fully agree

/Guido

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT
Sent: Thursday, November 18, 2004 1:05 AM
To: '[EMAIL PROTECTED]'
Subject: RE: [ActiveDir] Syskey and AD

Sorry, but except for a backup during a migration or the like, of what use is a DC if it's not running? ;)

I had an NT4.0 domain with SYSKEY enabled. When our network security folks needed to test accounts for password strength using l0phtcrack, we had to use rdisk to provide them a copy of the unencrypted SAM that they could then run l0phtcrack against. That led me to believe that the SAM isn't automatically decrypted just because the DC is running.

I'm not saying that encrypting the SAM isn't a good idea. I'm saying that it isn't the end-all, be-all of security. As you said, Guido, reboot to an alternate OS like Nordahl's disk does. Or string together one of the myriad of vulnerabilities of the Windows platform to gain access to an admin session, or use an elevated-privileges attack from a client and then use rdisk remotely in an NT 4.0 environment, take the unencrypted SAM offline, crack it at will and come back in with a legitimate account. Heck, if it's an NT4.0 environment, Exchange 5.5 is probably used, and Exchange is nice enough to cache the Exchange Service account and password unencrypted in the registry of systems with the Exchange Console installed. And if anyone doubts either, I had a white-hat team do both to me.

I think everyone realizes that security nowadays isn't a case of keeping someone determined out indefinitely, but out long enough to find out they are there and catch/stop them.

Dave

------------------------------------------------
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Grillenmeier, Guido

<Just make a recovery disk with the /r (I believe) option would export a readable copy of the sam>

That's only valid when the machine is running (and thus the SAM is decrypted) and you already have admin access to it. In the case of "only" having physical access but no account, you'd not have this option, and thus you'd reboot the machine to start up another OS or do something similar to get at the SAM - in this case it would still be encrypted with the locally stored key. Storing that key offline would add your extra protection, with all the hassles involved with mgmt of that offline key and handling the boot process.

For companies with very high security requirements that still need to put DCs in "unsafe" locations for various reasons, storing the key offline may be a valid option to further secure the DC (or any other server, as a matter of fact). If you have the right server HW, you should be able to create disk images for each machine containing that key, and if the server has something like an ILO board you can remotely mount that image during boot time. Still a lot of stuff to manage, but all possible remotely.

/Guido

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Perdue David J Contr InDyne/Enterprise IT

Even with SYSKEY enabled on an NT DC, the SAM can still be cracked with l0phtcrack or the other tools. Just making a recovery disk with the /r (I believe) option would export a readable copy of the SAM. We would have to do it for our security folks to test password strength every so often.

Honestly, I don't believe it matters what version of the Windows OS you use. If you have physical access to the system, you win.

Dave

------------------------------------------------
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)

I would suggest the Windows 2003 (and 2000 and XP) SAM is more secure than NT, as it is encrypted with a locally stored key by default. The Syskey process allows you to store that key on a separate floppy disk, thus adding an extra layer of security. In the NT SAM, the encryption is not on by default but can be added with Syskey as an optional extra, so I reckon this makes the 2003 SAM more secure.

If you have ever used l0phtcrack on an NT SAM you may be scared at how quickly it can rip through all your passwords (even if it does require an admin account to run).

I accept that one of the golden rules of security is that if the bad guy has physical access to your machine it's not your machine any more, but a 128-bit encryption key will take some time to crack, giving some breathing space to take action. Especially as the Syskey password needs at least 12 characters and should contain all sorts of numbers, letters, squiggles and hieroglyphics. The rainbow tables needed to crack that would probably be many terabytes in size.

Having said all that, I wouldn't bother using Syskey on my DCs or any other server due to the hassles you mention. The best idea is just to keep them in a physically secure location in the first place.

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of joe

I don't think I would say that the SAM is more secure than it is with NT. The issue of being hacked is still there and still fairly trivial. The syskey can maybe help depending on the tools used to crack the server and whether it is an attempt to brute-force passwords (or Rainbow crack) or gain access to the box. I don't want to get very deep into this, but if someone has physical access to the machine, they can own the machine if they so desire - period. Using a user-generated password or floppy (and not keeping the floppy with the machine) with SysKey is safer, but not tremendously so, and again, only for someone trying to steal the password database. Mostly it just adds considerable heartache to management, since you have to be in front of the machine (or using some low-level I/O card to redirect the console) to start it. Once the local SAM is cracked, it is one reboot and one more tool away from the DIT being cracked.

Basically, if my goal is to steal your passwords in a quiet way, syskey will help a little as it adds another 128-bit encryption piece in front of the hashes. If my goal is to take over your server or domain or forest, syskey doesn't hamper that.

joe

From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Geary, Simon (Computer People)

It's still possible, but whether or not it will still be necessary with Windows Server 2003 is another question. The default security of the SAM is higher than with NT. This page gives you the process. http://support.microsoft.com/kb/310105
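Guido's suggestion of keeping the Syskey key off the DC and Simon's point that the default mode is a locally stored key both come down to which of the three Syskey modes a DC is actually in. The PowerShell script below is an added example, not code from this thread or from the KB article; it assumes the SecureBoot DWORD under the LSA registry key records the mode (1 local, 2 startup password, 3 removable media) and that remote DCs accept PowerShell remoting, and it flags any DC still relying on the locally stored key.

```powershell
# Added example, not from the thread: report which Syskey mode each DC uses, so
# DCs placed in less-trusted locations can be verified to hold the key offline
# (startup password or removable media) rather than on the local disk.
# ASSUMPTION: the mode is the LSA value HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SecureBoot
#   1 = key stored locally, 2 = startup password, 3 = key on removable media.
# ASSUMPTION: remote hosts are reachable over PowerShell remoting (Invoke-Command).
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME)
)
$modeNames = @{
    1 = 'Key stored locally (default)'
    2 = 'Startup password required'
    3 = 'Key on removable media'
}
# Reads the SecureBoot DWORD; runs locally or inside Invoke-Command.
$readMode = {
    (Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
        -Name SecureBoot -ErrorAction Stop).SecureBoot
}
$results = foreach ($dc in $ComputerName) {
    try {
        if ($dc -ieq $env:COMPUTERNAME) {
            $mode = [int](& $readMode)
        } else {
            $mode = [int](Invoke-Command -ComputerName $dc -ScriptBlock $readMode -ErrorAction Stop)
        }
        $desc = $modeNames[$mode]; if (-not $desc) { $desc = 'Unknown value' }
        [pscustomobject]@{
            ComputerName = $dc
            SyskeyMode   = $mode
            Description  = $desc
            KeyOffline   = ($mode -eq 2 -or $mode -eq 3)   # the offline-key setup Guido describes
        }
    } catch {
        [pscustomobject]@{
            ComputerName = $dc
            SyskeyMode   = $null
            Description  = "Query failed: $($_.Exception.Message)"
            KeyOffline   = $false
        }
    }
}
$results | Sort-Object KeyOffline, ComputerName | Format-Table -AutoSize
# A DC still on the local key is the case joe describes: the extra encryption
# layer only slows down someone who already has the box in hand.
$results | Where-Object { -not $_.KeyOffline } | ForEach-Object {
    Write-Warning "$($_.ComputerName): Syskey key is not held offline ($($_.Description))"
}
```

Run it with `-ComputerName DC1,DC2` to check several DCs at once; a failed query is reported per host rather than aborting the whole run.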
From:
[EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Rosales, Mario

Is it still necessary to syskey DCs? On NT 4.0 we always did that. Does the same apply for Windows 2003?