Security Basics mailing list archives

RE: Where are Local Passwords stored on Win2K


From: Meidinger Chris <chris.meidinger () badenit de>
Date: Thu, 23 Oct 2003 15:30:13 +0100

Nicely written answer! Thank you in the name of the list - this one is going
straight into the special folder of 'things not to lose because they are
worth their weight in gold'.

Chris Meidinger
IT Technology and Services

badenIT GmbH
Innovation technology for your future

Tel. +49 761 279 2280
Fax. +49 761 279 2200

Tullastrasse 70
79108 Freiburg
Germany

-----Original Message-----
From: dave kleiman [mailto:dave () netmedic net]
Sent: Tuesday, October 21, 2003 8:13 AM
To: 'Wilcox, Stephen'; security-basics () securityfocus com
Subject: RE: Where are Local Passwords stored on Win2K 


Steven,

Nobody can tell you what could or could not be obtained if your web server
was compromised without a lot more information.

But you could decrease the likelihood of someone cracking the password file
by:

1.  Making sure that they and the DC are not storing the LM hash of the
password:
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash\bar=4,0   For 2000
machine\system\currentcontrolset\control\lsa\nolmhash=4,1   For XP and 2003
Sorry, none for NT :(
After you make this change and reboot the system, you must re-apply all the
passwords; until you do, the LM hash still exists.

2.  Force the "uncrackable" characters in all non-standard users' passwords
(Admin, Backup Operators, etc.).
See http://www.securityfocus.com/archive/88/312263 for details.

3.  Set your authentication level up to:
machine\system\currentcontrolset\control\lsa\lmcompatibilitylevel=4,5
Forcing the systems to only use NTLMv2 and refusing all others.

4.  Enable forced logoff, protection mode, restrict anonymous and remove
cached logon.

MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
machine\software\microsoft\windows nt\currentversion\winlogon\cachedlogonscount=1,0

5.  Restrict Null Session Access over named pipes:
MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\NullSessionPipes=7,""
MACHINE\System\CurrentControlSet\Services\lanmanserver\parameters\NullSessionShares=7,""
Unless there are some you need?

6.  Force SMB signing:
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\RequireSecuritySignature=4,0
You may want to read a little on this if you have pre-2000 systems.

7.  Enable idle force logoff and protection mode:
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\EnableForcedLogOff=4,1
machine\system\currentcontrolset\services\lanmanserver\parameters\autodisconnect=4,15
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0

8.  Require secure channel integrity checking:

MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SignSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\SealSecureChannel=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\RequireSignOrSeal=4,1

Or if you feel like it, force Kerberos authentication.


Hope this helps,


 
_____________________
Dave Kleiman
secure () netmedic net
www.SecurityBreachResponse.com

"High achievement always takes place in the framework of high expectation."
Jack Kinder
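One way to check whether a host actually carries the settings listed above, as an added PowerShell audit that is not part of Dave's post: each template line (MACHINE\path=type,data, where type 4 is REG_DWORD, 1 is REG_SZ and 7 is REG_MULTI_SZ) is mapped to its HKLM value and reported as OK, DEVIATES or MISSING without changing anything. Value names and expected data come from the post; the Windows 2000 case, where NoLMHash is a subkey rather than a value (which is what the post's \bar entry creates), is handled as a separate check.

```powershell
# Added audit example (not Dave's own code): compare the live registry against
# the hardening values in the post above. Template syntax is <path>=<type>,<data>
# with type 4 = REG_DWORD, 1 = REG_SZ, 7 = REG_MULTI_SZ; MACHINE\ maps to HKLM:\.
# Run elevated on the host being checked; it only reads, nothing is changed.
$lsa = 'SYSTEM\CurrentControlSet\Control\Lsa'
$srv = 'SYSTEM\CurrentControlSet\Services\LanManServer\Parameters'
$wks = 'SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$nlg = 'SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
$Baseline = @(
    @{ Key=$lsa; Name='NoLMHash';                 Multi=$false; Expected='1' }
    @{ Key=$lsa; Name='LmCompatibilityLevel';     Multi=$false; Expected='5' }
    @{ Key=$lsa; Name='RestrictAnonymous';        Multi=$false; Expected='2' }
    @{ Key='SYSTEM\CurrentControlSet\Control\Session Manager'; Name='ProtectionMode'; Multi=$false; Expected='1' }
    @{ Key=$srv; Name='EnableForcedLogOff';       Multi=$false; Expected='1' }
    @{ Key=$srv; Name='AutoDisconnect';           Multi=$false; Expected='15' }
    @{ Key=$srv; Name='EnableSecuritySignature';  Multi=$false; Expected='1' }
    @{ Key=$srv; Name='RequireSecuritySignature'; Multi=$false; Expected='1' }
    @{ Key=$srv; Name='NullSessionPipes';         Multi=$true;  Expected='' }
    @{ Key=$srv; Name='NullSessionShares';        Multi=$true;  Expected='' }
    @{ Key=$wks; Name='EnableSecuritySignature';  Multi=$false; Expected='1' }
    @{ Key=$wks; Name='RequireSecuritySignature'; Multi=$false; Expected='0' }
    @{ Key=$wks; Name='EnablePlainTextPassword';  Multi=$false; Expected='0' }
    @{ Key=$nlg; Name='SignSecureChannel';        Multi=$false; Expected='1' }
    @{ Key=$nlg; Name='SealSecureChannel';        Multi=$false; Expected='1' }
    @{ Key=$nlg; Name='RequireSignOrSeal';        Multi=$false; Expected='1' }
    @{ Key='SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='CachedLogonsCount'; Multi=$false; Expected='0' }
)
foreach ($b in $Baseline) {
    $path = "HKLM:\$($b.Key)"
    $item = Get-ItemProperty -Path $path -Name $b.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $actual = $item.($b.Name)
        # REG_MULTI_SZ: the hardened state is "no entries"; anything listed is reachable over a null session
        $ok = if ($b.Multi) { @(@($actual) | Where-Object { $_ -ne '' }).Count -eq 0 } else { "$actual" -eq $b.Expected }
        $status = if ($ok) { 'OK' } else { 'DEVIATES' }
    } elseif ($b.Name -eq 'NoLMHash' -and (Test-Path "$path\NoLMHash")) {
        # Windows 2000 stores NoLMHash as a subkey; the post's "\bar" entry is how a template creates it
        $status = 'OK'; $actual = '(subkey present)'
    } else {
        $status = 'MISSING'; $actual = '(not set: OS default applies)'
    }
    [pscustomobject]@{ Status=$status; Name=$b.Name; Key=$b.Key
                       Expected=$b.Expected; Actual=(@($actual) -join ';') }
}
```

Pipe the output to Format-Table or Export-Csv to keep a per-host record; a MISSING row means the OS default is in force, which for several of these values is the weaker setting.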

 
-----Original Message-----
From: Wilcox, Stephen [mailto:StephenWilcox () universalcomputersys com] 
Sent: Monday, October 20, 2003 16:40
To: security-basics () securityfocus com
Subject: Where are Local Passwords stored on Win2K 


Hello, I'm looking for some information.  Walking through security
compromises within our network.  Let me explain, I have two web servers in
a cluster on the DMZ.  They talk to a SQL cluster on the internal network.
These two SQL servers are not members of the AD.

My boss wants to know the good, bad, and ugly for making them members of
the AD.

If someone compromised a WEB server, would they be able to find the local
cached passwords that are stored on the box and decrypt them?  Then log in
to the web server with the AD account, and use a tool like LDP to gather
AD DC information, and all PCs and usernames.

Where would I locate the cached stored password to see if the risk is too
great to allow?

I know PWDUMP3 will get the SAM but I'm looking for the location of the
stored cached password.

I also know if the local admin password is compromised then a key logger
can be installed to gather the information anyway, but I need the other
information for my report.


