Security Basics mailing list archives
Re: Windows 2000 Administrator lockout
From: Mark Johnson-Barbier <mjb-infosec () mj3 org>
Date: Mon, 16 Aug 2004 23:23:46 -0700
As the saying goes, if you have physical access to the box, you "own" it:

Best option I know of:
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

If your server is win2k and uses encrypted files, you should make an unencrypted backup of your data before beginning.

Other options that may work (in no particular order):

- Install another dual-boot version of windows on the box to a different %systemroot% directory (such as c:\winrecover). Boot to the new install OS and rename/delete the file named "sam" (no extension ... it's usually in c:\winnt\system32\config). When you reboot, the local accounts will be back to the default and your "administrator" account password will be blank. Warning: you'll lose all accounts on the box and any app that requires an account may not work ... don't try this with an app that requires an account SID to be the same.

- Buy the l0phtcrack program and brute-force crack the password.

- Log into the server and schedule the command "cmd.exe" to be run 3 minutes in the future as user "system" with desktop interaction. At the appointed time you'll be presented with a command prompt with the authority of "system" (or possibly only with whatever account the scheduler service is running as). After you get a command prompt, you can execute "usrmgr.exe" for NT4 systems or an mmc for win2k. Or you can use cusrmgr.exe to change the password at the command prompt. (It's been a long time since I've done this, so I may have left out some detail.)

- I seem to remember a local priv escalation where cmd.exe was copied with the same name as the default screensaver. Instead of running the screensaver after x minutes of inactivity, a command prompt would appear with system privs. I haven't tried this myself, but it would be a fun way to solve your problem.

- I believe sysinternals.com has a way to recover passwords in their adminpack application.

I've used Peter Nordahl's application successfully on several win2k workstations and have read from others with success on servers.

Also, be kind to your future replacement (after you win the lottery and move to your own private island): Implement a simple procedure to store passwords in a secure location where someone else can "break the glass in case of emergency." If security is a concern, create a new admin account and give half of the password to two different people. They can get together in an emergency to gain access, but they would have to collude to escalate their privs.

mjb

On Fri, 2004-08-13 at 11:54, Robert Ritchey wrote:
Hello All,

The network that I have is rather small. 1 server, and 4 workstations. I inherited the systems. There has been no administrator working there for a little over a year. What administrator that was there, was very much non-technical. When the network was built whoever built the server installed everything they possibly could. This system now has few main functions:

1. File server
2. Internet Gateway
3. Symantec Virus manager

Nobody knows any of the passwords for anything on the system. Any of the passwords that are in use are not allowed administrator access. I do mean for anything! I can't even get Symantec to update virus signatures, as I do not have a password to do the update with. The signature is like 2003 date. It is just very frustrating!

I am looking for options, before I have to go and reformat and rebuild. This would in some ways make life simpler, there are wrinkles in that all of their operational data and other services are on the server. We are currently moving forward with a plan to rebuild. This will happen; I would rather pick the time to do it, rather than have it forced on me.

Does anyone know of any other way to take control of this machine and network?

Thanks for your time and any ideas will be appreciated.

Robert Ritchey
-- mjb
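An added example, not part of the original post: the two-person break-glass idea from the reply above, done as a two-share XOR split so that neither custodian's share reveals any character of the password (with literal halves, each holder only has the other half left to guess). The function names, the alphabet and the 4-byte checksum are assumptions made for this sketch.

```python
import base64
import hashlib
import secrets
import string

# Assumed character set for the emergency admin password.
ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@_"

def new_password(length=20):
    """Generate a random break-glass password."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def _tag(data):
    # Short checksum so a mistyped or mismatched share is detected on recombine.
    return hashlib.sha256(data).digest()[:4]

def split_password(password):
    """Return two base32 shares; each one alone is uniformly random bytes."""
    secret = password.encode("utf-8")
    payload = secret + _tag(secret)
    pad = secrets.token_bytes(len(payload))               # custodian A
    masked = bytes(p ^ k for p, k in zip(payload, pad))   # custodian B
    return base64.b32encode(pad).decode(), base64.b32encode(masked).decode()

def combine_shares(share_a, share_b):
    """Recover the password when both custodians present their shares."""
    a = base64.b32decode(share_a.strip().upper())
    b = base64.b32decode(share_b.strip().upper())
    if len(a) != len(b) or len(a) <= 4:
        raise ValueError("shares do not belong together")
    payload = bytes(x ^ y for x, y in zip(a, b))
    secret, tag = payload[:-4], payload[-4:]
    if not secrets.compare_digest(tag, _tag(secret)):
        raise ValueError("checksum mismatch: a share was mistyped or swapped")
    return secret.decode("utf-8")

if __name__ == "__main__":
    pw = new_password()
    share_a, share_b = split_password(pw)
    print("Envelope A:", share_a)
    print("Envelope B:", share_b)
    print("Recombined matches:", combine_shares(share_a, share_b) == pw)
```

Each share goes into its own sealed envelope; the password itself is set on the account and then discarded.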
Current thread:
- Windows 2000 Administrator lockout Robert Ritchey (Aug 16)
- RE: Windows 2000 Administrator lockout Jason Haith (Aug 17)
- Re: Windows 2000 Administrator lockout Bruno Guedes Souto (Aug 17)
- Re: Windows 2000 Administrator lockout fiber (Aug 23)
- Re: Windows 2000 Administrator lockout some guy (Aug 17)
- Re: Windows 2000 Administrator lockout Ansgar -59cobalt- Wiechers (Aug 17)
- Re: Windows 2000 Administrator lockout Mark Johnson-Barbier (Aug 17)
- RE: Windows 2000 Administrator lockout Rob Morgan (Aug 19)
- Re: Windows 2000 Administrator lockout Alexandre Verriere (Aug 23)
- <Possible follow-ups>
- RE: Windows 2000 Administrator lockout adisegna (Aug 17)
- RE: Windows 2000 Administrator lockout Dinis Cruz (Aug 20)
- RE: Windows 2000 Administrator lockout Mark Medici (Aug 18)
- Re: Windows 2000 Administrator lockout jeffry (Aug 23)
- RE: Windows 2000 Administrator lockout Tarun Bansal (Aug 23)
- Re: Windows 2000 Administrator lockout Ansgar -59cobalt- Wiechers (Aug 24)
- RE: Windows 2000 Administrator lockout Ferino Mardo (Aug 23)