Resetting the domain admin password

sratakhinsratakhin Member Posts: 818
I was shocked to discover how easy it is to reset the domain admin password if you have physical access to a DC. I mean, I had to reset Windows XP and 7 passwords many times using different tools, but the domain admin password?!

Here it is.
vThoughts of IT: Reset your lost Domain Administrator password in 2 minutes

Tried it on Windows Server 2008 R2 and it worked perfectly. Bravo, Microsoft. I don't know what to say.

Comments

  • dbrinkdbrink Member Posts: 180
    Honestly, if you have physical access to a machine then it is game over anyway.
    Currently Reading: Learn Python The Hard Way
    http://defendyoursystems.blogspot.com/
  • ptilsenptilsen Member Posts: 2,835 ■■■■■■■■■■
    Why is this surprising? If the system is not encrypted, there will always be a way to change a password from outside the running OS. Similar options exist for recovery of other account passwords in other operating systems and directory systems. If anything, MS should make it even easier. Anyone who can Google has always been able to do this, so I would argue they should build an interface specifically for this just to make it easier.

    To prevent offline resetting of directory account passwords and still maintain the same functionality, encryption has always been necessary and always will be.
    dbrink wrote: »
    Honestly, if you have physical access to a machine then it is game over anyway.
    Only if it isn't encrypted. If it's encrypted it can be designed in such a way that it cannot be compromised except by DMA vulnerabilities or RAM forensics, both of which are limited and can generally be prevented. Physically securing systems is still important, but most systems can be adequately secured against physical access or theft with drive encryption.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • mikedisd2mikedisd2 Member Posts: 1,096 ■■■■■□□□□□
    Nice work, smart use of the Utilman.exe if you don't have a pwd resetter disk handy.
  • sratakhinsratakhin Member Posts: 818
    Ptilsen, I bet you have way more experience that I do, so finding this trick was a revelation to me ;)
  • ptilsenptilsen Member Posts: 2,835 ■■■■■■■■■■
    Fair enough. It's just something to keep in mind from an abstract standpoint. It's possible to get into almost anything offline that isn't encrypted and secured properly; it's just a matter of whether the tool exists and you can get at it or you need to make it from scratch.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • dbrinkdbrink Member Posts: 180
    ptilsen wrote: »
    Only if it isn't encrypted. If it's encrypted it can be designed in such a way that it cannot be compromised except by DMA vulnerabilities or RAM forensics, both of which are limited and can generally be prevented. Physically securing systems is still important, but most systems can be adequately secured against physical access or theft with drive encryption.

    Very true.....but I don't know about other organizations, but I haven't worked at one that used drive encryption on servers because they are in a supposedly secure data center.
    Currently Reading: Learn Python The Hard Way
    http://defendyoursystems.blogspot.com/
  • ptilsenptilsen Member Posts: 2,835 ■■■■■■■■■■
    Right, most would not use drive encryption on servers because they feel the risk of a malicious entity gaining physical access is sufficiently mitigated by the security of the server room. Most would probably be correct, but for some organizations, I would argue in favor of full-disk-encrypting all domain controllers, if not all servers. I did consult for an organization at one point and we determined full disk encryption was needed for all servers, but that was more for a vendor's compliance requirements than true need.

    It's also for this reason the Microsoft created RODCs, which are an alternative to disk-encrypting DCs. However, it's again worth noting that RODC reduce functionality compared to writable DCs with encryption, and which makes more sense has more to do with what functionality is needed.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • sratakhinsratakhin Member Posts: 818
    Ptilsen, how about disgruntled employees? I remember reading a story about a network administrator, who had access to the whole network in San Francisco and refused to release the passwords when he was fired...
  • ptilsenptilsen Member Posts: 2,835 ■■■■■■■■■■
    It is possible to devise multi-control systems in which no one administrator or engineer has sufficient access on his or her own to do something like that. However, it can be complicated, messy, and expensive, and still may not be able to effectively mitigate against a privileged user. Most organizations are probably fine with trusting their IT staff, but they should certainly be wary about such things.

    My recollection from that incident was that it was the passwords for the networking equipment, and they were able to recover them. A more concerning example would again be if the encryption keys for all servers were lost, in which case recovery might prove impossible. However, it is rare indeed to see an organization with much data have both servers and backups use encryption and only one person or even set of people having access to the keys. Any organization with that kind of need would be highly likely to have a better access control system in place, with proper separation of roles and such.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • YFZbluYFZblu Member Posts: 1,462 ■■■■■■■■□□
    sratakhin wrote: »
    I was shocked to discover how easy it is to reset the domain admin password if you have physical access to a DC. I mean, I had to reset Windows XP and 7 passwords many times using different tools, but the domain admin password?! Here it is. vThoughts of IT: Reset your lost Domain Administrator password in 2 minutes Tried it on Windows Server 2008 R2 and it worked perfectly. Bravo, Microsoft. I don't know what to say.

    In fairness, if the bootloader isn't locked down on a Linux machine it is trivial to boot to a Root shell with unfettered access to the system. Additionally if given physical access to a Cisco machine it is a simple task to bypass the startup configuration, avoid authentication, and gain access to the device.

    Every system is vulerable under the right conditions, part of our jobs is to prevent those conditions from being available to malicious entities.
  • ChooseLifeChooseLife Member Posts: 941 ■■■■■■■□□□
    YFZblu wrote: »
    Every system is vulerable under the right conditions, part of our jobs is to prevent those conditions from being available to malicious entities.
    This is spot on.

    Also, like dbrink said,
    dbrink wrote: »
    if you have physical access to a machine then it is game over anyway.

    Historically, for better or worse, we entrust those who have physical access to the system with almost unlimited powers. This can be changed - via password-protected BIOS with restricted boot options, locked USB ports, encrypted file-systems, etc - but the default modus operandi is to trust the person who can physically touch the system.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less
    - discounted vouchers for certs
  • MrAgentMrAgent Member Posts: 1,310 ■■■■■■■■□□
    The same thing is available in RHEL. In the official Red Hat classes, its part of the content, they want you to know how to reset root if you do not have the password.
  • kurosaki00kurosaki00 Member Posts: 973
    Closer your eyes, hit your keyboard with your forehead 7 times
    bam! A strong password
    meh
  • jibbajabbajibbajabba Member Posts: 4,317 ■■■■■■■■□□
    This is an old trick many, including me, just never made public. One of those 'getting out of jail cards' you keep in your wallet. Like Agent says, it is even an official RedHat procedure too to reset a password.

    On standalone windows servers there was always 'ERD Commander' - remember that one :) ?
    My own knowledge base made public: http://open902.com :p
  • DevilWAHDevilWAH Member Posts: 2,997 ■■■■■■■■□□
    kurosaki00 wrote: »
    Closer your eyes, hit your keyboard with your forehead 7 times
    bam! A strong password

    Only if the keyboard is move a random amount between strikes other wise your password will be ghghghghghghghghghghghghghghgh :)
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties. It means that its going to launch you into something great. So just focus and keep aiming.
Sign In or Register to comment.