Protecting SAM and Security Hives phần 1

Protecting SAM and Security Hives Windows NT/2000, Windows XP, and Windows Server 2003 security information is stored in the SAM (Security Accounts Manager) and Security registry hives.
Nội dung trích xuất từ tài liệu:
Protecting SAM and Security Hives phần 1Protecting SAM and Security HivesWindows NT/2000, Windows XP, and Windows Server 2003 security information isstored in the SAM (Security Accounts Manager) and Security registry hives.Note Although starting with Windows 2000, Microsoft has introduced the Active Directory (AD)—arguably the most complex of new technologies, which in some ways represents a further extension of the system registry, the SAM database has retained its importance. In contrast to Windows NT 4.0 domain controllers, where SAM used to be simply a registry hive, on native-mode Windows 2000 and Windows Server 2003 domain controllers, the directory services database is stored in the Ntds.dit file. The SAM is now part of the Active Directory, which serves as a kind of super-registry, storing all user and machine information, as well as a whole host of other types of objects, including group policies and applications. However, the SAM database continues to store local accounts (required to log on locally). Furthermore, if your computer that is running Windows 2000, Windows XP or Windows Server 2003 does not participate in a domain, the SAM database remains the main storage of the user and group accounts information. Among other things, it is important to notice that the Directory Service Restore Mode Administrator password, which is separate from the Administrator password that is stored in the Active Directory, resides in the local SAM (%SystemRoot%\System32\Config\SAM).The SAM hive contains user passwords as a table of hash codes; the Security hive storessecurity information for the local system, including user rights and permissions, passwordpolicies and group membership.Note The SAM information is encrypted. However, there are many utilities that allow you to crack the SAM hive. The most common examples are PWDUMP, NT Crack, and L0phtCrack (at the time of this writing, the latest version was LC4).How to Protect the SAM HiveMicrosoft officially states that the best way to protect Windows NT/2000, Windows XP,and Windows Server 2003 is to protect administrative passwords. This, however, isntenough. Many users can access the SAM and Security hives, including members of theBackup Operators group, whose responsibility is registry backup.By default, no user (not even the Administrator) has the necessary access rights thatwould allow them to access or view the SAM database using the registry editor.However, the SAM and Security hives are stored on the hard disk, the same as all theother files. All you need to do is to get the copies of these files. Of course, you cant dothis by simply copying the registry of the running Windows NT/2000, Windows XP, orWindows Server 2003 system. If you make such an attempt, youll get an error message(Fig. 9.18).Figure 9.18: When an attempt to copy the registry of the running Windows NT/2000,Windows XP, or Windows Server 2003 operating system is made, the system displays anerror messageHowever, there are tools such as Regback included with Windows NT 4.0 Resource Kitand REG included with newer releases of the Resource Kit. By using these tools,members of Administrators or Backup Operators groups can obtain copies of the registryeven if the system is up and running.If Windows NT-based operating system is installed on the FAT volume, then anyone whocan reboot the system and has physical access to the computer can copy the systemregistry. They need only to reboot the system, start MS-DOS or Windows 9x/ME, andcopy the SAM and Security hives from the %SystemRoot%\System32\Config folder.Note If Windows NT/2000, Windows XP or Windows Server 2003 is installed on NTFS volume, you can use the NTFSDOS utility for copying the SAM and Security hives (you can download it from http://www.sysinternals.com/ntfs30.htm). NTFSDOS mounts NTFS volumes under DOS. This utility and its clones (for example, NTFS for Windows 98) cause different, and sometimes negative, reactions (because of the potential risk to the security subsystem). When the first version of NTFSDOS appeared, Microsoft had to state officially that true security is physical security. NTFSDOS, though, is one of the most useful tools for registry backup and recovery and may be very helpful when performing emergency recovery (especially if this has to be done very quickly). After all, whatever can be used for good, can also be used for evil.To summarize, in order to protect the SAM and Security files from unauthorized copying,you need to provide true physical security for the computers you need to protect. Also,dont assign every user the right to reboot the system.Note By default, this privilege is assigned to Administrators, Backup Operators, Power Users, and Users on Windows 2000/XP workstations. On member servers, it is assigned to Administrators, Power Users, and Backup Operators. On domain controllers, it is assigned to Administrators, Account Operators, Backup Operators, Print Operators, and Server Operators.To edit the user permissions in Windows 2000, Windows XP, or Windows Server 2003,log onto the system as a member of the Administrators group, open the Control Panelwindows, start Administrative Tools and select the Local Security Policy option.Expand the MMC tree and select the User Rights Assignment option. The list of userrights will appear in the right pane of this window (Fig. 9.19).Figure 9.19: The list of user groups allowed to reboot the system (Windows Server 2003domain controller)Now, can we say that the Windows NT-based system is secure? No, we cant, becausethere are backup copies of the registry. In Windows NT 4.0, backup copies of the registryare created immediately after a successful setup or whenever you start the Rdisk/sc ...