Change location of SAM database 3

[bmoher]

I was recently shown a Linux based utility that will let you boot to the floppy, run the utility and change the password of any user including Administrator as long as you know where the accounts are stored. A quick fix to this would be to move the files out of the default location of WINNT\system32\config.<br>
<br>
Does anybody have any suggestions for a safe way to do this ?<br>
<br>

 

[jsauce]

Windows NT, like Unix is considered a very high security system.<br>
<br>
The operating system uses the password as a parameter in an irreversible mathematical function that calculates a hash value. This hash value is then stored in the system password database (which, strangely enough, does no longer contain passwords but hash values). In order to validate a logon, the system uses the password supplied by the user, performs the mathematical function and then compares the hash value with the value stored in the password database. The premise is that when the hash values are equal, the two paswords used to generate the hash values are equal as well: the user is allowed access. Both UNIX and Windows/NT use this third method of storing password information.<br>
<br>
So if you look at a UNIX /etc/passwd file, the second field (the "password" field) does not contain passwords, but it contains the hash value that resulted from executing the UNIX hash function with the password as a parameter. Likewise, the Windows/NT security database (\WINNT\SYSTEM32\CONFIG\SAM) does not contain passwords but hash values generated from the Windows/NT hash function with the user's password as an input parameter.<br>
<br>
In operating system that store hash values instead of(encrypted) passwords it is impossible to decrypt user's passwords, even if you have full access to the system password database. However, systems storing hash values in publicly readable files are vulnerable to a so-called brute force attack. Because the hash functions are well documented, a hacker could try to generate all possible passwords, calculate their hash value and compare this hash value to the hash values stored in the system password database. Since the length of a password is bounded by a system limit, there is a finite number of possible passwords. It is theoretically possible to generate all possible passwords and hash them. Fortunately, the computing power needed in order to launch a full scale brute force attack is not generally available. In a system using eight character ASCII passwords there are approximately 7.2E16 possible passwords. Given a computer that can generate, hash and compare 1 million possible passwords per second it will take about 2258 years to search the entire password space. Since Windows/NT uses passwords of up to 14 characters a brute force attack with the same computer would take more then 600,000 billion years.<br>
<br>
What makes this really fun, is that users often use simple passwords only containing numbers, and/or letters. This makes passwords subject to dictionary attacks. Password cracking is most likely easier not because the system is unreliable, but because the user is not using the password protection to its full potential. When a user chooses a 3 letter password or even a 5 or 6 letter password instead of a maximum 128 character password, this greatly reduces the security of password protection. With Windows NT, using both an unreadable SAM in NT, as well as an NTFS files system unreadbale in DOS, or by other operating systems, without hacking intervention, it still makes it very hard to compromise the security of Windows NT. Now this does not mean that Windows NT is not crackable, but since any attempt to read the SAM in Win NT would require at least Administrator access, a SYSADMIN simply needs to make sure there is no direct access to the Windows NT machine, and that if there is, it is locke until a password is entered. Locking the Windows NT machine while not in use is always a good idea. Make sure the Windows NT Adminstrator password is not an easy password. Some examples of common passwords are, GOD, SEX, LOVE, DRUGS, your DOB, your SSN, your kid's name, your pet's name, your spouse's name, your name, etc. Passwords should be reasonable hard to remember, even for you. It should be a password that would take you a while to memorize. It should contain both numbers and letters and should be case sensitive. For these reasons the SAM does not really need to be moved. But for the sake of argument if you were to move the SAM, could a programmer just as easily take this program and add a search fuction, so if the SAM were moved it could easily be found?<br>
<br>
Just my opinion of course.<br>

 

[jonathanv1]

Wow. Now I see why you were voted Tipmaster of the week. Thanks.

 

[bmoher]

JSAUCE, thanks for the valuable information. Yes, you are quite right in stating that a programmer couldjust as easily take this program and add a search fuction so, if the SAM were moved it could easily be found.<br>
<br>
A less elegant but more practical solution I have been using on our workstations(DELL Optiplex GX1s) is, once it is up and running, I disable boot from floppy and password protect the bios setup page.<br>
<br>
If anyone could break that I would be impressed !<br>
<br>

 

[jsauce]

Actually I could break it. Simply by detaching the battery, I could reset your bios password, and get into the system. There unfortunately is no absolute way to prevent a security issue like this. I have some thoughts on a more fun way to protect a system. It involoves a BOOT LOADER, a password protection scheme, and a fake FAT. I was thinking a boot loader could be used to bypass the normal boot. Within the boot loader a program could be used as a password protection scheme. Now if the user doesn't enter the right password after 3 trys the computer would lock. If he does enter the right password, the computer would then load the boot sector, and the proper file allocation table which could be hidden, and only readable by the BOOT Loader. (Or a FAKE FAT can be loaded until the BOOT LOADER loads the real one.) That way when a program is loaded on say a floppy and the floppy is bootable, it cannot access the FAT, because it can only be accessed using the boot loader on the hard disk. I think that might be useful. Ofcourse in no time a hacker will simply figure out how the Boot Loader is loading the real table and write a program which can read the real table even when other programs cannot see it.

 

[Zelandakh]

Alternatively, instead of detaching the battery (CMOS decay is not always instant if you have a capacitor) there are normally shorting pins on the board clearly marked "Clear CMOS".<br>
<br>
A rather less technical method involves security cameras and code entry doors to the building so physically keep them off the premises <br>
<br>
Zel, agreeing that JSauce probably has a stack of TipMaster leather jackets stashed away somewhere...

 

[bmoher]

Thanks for all the replies. I know about clearing the CMOS. Myself, I would just pullout the hard drive, install it on my workstation, copy all the data, then put it back. No one would know.<br>
<br>
But, my just is only at the software level. I was just trying to stop these smart$%^ Unix and Novell administrators who seem to feel obligated to broadcast every problem with NT server or workstation. <br>
<br>
They report every bug and virus to me. They want to go on endlessly about every method of breaking into NT they come accross. When they are not doing that they are going on about how Microsoft must be stopped, they are the evil empire and Bill Gates is the devil himself. They hang pictures of him with Devil horns coming out.<br>
<br>
I know this is not the forum for this but I am sick and tired of this International ABM coalition. I used to be a UNIX and Novell administrator. I know the differences and advantages of each. I know what is wrong with each. (I also know that Linux has a long, long way to go before getting into the mainstream.) <br>
<br>
I don't need to hear this all the time from these whining computer nerds. I have actually had to tell these loosers to go out and find a woman, a hobby, or a political cause(the environment would be a good one)that they can feel passionate about. Me, I'm only in the bussines to make a living.If somehow every OS and App. disappeared overnight I wouldn't cry about it like these geeks!<br>
<br>
Thanks for listening. <br>
<br>

 

[jsauce]

HAHAHA!

 

[Alt255]

bmoher, you have my vote. That was quite a tip! (Something we already knew but didn't find time to identify.)<br>
And... jsauce... I need some low-level help. Just leave your e-mail address on my desktop.<br>
<br>
Like it or not, we are the second largest community on the planet. We don't always agree. We fight. We make up. We make a living by relying on each other.<br>
<br>
We wake up and learn that our enemies are our best friends.<br>
<br>
2 cents from a really old geek<br>

 

[jsauce]

Alt255 you can reach me at jsauce@net1plus.com or my ICQ number if you have ICQ is 3287200<br>
<br>
That goes for anyone else wanting to contact me too.