If effective controls are not in place for providing and removing access to the server, it could result in unnecessary access to system resources. This, in turn, places the integrity and availability of the server at risk.
Interview the system administrator, and review account-creation procedures. This process should include some form of verification that the user has a legitimate need for access. Take a sample of accounts from the password file, and review evidence that they were approved properly prior to being created. Alternatively, take a sample of accounts from the password file, and validate their legitimacy by investigating and understanding the job function of the account owners.
Also review the process for removing accounts when access is no longer needed. This process could include an automated feed from the company's human resources (HR) system providing information on terminations and job changes. Or the process could include a periodic review and validation of active accounts by the system administrator and/or other knowledgeable managers. Obtain a sample of accounts from the password file, and verify that they are owned by active employees and that those employees' job positions have not changed since the account's creation.
Most user accounts should be administered centrally by a domain controller, with the possible exception of accounts created on isolated systems that are not a member of a domain (e.g., some DMZs). This increases network security because account provisioning and deprovisioning can be controlled.
You can view the accounts by opening compmgmt.msc from the command line or with DumpSec using the following syntax:
DumpSec.exe /rpt=users /saveas=fixed /outfile=users.txt
Note: Download DumpSec from http://www.somarsoft.com. The same executable that launches the GUI is the one used from the command line, so you can call DumpSec from a script as long as the binary ships alongside the script. Learn about the different command-line options by going to the help file under Help | Contents and selecting Command-Line options.
Discuss your findings with the administrator, and pay close attention to accounts that should exist outside the domain. The only accounts that should exist outside the domain are the built-in guest and administrator accounts unless required by an application.
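The account-legitimacy check described in the preceding steps can be partly automated. The following PowerShell script is an added example (not from the book or from DumpSec): it cross-checks the local account list against an HR export and flags accounts with no HR owner, accounts whose owner has left, and accounts whose owner's job has changed since the account was created. The HR export format (columns SamAccountName, Status, JobTitle, TitleAtCreation) and the sample rows are constructed for illustration; Get-LocalUser requires Windows 10 / Server 2016 or later. In a domain environment the same join works against Get-ADUser output.

```powershell
# Added example (not the book's code): reconcile local accounts with an HR feed.
# Assumption: the HR export has the columns below. The rows are constructed sample data.
$hrCsv = @'
SamAccountName,Status,JobTitle,TitleAtCreation
jsmith,Active,DBA,DBA
mjones,Terminated,Developer,Developer
rlee,Active,Help Desk,Server Admin
'@
$hr = $hrCsv | ConvertFrom-Csv

# Index HR records by account name (case-insensitive) for a quick lookup.
$hrByName = @{}
foreach ($row in $hr) { $hrByName[$row.SamAccountName.ToLower()] = $row }

# Built-in accounts that are expected to have no HR owner; everything else must map to a person
# or to a documented, approved service/shared account.
$builtIn = @('administrator', 'guest', 'defaultaccount', 'wdagutilityaccount')

$findings = foreach ($acct in Get-LocalUser) {
    $name = $acct.Name.ToLower()
    if ($builtIn -contains $name) { continue }
    $rec = $hrByName[$name]

    if (-not $rec) {
        [pscustomobject]@{ Account = $acct.Name; Enabled = $acct.Enabled; LastLogon = $acct.LastLogon
                           Finding = 'No HR record: confirm owner and the approval that created it' }
    } elseif ($rec.Status -ne 'Active' -and $acct.Enabled) {
        [pscustomobject]@{ Account = $acct.Name; Enabled = $acct.Enabled; LastLogon = $acct.LastLogon
                           Finding = "Owner is $($rec.Status) but the account is still enabled" }
    } elseif ($rec.JobTitle -ne $rec.TitleAtCreation) {
        [pscustomobject]@{ Account = $acct.Name; Enabled = $acct.Enabled; LastLogon = $acct.LastLogon
                           Finding = "Job changed ($($rec.TitleAtCreation) -> $($rec.JobTitle)): re-validate need for access" }
    }
}

# Accounts that pass every check are silently omitted; what remains is the sample to discuss with the administrator.
$findings | Sort-Object Account | Format-Table -AutoSize
```

The script produces the exception list, not the conclusion: an account with no HR record may be a legitimate application account, so each finding still needs the approval evidence or job-function explanation the step calls for.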
Groups can greatly simplify the provisioning and deprovisioning process for adding or removing user access to systems as users join and leave a team. However, old members sometimes hang around inside a group when they leave a team.
Review the contents of the groups on the system for appropriate membership while you're looking through the accounts using the method in the preceding step. Remember, in an Active Directory environment, groups can be nested, and you need to check the membership of the nested groups. In general, this is a good time to investigate the use of shared accounts. Such accounts present risk in that you lose accountability for actions taken on the system. However, there are certain situations in which this is unavoidable, such as with certain software on a manufacturing floor. Organizations dealing with PCI or HIPAA should examine their use of shared accounts closely.
Additionally, ensure that the IT security team, investigations team, and appropriate support personnel have administrative access to the server. This may not pertain to all organizations, and there may be some exceptions. These should be placed into a group and not added as individual users to the server.
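Because nested domain groups hide the real membership of a local group such as Administrators, an auditor needs the expanded list. The following PowerShell script is an added example (not from the book): it lists who effectively holds membership in a local group, expanding nested domain groups with the ActiveDirectory module where it is available, and flags candidates for the shared-account discussion. It assumes Windows Server 2016 or later (Get-LocalGroupMember), the RSAT ActiveDirectory module on the auditing workstation, and a shared-account naming convention; that regular expression is an assumption, not a standard.

```powershell
# Added example (not the book's code): expand a local group, including nested domain groups.
# Assumption: shared/service accounts follow a local naming convention such as svc_ or shared-.
$sharedPattern = '^(svc|shared|generic|ops)[-_]'

function Get-EffectiveLocalGroupMembers {
    param([Parameter(Mandatory)][string] $Group)

    # Expansion of domain groups needs the RSAT ActiveDirectory module.
    $haveAd = [bool](Get-Module -ListAvailable -Name ActiveDirectory)

    foreach ($m in Get-LocalGroupMember -Group $Group) {
        if ($m.ObjectClass -eq 'Group' -and $m.PrincipalSource -eq 'ActiveDirectory' -and $haveAd) {
            # Nested domain group: -Recursive returns the leaf users/computers, however deeply nested.
            $groupName = $m.Name.Split('\')[-1]
            foreach ($u in Get-ADGroupMember -Identity $groupName -Recursive) {
                [pscustomobject]@{ Via = $m.Name; Member = $u.SamAccountName; Type = $u.objectClass; Source = 'ActiveDirectory' }
            }
        } else {
            # Direct member, or a group we cannot expand from here.
            [pscustomobject]@{ Via = '(direct)'; Member = $m.Name; Type = $m.ObjectClass; Source = $m.PrincipalSource }
        }
    }
}

$members = Get-EffectiveLocalGroupMembers -Group 'Administrators'
$members |
    Select-Object *, @{ n = 'Note'; e = {
        if ($_.Type -eq 'Group') { 'Nested group not expanded: review its membership manually' }
        elseif (($_.Member.Split('\')[-1]) -match $sharedPattern) { 'Possible shared account: confirm accountability controls' }
        else { '' } } } |
    Sort-Object Member | Format-Table -AutoSize
```

Run it for Administrators and for any other privileged local groups (for example Remote Desktop Users) and compare the output with the expected membership: the security, investigations, and support teams should appear through their designated groups rather than as individually added users. Get-ADGroupMember -Recursive fails on very large groups by default, so expand those with Get-ADUser -LDAPFilter instead.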
Note: Although mentioned previously, it bears repeating that it's common to have exception requests that document exceptions to policy. This is fine as long as the requests are documented with the specific accepted risks and the appropriate management sign-off on the request. Many large organizations require the highest levels of management to sign off on such requests to discourage exceptions to policy.
If passwords on the system are easy to guess, it is more likely that an attacker will be able to break into that account, obtaining unauthorized access to the system and its resources. A key mitigating control for many organizations is the use of two-factor authentication.
All accounts should have passwords. The methods used to test these controls depend on the password-provisioning process and controls enabled on the servers and active directory. At a minimum, you should review system settings that provide password controls such as those mentioned in the next step.
There are several ways to retrieve and test Windows password hashes. However, be careful and play it safe. Password dump, or pwdump, is one commonly used tool to dump password hashes from systems (download information below). It works well, and you should take a look at it. However, even the latest version may have problems on your server, crashing your system. This has happened to organizations that tweaked the internals of the server. Test everything in a nonproduction environment first!
Note: You can download pwdump6 directly from http://www.foofus.net/fizzgig/pwdump or visit http://www.openwall.com/passwords/microsoft-windows-nt-2000-xp-2003 for this and many other cracking utilities.
Perhaps the easiest way to get your SAM and SYSTEM files is to copy them from the C:\WINDOWS\repair directory. Select the files with the CTRL key pressed, and then drag them to another folder or USB drive with the CTRL key still pressed.
As for cracking the passwords, once you have the hashes, you can attempt cracking the passwords with one of the password crackers listed in Table 6-4. Several of them also will take the SAM and SYSTEM files as direct inputs, dump the hashes, and perform the crack.

| Cracker | Cost | Comments |
|---|---|---|
| John | Free | Get it from http://www.openwall.com. It's a fast brute-force cracker. John supports dictionaries and is command line. |
| rcrack | Free | Code is originally from Zhu Shuanglei at http://www.antsight.com/zsl/rainbowcrack. Now it's built into a lot of tools such as Cain and Abel (http://www.oxid.it). You must find, generate, or buy tables. |
| Ophcrack | Free | It's sometimes buggy, but it's free and very quick. Comes with rainbow tables. It's located at http://www.ophcrack.sourceforge.net. |
| plain-text.info | Free | Located online at http://www.plain-text.info. |
| Proactive Password Auditor | $300-$2500 | Cost depends on number of user accounts. It's located at http://www.elcomsoft.com/ppa.html. |
| SAMInside | $40 | Located at http://www.insidepro.com. You need your own rainbow tables, but the program supports them. |
Password controls are essential to enforcing password complexity, length, age, and other factors that keep unauthorized users out of a system.
You'll find the account policies as they affect your system by typing rsop.msc at the command line. When the window opens, select Computer Configuration | Windows Settings | Account Policies. In general, verify that the policies listed in Table 6-5 are set in accordance with your local policies. Some common settings have been listed.

| Policy | Setting |
|---|---|
| Minimum password age | 1 day |
| Maximum password age | 90-180 days |
| Minimum password length | 8 characters |
| Password complexity | Enabled |
| Password history | 10-20 passwords remembered |
| Store passwords using reversible encryption | Disabled, if possible, but really understand and test this before making this decision |
| Account lockout duration | 10-30 minutes |
| Account lockout threshold | 10-20 attempts |
| Reset account lockout after | 10-30 minutes |
You might try using DumpSec to pull account policies, but make sure that it pulls the specific settings you want. DumpSec doesn't gather everything in Table 6-5.
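Where DumpSec or rsop.msc falls short, the effective account policy can be exported with secedit and compared against Table 6-5 directly. The following PowerShell script is an added example (not from the book or from DumpSec): it exports the local security policy, parses the [System Access] section, and reports each Table 6-5 policy as OK, REVIEW, or NOT SET. It assumes an elevated session on the server being audited; the key names are the ones secedit writes in its export, and the acceptable ranges are the book's suggested settings, not Microsoft defaults, so adjust them to your local policy.

```powershell
# Added example (not the book's code): compare the effective account policy with Table 6-5.
# Assumption: run elevated on the audited server; secedit writes a UTF-16 INI-style file.
$cfg = Join-Path $env:TEMP 'secpol-export.inf'
secedit.exe /export /cfg $cfg /areas SECURITYPOLICY | Out-Null

# Parse the [System Access] section into key -> value.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\S+)\s*=\s*(.*?)\s*$') { $policy[$Matches[1]] = $Matches[2] }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Table 6-5 expectations. Min/Max are inclusive ranges; Expect is an exact value (1 = enabled, 0 = disabled).
$checks = @(
    @{ Name = 'Minimum password age';        Key = 'MinimumPasswordAge';    Min = 1;  Max = $null }
    @{ Name = 'Maximum password age';        Key = 'MaximumPasswordAge';    Min = 90; Max = 180 }
    @{ Name = 'Minimum password length';     Key = 'MinimumPasswordLength'; Min = 8;  Max = $null }
    @{ Name = 'Password complexity';         Key = 'PasswordComplexity';    Expect = 1 }
    @{ Name = 'Password history';            Key = 'PasswordHistorySize';   Min = 10; Max = 20 }
    @{ Name = 'Store passwords using reversible encryption'; Key = 'ClearTextPassword'; Expect = 0 }
    @{ Name = 'Account lockout duration';    Key = 'LockoutDuration';       Min = 10; Max = 30 }
    @{ Name = 'Account lockout threshold';   Key = 'LockoutBadCount';       Min = 10; Max = 20 }
    @{ Name = 'Reset account lockout after'; Key = 'ResetLockoutCount';     Min = 10; Max = 30 }
)

foreach ($c in $checks) {
    $raw = $policy[$c.Key]
    # secedit uses -1 for "never expires" / "until an administrator unlocks"; it falls outside every range here.
    $val = if ($null -ne $raw) { [int]$raw } else { $null }
    $status = if ($null -eq $val) { 'NOT SET (lockout duration/reset are omitted when the threshold is 0)' }
              elseif ($c.ContainsKey('Expect')) { if ($val -eq $c.Expect) { 'OK' } else { 'REVIEW' } }
              elseif ($val -lt $c.Min -or ($null -ne $c.Max -and $val -gt $c.Max)) { 'REVIEW' }
              else { 'OK' }
    [pscustomobject]@{ Policy = $c.Name; Key = $c.Key; Value = $val; Status = $status }
}
```

A REVIEW result is a prompt to compare the value against the organization's written policy and any documented exception, not an automatic finding; a domain-joined server's values come from the domain's Default Domain Policy, so a deviation there should be raised with the domain administrators rather than the server owner.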