Resetting the domain admin password
I was shocked to discover how easy it is to reset the domain admin password if you have physical access to a DC. I mean, I had to reset Windows XP and 7 passwords many times using different tools, but the domain admin password?!
Here it is.
vThoughts of IT: Reset your lost Domain Administrator password in 2 minutes
Tried it on Windows Server 2008 R2 and it worked perfectly. Bravo, Microsoft. I don't know what to say.
Comments
-
dbrink Member Posts: 180
Honestly, if you have physical access to a machine then it is game over anyway.
Currently Reading: Learn Python The Hard Way
http://defendyoursystems.blogspot.com/
-
ptilsen Member Posts: 2,835 ■■■■■■■■■■
Why is this surprising? If the system is not encrypted, there will always be a way to change a password from outside the running OS. Similar options exist for recovery of other account passwords in other operating systems and directory systems. If anything, MS should make it even easier. Anyone who can Google has always been able to do this, so I would argue they should build an interface specifically for this just to make it easier.
To prevent offline resetting of directory account passwords and still maintain the same functionality, encryption has always been necessary and always will be.
Honestly, if you have physical access to a machine then it is game over anyway.
-
mikedisd2 Member Posts: 1,096 ■■■■■□□□□□
Nice work, smart use of the Utilman.exe if you don't have a pwd resetter disk handy.
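A defender-side check for the Utilman.exe substitution mikedisd2 mentions, added here as an example (it is not from the thread or from the linked vThoughts article): it verifies that the accessibility binary on a domain controller still carries a valid Microsoft Authenticode signature, that its embedded original filename matches, and that no Image File Execution Options "Debugger" value has been registered for it (the artifact MITRE ATT&CK catalogues as T1546.008). The function name, parameter and output shape are my own assumptions; it needs an elevated PowerShell 3.0 or later session on the DC, or Invoke-Command to reach several DCs at once.

```powershell
# Added example: audit the Utilman.exe accessibility binary for offline tampering.
# Assumptions (not from the thread): function name, parameter and output object
# are mine. Run elevated on the DC, or wrap in Invoke-Command for remote DCs.
function Test-AccessibilityBinary {
    [CmdletBinding()]
    param(
        # Accessibility executables Windows launches from the logon screen.
        # utilman.exe is the one named in the thread; extend the list as needed.
        [string[]]$Name = @('utilman.exe')
    )

    $sys32 = Join-Path $env:SystemRoot 'System32'
    $ifeo  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'

    foreach ($n in $Name) {
        $path = Join-Path $sys32 $n
        $sig  = Get-AuthenticodeSignature -FilePath $path

        # A swapped-in file may still be Microsoft-signed (it is just a different
        # Microsoft binary), so compare the embedded OriginalFilename as well as
        # the signature status. String comparison is case-insensitive by default.
        $signedByMicrosoft = ($sig.Status -eq 'Valid') -and
                             ($sig.SignerCertificate.Subject -like '*Microsoft*')
        $origName = (Get-Item -Path $path).VersionInfo.OriginalFilename

        # An IFEO Debugger value for an accessibility binary redirects its launch
        # without touching the file on disk, so inspect the registry key too.
        $dbg = $null
        $key = Join-Path $ifeo $n
        if (Test-Path -Path $key) {
            $dbg = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).Debugger
        }

        [pscustomobject]@{
            Binary            = $n
            SignatureStatus   = $sig.Status
            SignedByMicrosoft = $signedByMicrosoft
            OriginalFilename  = $origName
            IfeoDebugger      = $dbg
            # Heuristic: any one of the three findings is worth a closer look.
            Suspicious        = (-not $signedByMicrosoft) -or
                                ($origName -ne $n) -or
                                ($null -ne $dbg)
        }
    }
}

# Usage on a single DC:
#   Test-AccessibilityBinary | Format-Table -AutoSize
# Across all DCs (assumes a domain-joined admin workstation):
#   Invoke-Command -ComputerName (Get-ADDomainController -Filter *).HostName `
#       -ScriptBlock ${function:Test-AccessibilityBinary} | Format-Table -AutoSize
```

The check is a point-in-time audit, not a preventive control; pair it with the measures the rest of the thread argues for (BitLocker or other full-disk encryption on DCs, a BIOS/UEFI password with restricted boot order, and physical controls on the server room) and with monitoring for file or registry changes under System32 and the IFEO key.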
-
sratakhin Member Posts: 818
Ptilsen, I bet you have way more experience than I do, so finding this trick was a revelation to me.
-
ptilsen Member Posts: 2,835 ■■■■■■■■■■
Fair enough. It's just something to keep in mind from an abstract standpoint. It's possible to get into almost anything offline that isn't encrypted and secured properly; it's just a matter of whether the tool exists and you can get at it or you need to make it from scratch.
-
dbrink Member Posts: 180
Only if it isn't encrypted. If it's encrypted it can be designed in such a way that it cannot be compromised except by DMA vulnerabilities or RAM forensics, both of which are limited and can generally be prevented. Physically securing systems is still important, but most systems can be adequately secured against physical access or theft with drive encryption.
Very true... I don't know about other organizations, but I haven't worked at one that used drive encryption on servers because they are in a supposedly secure data center.
Currently Reading: Learn Python The Hard Way
http://defendyoursystems.blogspot.com/
-
ptilsen Member Posts: 2,835 ■■■■■■■■■■
Right, most would not use drive encryption on servers because they feel the risk of a malicious entity gaining physical access is sufficiently mitigated by the security of the server room. Most would probably be correct, but for some organizations, I would argue in favor of full-disk-encrypting all domain controllers, if not all servers. I did consult for an organization at one point and we determined full disk encryption was needed for all servers, but that was more for a vendor's compliance requirements than true need.
It's also for this reason that Microsoft created RODCs, which are an alternative to disk-encrypting DCs. However, it's again worth noting that RODCs reduce functionality compared to writable DCs with encryption, and which makes more sense has more to do with what functionality is needed.
-
sratakhin Member Posts: 818
Ptilsen, how about disgruntled employees? I remember reading a story about a network administrator who had access to the whole network in San Francisco and refused to release the passwords when he was fired...
-
ptilsen Member Posts: 2,835 ■■■■■■■■■■
It is possible to devise multi-control systems in which no one administrator or engineer has sufficient access on his or her own to do something like that. However, it can be complicated, messy, and expensive, and still may not be able to effectively mitigate against a privileged user. Most organizations are probably fine with trusting their IT staff, but they should certainly be wary about such things.
My recollection from that incident was that it was the passwords for the networking equipment, and they were able to recover them. A more concerning example would again be if the encryption keys for all servers were lost, in which case recovery might prove impossible. However, it is rare indeed to see an organization with much data have both servers and backups use encryption and only one person or even set of people having access to the keys. Any organization with that kind of need would be highly likely to have a better access control system in place, with proper separation of roles and such.
-
YFZblu Member Posts: 1,462 ■■■■■■■■□□
I was shocked to discover how easy it is to reset the domain admin password if you have physical access to a DC. I mean, I had to reset Windows XP and 7 passwords many times using different tools, but the domain admin password?! Here it is. vThoughts of IT: Reset your lost Domain Administrator password in 2 minutes Tried it on Windows Server 2008 R2 and it worked perfectly. Bravo, Microsoft. I don't know what to say.
In fairness, if the bootloader isn't locked down on a Linux machine it is trivial to boot to a root shell with unfettered access to the system. Additionally, if given physical access to a Cisco machine it is a simple task to bypass the startup configuration, avoid authentication, and gain access to the device.
Every system is vulnerable under the right conditions; part of our jobs is to prevent those conditions from being available to malicious entities.
-
ChooseLife Member Posts: 941 ■■■■■■■□□□
Every system is vulnerable under the right conditions; part of our jobs is to prevent those conditions from being available to malicious entities.
Also, like dbrink said, if you have physical access to a machine then it is game over anyway.
Historically, for better or worse, we entrust those who have physical access to the system with almost unlimited powers. This can be changed - via password-protected BIOS with restricted boot options, locked USB ports, encrypted file-systems, etc - but the default modus operandi is to trust the person who can physically touch the system.
"You don't become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process." (c) xkcd #896
GetCertified4Less - discounted vouchers for certs
-
MrAgent Member Posts: 1,310 ■■■■■■■■□□
The same thing is available in RHEL. In the official Red Hat classes, it's part of the content; they want you to know how to reset root if you do not have the password.
-
kurosaki00 Member Posts: 973
Close your eyes, hit your keyboard with your forehead 7 times
bam! A strong password
meh
-
jibbajabba Member Posts: 4,317 ■■■■■■■■□□
This is an old trick many, including me, just never made public. One of those 'get out of jail' cards you keep in your wallet. Like Agent says, it is even an official RedHat procedure to reset a password.
On standalone Windows servers there was always 'ERD Commander' - remember that one?
My own knowledge base made public: http://open902.com
-
DevilWAH Member Posts: 2,997 ■■■■■■■■□□
kurosaki00 wrote: »Close your eyes, hit your keyboard with your forehead 7 times
bam! A strong password
Only if the keyboard is moved a random amount between strikes, otherwise your password will be ghghghghghghghghghghghghghghgh
- If you can't explain it simply, you don't understand it well enough. Albert Einstein
- An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Linkin Profile - Blog: http://Devilwah.com