Protecting SAM and Security Hives

Windows NT/2000/XP stores its local security information in two registry hives, SAM (Security Accounts Manager) and Security. The SAM hive holds the local account database, including each user's password as hashes (the LM hash and the NT hash) rather than in clear text; the Security hive holds the local security policy, including user rights assignments, account and password policies, and the LSA secrets.

Note 

The hashes in the SAM hive are not stored in the clear: since Windows NT 4.0 Service Pack 3 they can be (and in Windows 2000/XP always are) additionally encrypted with the SYSKEY boot key. By default that key is derived from values in the SYSTEM hive, so an attacker who obtains the SAM hive together with the SYSTEM hive can strip the SYSKEY layer, and several well-known utilities then extract and crack the hashes: PWDUMP, NTCrack and L0phtCrack (whose latest version is LC3).

How to Protect the SAM Hive

Microsoft's official position is that the best way to protect Windows NT/2000/XP is to protect the administrative passwords. That alone is not enough: users other than administrators can reach the SAM and Security hives, among them the members of the Backup Operators group, whose job is to back up the registry.

By default, no user (not even the Administrator) has the access rights needed to view the SAM database in the registry editor. However, the SAM and Security hives are ordinary files on the hard disk (SAM and SECURITY in %SystemRoot%\System32\Config), the same as any other file, and all an attacker needs is a copy of them. You cannot get one simply by copying the files of a running Windows NT/2000/XP system: the kernel holds the hives open exclusively, so the attempt fails with an error message (Fig. 9.7).

Fig. 9.7: When an attempt to copy the registry of the running Windows NT/2000/XP is made, the system displays an error message

However, there are tools such as Regback (included with the Windows NT 4.0 Resource Kit) and REG (included with the Windows 2000 Resource Kit, and built into Windows XP as reg.exe with its save command). Because they use backup semantics, members of the Administrators or Backup Operators groups, who hold the Back up files and directories privilege, can obtain copies of the hives even while the system is up and running.

If Windows NT/2000 is installed on a FAT volume, anyone who has physical access to the computer and can reboot it can copy the Windows NT/2000 registry. They need only reboot, start MS-DOS or Windows 95/98 (from a floppy or another partition), and copy the SAM and Security hives from the %SystemRoot%\System32\Config folder; FAT has no permissions to stop them.

Note 

If Windows NT/2000 is installed on an NTFS volume, the NTFSDOS utility (available from http://www.sysinternals.com/ntfs30.htm) can be used to copy the SAM and Security hives: it mounts NTFS volumes under DOS. NTFSDOS and its clones (for example, NTFS for Windows 98) have met with mixed, and sometimes hostile, reactions because of the risk they pose to the security subsystem; when the first version appeared, Microsoft had to state officially that "true security is physical security". NTFSDOS is nevertheless one of the most useful tools for registry backup and recovery, and it can be invaluable in an emergency (especially one that has to be resolved quickly).

To summarize: to protect the SAM and Security files from unauthorized copying, you must provide genuine physical security for the computers in question, and you should not grant every user the right to reboot the system (the Shut down the system user right).

Note 

By default, this privilege is assigned to Administrators, Backup Operators, Power Users, and Users on Windows 2000/XP workstations. On member servers, it is assigned to Administrators, Power Users, and Backup Operators. On domain controllers, it is assigned to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.

To edit the user rights in Windows 2000, log on as a member of the Administrators group, open Control Panel, open Administrative Tools and start Local Security Policy. In the MMC tree, expand Local Policies and select User Rights Assignment; the list of user rights appears in the right pane (Fig. 9.8). Double-click Shut down the system to change the groups that hold it.

Fig. 9.8: Editing the list of Windows 2000/XP user groups allowed to reboot the system

Can we now say that Windows NT/2000/XP is secure? No, because there are also backup copies of the registry. In Windows NT 4.0, backup copies are created immediately after a successful setup and whenever you run Rdisk /s; they are stored in the %SystemRoot%\Repair directory. In Windows 2000, backup copies are created whenever you back up the System State data; as you may recall, they are stored in the %SystemRoot%\Repair\Regback folder. These files are not held open by the system, so any user with sufficient access rights can simply copy them.

On Windows NT 4.0, NTFS access rights do not protect the %SystemRoot%\Repair directory: every user has Read access to it, and that is enough to copy the files. On Windows 2000, the Users group has only the List permission on this directory by default, which does not allow the files to be copied. If the system was installed as an upgrade from an earlier version of Windows NT, however, the access rights on registry and file system objects are inherited from the previous installation, and the old, weaker permissions remain in force.

Thus, to prevent unauthorized copying of the SAM and Security files, you need to do the following:

  • Don't assign end users permission to log on locally on the servers

  • Whenever possible, use NTFS file system

  • Provide physical security for all servers

  • In Windows NT 4.0 and in Windows 2000/XP systems upgraded from earlier Windows NT versions, restrict access rights to the %SystemRoot%\Repair folder

  • Secure the backup copies of the registry and emergency repair disks (Windows NT 4.0) or System State Data (Windows 2000 and Windows XP)
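The following PowerShell script is an added example (not code from the book) that audits the points in the list above and the user-rights check described earlier: which groups hold the Shut down the system, Log on locally and Back up files and directories rights, whether the offline hive copies under %SystemRoot%\Repair are readable by ordinary users, and that the live SAM cannot simply be copied. Run it from an elevated prompt on Windows XP or later. It assumes the built-in secedit.exe and reg.exe; the repair folder names and the temporary file paths are assumptions.

```powershell
# Added example (not the book's code): audit who can get at the SAM and
# Security hives. Run from an elevated prompt on Windows XP or later.
# Assumptions: secedit.exe is present; %SystemRoot%\repair(\RegBack) is
# where the offline hive copies live; $env:TEMP is writable.

function Resolve-Sid([string]$sid) {
    # Map a SID such as S-1-5-32-551 to BUILTIN\Backup Operators.
    try {
        $id = New-Object System.Security.Principal.SecurityIdentifier($sid)
        $id.Translate([System.Security.Principal.NTAccount]).Value
    } catch { $sid }   # leave unresolvable SIDs as they are
}

# --- 1. User rights that matter for this attack ------------------------
# secedit writes the effective User Rights Assignment to an INF file whose
# [Privilege Rights] section has lines such as
#   SeShutdownPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-545
$inf = Join-Path $env:TEMP 'rights.inf'
secedit /export /cfg $inf /areas USER_RIGHTS /quiet
$watch = @{
    SeShutdownPrivilege     = 'Shut down the system'
    SeInteractiveLogonRight = 'Log on locally'
    SeBackupPrivilege       = 'Back up files and directories'
}
foreach ($line in Get-Content $inf) {
    if ($line -match '^(Se\w+)\s*=\s*(.+)$' -and $watch.ContainsKey($matches[1])) {
        $right = $matches[1]
        $holders = $matches[2].Split(',') | ForEach-Object {
            $v = $_.Trim()
            if ($v.StartsWith('*')) { Resolve-Sid $v.Substring(1) } else { $v }
        }
        '{0,-32} {1}' -f $watch[$right], ($holders -join ', ')
    }
}
Remove-Item $inf

# --- 2. Offline copies: can Users or Everyone read the files? ----------
# Read on the files themselves (not merely List on the folder) is enough
# to copy them, so the check is done file by file.
foreach ($dir in "$env:SystemRoot\repair", "$env:SystemRoot\repair\RegBack") {
    if (-not (Test-Path $dir)) { continue }
    Get-ChildItem $dir | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        foreach ($ace in (Get-Acl $_.FullName).Access) {
            if ($ace.AccessControlType -eq 'Allow' -and
                "$($ace.IdentityReference)" -match 'Users$|Everyone$' -and
                "$($ace.FileSystemRights)" -match 'Read|FullControl') {
                "WARNING: $($_.FullName) is readable by $($ace.IdentityReference)"
            }
        }
    }
}

# --- 3. Live hives: a plain copy fails (the error of Fig. 9.7) ---------
# The kernel holds SAM and SECURITY open without sharing, so Copy-Item
# fails with a sharing violation even for an administrator ...
try {
    Copy-Item "$env:SystemRoot\System32\config\SAM" "$env:TEMP\SAM.copy" -ErrorAction Stop
    'Unexpected: the live SAM was copied'
} catch {
    "Direct copy refused, as expected: $($_.Exception.Message)"
}
# ... whereas a holder of SeBackupPrivilege (Administrators, Backup
# Operators) can still export it with the built-in reg.exe:
#   reg save HKLM\SAM    "$env:TEMP\SAM.hiv"
#   reg save HKLM\SYSTEM "$env:TEMP\SYSTEM.hiv"   # holds the SYSKEY boot key
# which is exactly why that privilege must be handed out sparingly.
```

Any group other than Administrators (and, where unavoidable, Backup Operators) listed next to Back up files and directories, and any WARNING line from the repair folder scan, is a finding to fix: remove the right in Local Security Policy, and reset the folder permissions so that only Administrators and SYSTEM can read the hive copies.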

You may ask, "But what happens if someone steals my SAM and Security hives?" The answer is simple: no serious hacking skill is needed to crack a stolen SAM. With the files in hand, an attacker can run any number of dictionary or brute-force attacks, offline and undetected. With LC3 (downloadable from http://www.atstake.com/lc3, the latest version of the well-known L0phtCrack password-auditing tool), success depends mainly on the quality of the dictionary used (Fig. 9.9). Worse, LC3 attacks the LM hash first, and the LM hash is a weak target: it is case-insensitive and is computed over two independent 7-character halves of the password, so a 14-character password costs no more to brute-force than two 7-character ones.

Fig. 9.9: Weak passwords are cracked by LC3 within a matter of minutes

Thus, to protect the system, prevent users from setting blank passwords and tighten the password policy: require passwords of at least 8 characters made up of mixed letters and digits, and enable the system's password-complexity policy (Password must meet complexity requirements). On Windows 2000 SP2 and later and on Windows XP you can also stop the LM hash from being stored at all (the NoLMHash setting under HKLM\SYSTEM\CurrentControlSet\Control\Lsa), which removes LC3's easiest target; passwords longer than 14 characters never have an LM hash in any case.
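As an added example (not code from the book), the following PowerShell script applies the policy just described on a Windows 2000/XP-era or later machine: a minimum length of 8 (which also rules out blank passwords), the complexity requirement, and, going one step beyond the text, the NoLMHash setting that stops the weak LM hash being stored. Run it elevated. It assumes the built-in net.exe and secedit.exe; the template and database paths are arbitrary choices, and the NoLMHash form shown is the Windows XP registry value (Windows 2000 uses a subkey of the same name).

```powershell
# Added example (not the book's code): raise the local password policy so
# that blank and short passwords are rejected, and stop storing LM hashes.
# Run elevated. Assumptions: net.exe and secedit.exe are present; the
# template and database paths below are arbitrary.

# Show what is in force now (Minimum password length, Maximum password age, ...).
net accounts

# Minimum length can be set directly; 8 characters also rules out blanks.
net accounts /minpwlen:8

# "Password must meet complexity requirements" has no net.exe switch, so
# apply it (and the length again, so one template holds the whole policy)
# through a security template: the same settings the Local Security
# Policy snap-in edits under Account Policies | Password Policy.
$template = Join-Path $env:TEMP 'pwpolicy.inf'
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
'@ | Set-Content -Path $template -Encoding Unicode

secedit /configure /db "$env:TEMP\pwpolicy.sdb" /cfg $template /areas SECURITYPOLICY /quiet
Remove-Item $template

# Windows XP (value form shown; Windows 2000 SP2+ uses a NoLMHash subkey):
# stop storing the LM hash, the half LC3 breaks in minutes. Only passwords
# changed after this takes effect lose their LM hash, so force a change.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
    -Name NoLMHash -Value 1 -Type DWord

# Verify by exporting the effective policy and picking out the two values.
$out = Join-Path $env:TEMP 'effective.inf'
secedit /export /cfg $out /areas SECURITYPOLICY /quiet
Get-Content $out | Where-Object { $_ -match '^(MinimumPasswordLength|PasswordComplexity)\s*=' }
Remove-Item $out
```

The verification step should print MinimumPasswordLength = 8 and PasswordComplexity = 1; on a domain member the domain's Account Policy overrides the local one, so run the same check against the domain policy rather than trusting the local template.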

Note 

Imagine that you want to crack your own SAM hive (and then actually try it). Remember that your task is much easier than an attacker's, because you don't have to mount a remote attack to steal the SAM and Security hives. If some passwords fall to an automated attack, explain to the users who chose them that they are compromising the system's security.



Windows XP Registry