> resetting tools you can find on the net, I was thinking of creating a small
> program which verifies that the administrator password is not blank. Then if it is, I set it
> back to its original known value.
>
> The problem I get is how can I execute this program so that it
> performs its task before security settings get applied, in order to guarantee
> that when the login window is coming, the password has been replaced with its
> original value if hacked?
>
> Any idea? Is the run key in the registry enough, or services?
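
An added example, not from either poster: a PowerShell check for the NoLMHash setting that KB 299656 describes, showing the weak state (value absent or 0) next to the corrected one (DWORD 1). It assumes Windows XP / Server 2003 or later, where NoLMHash is a DWORD value under the Lsa key, and an elevated PowerShell session.

```powershell
# Added example (not part of the original thread).
# Assumes Windows XP / Server 2003 or later: NoLMHash is a DWORD value under
# HKLM\SYSTEM\CurrentControlSet\Control\Lsa (the KB uses a subkey on Windows 2000).
$lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NoLMHashState {
    $value = (Get-ItemProperty -Path $lsaPath -Name NoLMHash -ErrorAction SilentlyContinue).NoLMHash
    if ($null -eq $value) { return 'absent  (weak: LM hashes are stored for new passwords)' }
    if ($value -eq 1)     { return 'enabled (LM hashes are no longer stored)' }
    return "set to $value (weak: LM hashes are stored for new passwords)"
}

Write-Host "Before: $(Get-NoLMHashState)"

# Weak state: value missing or 0.  Corrected state: DWORD value 1.
Set-ItemProperty -Path $lsaPath -Name NoLMHash -Value 1 -Type DWord

Write-Host "After:  $(Get-NoLMHashState)"

# Caveat from the KB: LM hashes already in the SAM or Active Directory remain
# until each account's password is next changed, so schedule password changes
# after enabling the setting.
```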
