Resetting the domain admin password

sratakhin Member Posts: 818
I was shocked to discover how easy it is to reset the domain admin password if you have physical access to a DC. I mean, I had to reset Windows XP and 7 passwords many times using different tools, but the domain admin password?!

Here it is.
vThoughts of IT: Reset your lost Domain Administrator password in 2 minutes

Tried it on Windows Server 2008 R2 and it worked perfectly. Bravo, Microsoft. I don't know what to say.

Comments

  • dbrink Member Posts: 180
    Honestly, if you have physical access to a machine then it is game over anyway.
    Currently Reading: Learn Python The Hard Way
    http://defendyoursystems.blogspot.com/
  • ptilsen Member Posts: 2,835
    Why is this surprising? If the system is not encrypted, there will always be a way to change a password from outside the running OS. Similar options exist for recovery of other account passwords in other operating systems and directory systems. If anything, MS should make it even easier. Anyone who can Google has always been able to do this, so I would argue they should build an interface specifically for this just to make it easier.

    To prevent offline resetting of directory account passwords and still maintain the same functionality, encryption has always been necessary and always will be.
    dbrink wrote: »
    Honestly, if you have physical access to a machine then it is game over anyway.
    Only if it isn't encrypted. If it's encrypted it can be designed in such a way that it cannot be compromised except by DMA vulnerabilities or RAM forensics, both of which are limited and can generally be prevented. Physically securing systems is still important, but most systems can be adequately secured against physical access or theft with drive encryption.
    Working B.S., Computer Science
    Complete: 55/120 credits SPAN 201, LIT 100, ETHS 200, AP Lang, MATH 120, WRIT 231, ICS 140, MATH 215, ECON 202, ECON 201, ICS 141, MATH 210, LING 111, ICS 240
    In progress: CLEP US GOV,
    Next up: MATH 211, ECON 352, ICS 340
  • mikedisd2 Member Posts: 1,096
    Nice work, smart use of the Utilman.exe if you don't have a pwd resetter disk handy.
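An added, defender-side check (not from the thread) that a Windows admin could run on a DC to spot the Utilman.exe swap mikedisd2 refers to, and to report whether the system volume has the drive encryption the thread names as the mitigation. It assumes PowerShell 4 or later in an elevated session on the host being checked, and that a genuine Utilman.exe reports OriginalFilename "UTILMAN.EXE" (an assumption).

```powershell
# Added example (not from the thread): integrity check for Utilman.exe on a Windows host.
# Assumes PowerShell 4+ and an elevated session; the expected OriginalFilename is an assumption.
function Test-UtilmanIntegrity {
    [CmdletBinding()]
    param([string]$SystemRoot = $env:SystemRoot)

    $utilman  = Join-Path $SystemRoot 'System32\Utilman.exe'
    $cmd      = Join-Path $SystemRoot 'System32\cmd.exe'
    $item     = Get-Item -LiteralPath $utilman
    $sig      = Get-AuthenticodeSignature -FilePath $utilman
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. The genuine binary carries a valid Microsoft signature (catalog-signed files on
    #    older hosts may report NotSigned; treat that as a warning, not proof of tampering).
    if ($sig.Status -ne 'Valid') {
        $findings.Add("Authenticode status is '$($sig.Status)', expected 'Valid'")
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        $findings.Add("Signer is '$($sig.SignerCertificate.Subject)', not Microsoft")
    }

    # 2. The PE version resource should name Utilman itself, not whatever was copied over it.
    $origName = $item.VersionInfo.OriginalFilename
    if ($origName -notmatch '^utilman\.exe$') {
        $findings.Add("OriginalFilename is '$origName', expected 'UTILMAN.EXE'")
    }

    # 3. The classic swap copies cmd.exe over Utilman.exe, so a direct hash match is conclusive.
    $hUtil = (Get-FileHash -LiteralPath $utilman -Algorithm SHA256).Hash
    $hCmd  = (Get-FileHash -LiteralPath $cmd -Algorithm SHA256).Hash
    if ($hUtil -eq $hCmd) { $findings.Add('Utilman.exe is byte-identical to cmd.exe') }

    # 4. The thread's mitigation: without drive encryption the offline swap is always possible.
    try {
        $bl = Get-BitLockerVolume -MountPoint $env:SystemDrive -ErrorAction Stop
        $encrypted = ($bl.ProtectionStatus -eq 'On')
    } catch {
        $encrypted = $null   # BitLocker module absent or not elevated: status unknown
    }

    [pscustomobject]@{
        Path                  = $utilman
        LastWriteTimeUtc      = $item.LastWriteTimeUtc
        SHA256                = $hUtil
        Tampered              = ($findings.Count -gt 0)
        Findings              = $findings
        SystemVolumeEncrypted = $encrypted
    }
}

Test-UtilmanIntegrity | Format-List
```

Run it periodically from a scheduled task or as part of a baseline check; a Tampered result or a SystemVolumeEncrypted of False on a DC is what the discussion above warns about.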
  • sratakhin Member Posts: 818
    Ptilsen, I bet you have way more experience than I do, so finding this trick was a revelation to me ;)
  • ptilsen Member Posts: 2,835
    Fair enough. It's just something to keep in mind from an abstract standpoint. It's possible to get into almost anything offline that isn't encrypted and secured properly; it's just a matter of whether the tool exists and you can get at it or you need to make it from scratch.
  • dbrink Member Posts: 180
    ptilsen wrote: »
    Only if it isn't encrypted. If it's encrypted it can be designed in such a way that it cannot be compromised except by DMA vulnerabilities or RAM forensics, both of which are limited and can generally be prevented. Physically securing systems is still important, but most systems can be adequately secured against physical access or theft with drive encryption.

    Very true... but I don't know about other organizations; I haven't worked at one that used drive encryption on servers because they are in a supposedly secure data center.
  • ptilsen Member Posts: 2,835
    Right, most would not use drive encryption on servers because they feel the risk of a malicious entity gaining physical access is sufficiently mitigated by the security of the server room. Most would probably be correct, but for some organizations, I would argue in favor of full-disk-encrypting all domain controllers, if not all servers. I did consult for an organization at one point and we determined full disk encryption was needed for all servers, but that was more for a vendor's compliance requirements than true need.

    It's also for this reason that Microsoft created RODCs, which are an alternative to disk-encrypting DCs. However, it's again worth noting that RODCs reduce functionality compared to writable DCs with encryption, and which makes more sense has more to do with what functionality is needed.
  • sratakhin Member Posts: 818
    Ptilsen, how about disgruntled employees? I remember reading a story about a network administrator who had access to the whole network in San Francisco and refused to release the passwords when he was fired...
  • ptilsen Member Posts: 2,835
    It is possible to devise multi-control systems in which no one administrator or engineer has sufficient access on his or her own to do something like that. However, it can be complicated, messy, and expensive, and still may not be able to effectively mitigate against a privileged user. Most organizations are probably fine with trusting their IT staff, but they should certainly be wary about such things.

    My recollection from that incident was that it was the passwords for the networking equipment, and they were able to recover them. A more concerning example would again be if the encryption keys for all servers were lost, in which case recovery might prove impossible. However, it is rare indeed to see an organization with much data have both servers and backups use encryption and only one person or even set of people having access to the keys. Any organization with that kind of need would be highly likely to have a better access control system in place, with proper separation of roles and such.
  • YFZblu Member Posts: 1,462
    sratakhin wrote: »
    I was shocked to discover how easy it is to reset the domain admin password if you have physical access to a DC. I mean, I had to reset Windows XP and 7 passwords many times using different tools, but the domain admin password?! Here it is. vThoughts of IT: Reset your lost Domain Administrator password in 2 minutes Tried it on Windows Server 2008 R2 and it worked perfectly. Bravo, Microsoft. I don't know what to say.

    In fairness, if the bootloader isn't locked down on a Linux machine it is trivial to boot to a Root shell with unfettered access to the system. Additionally if given physical access to a Cisco machine it is a simple task to bypass the startup configuration, avoid authentication, and gain access to the device.

    Every system is vulnerable under the right conditions; part of our jobs is to prevent those conditions from being available to malicious entities.
  • ChooseLife Member Posts: 941
    YFZblu wrote: »
    Every system is vulnerable under the right conditions; part of our jobs is to prevent those conditions from being available to malicious entities.
    This is spot on.

    Also, like dbrink said,
    dbrink wrote: »
    if you have physical access to a machine then it is game over anyway.

    Historically, for better or worse, we entrust those who have physical access to the system with almost unlimited powers. This can be changed - via password-protected BIOS with restricted boot options, locked USB ports, encrypted file-systems, etc - but the default modus operandi is to trust the person who can physically touch the system.
    “You don’t become great by trying to be great. You become great by wanting to do something, and then doing it so hard that you become great in the process.” (c) xkcd #896

    GetCertified4Less
    - discounted vouchers for certs
  • MrAgent Member Posts: 1,310
    The same thing is available in RHEL. In the official Red Hat classes, it's part of the content; they want you to know how to reset root if you do not have the password.
  • kurosaki00 Member Posts: 973
    Close your eyes, hit your keyboard with your forehead 7 times
    bam! A strong password
    meh
  • jibbajabba Member Posts: 4,317
    This is an old trick many, including me, just never made public. One of those 'get out of jail' cards you keep in your wallet. Like Agent says, it is even an official RedHat procedure to reset a password.

    On standalone windows servers there was always 'ERD Commander' - remember that one :) ?
    My own knowledge base made public: http://open902.com :p
  • DevilWAH Member Posts: 2,997
    kurosaki00 wrote: »
    Close your eyes, hit your keyboard with your forehead 7 times
    bam! A strong password

    Only if the keyboard is moved a random amount between strikes, otherwise your password will be ghghghghghghghghghghghghghghgh :)
    • If you can't explain it simply, you don't understand it well enough. Albert Einstein
    • An arrow can only be shot by pulling it backward. So when life is dragging you back with difficulties, it means that it's going to launch you into something great. So just focus and keep aiming.