Gaining Administrator Access to Windows XP Professional SP2 System

[Guest]

I downloaded software from http://ebcd.pcministry.com that allowed me to gain
Administrator access to my PC by blanking the administrator password. I
could also use this software to change the password of any user that has a
local account on the computer. The software does this by modifying the
password hashes in the SAM hive of the registry.

I have set policies that require complex passwords, and passwords must be at
least eight characters. However, this seems to only affect creating or
setting passwords within Windows. Apparently, these settings aren't applied
when at the logon prompt, so anyone who has physical access to the computer
using this software could gain complete access to the system.

This is a definite weakness in the Windows security model and should be
corrected. Ideally, the logon process should not allow a user to enter a
password that doesn't meet the policies set in Local Computer Policy, even if
the password is the valid password for the account.

 

[Shenan Stanley]

I downloaded software from http://ebcd.pcministry.com that allowed
me to gain Administrator access to my PC by blanking the
administrator password. I could also use this software to change
the password of any user that has a local account on the computer.
The software does this by modifying the password hashes in the SAM
hive of the registry.

I have set policies that require complex passwords, and passwords
must be at least eight characters. However, this seems to only
affect creating or setting passwords within Windows. Apparently,
these settings aren't applied when at the logon prompt, so anyone
who has physical access to the computer using this software could
gain complete access to the system.

This is a definite weakness in the Windows security model and
should be corrected. Ideally, the logon process should not allow a
user to enter a password that doesn't meet the policies set in
Local Computer Policy, even if the password is the valid password
for the account.

Physical access + time + know-how, no matter the operating system - is
owning the machine and all non-encrypted data within fairly easily. That's
why the first rule in system security is still physical security.

 

[Shenan Stanley]

I downloaded software from http://ebcd.pcministry.com that allowed
me to gain Administrator access to my PC by blanking the
administrator password. I could also use this software to change
the password of any user that has a local account on the computer.
The software does this by modifying the password hashes in the SAM
hive of the registry.

I have set policies that require complex passwords, and passwords
must be at least eight characters. However, this seems to only
affect creating or setting passwords within Windows. Apparently,
these settings aren't applied when at the logon prompt, so anyone
who has physical access to the computer using this software could
gain complete access to the system.

This is a definite weakness in the Windows security model and
should be corrected. Ideally, the logon process should not allow a
user to enter a password that doesn't meet the policies set in
Local Computer Policy, even if the password is the valid password
for the account.

Physical access + time + know-how, no matter the operating system -
is owning the machine and all non-encrypted data within fairly
easily. That's why the first rule in system security is still
physical security.

Thought other links might interest you...

Hack your password:
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

Another:
http://www.thomasmathiesen.com/itak/html/software.html

LCP
http://www.lcpsoft.com/english/

John the Ripper
http://www.openwall.com/john/

L0phtCrack is/was popular as well - but I couldn't find the link quickly
(Symantec owns it.)

How to create and use a password reset disk for a computer that is not a
domain member in Windows XP
http://support.microsoft.com/kb/305478

 

[Guest]

Physical access + time + know-how, no matter the operating system - is
owning the machine and all non-encrypted data within fairly easily. That's
why the first rule in system security is still physical security.

I agree that physical security must be the first priority. However, what
happens when your laptop is stolen and someone is then able to gain access to
the system? Even if the laptop has a BIOS password set, those are still easy
to bypass. Would you want your data at risk because Microsoft has a flawed
security model? I don't.

Stephen

 

[Shenan Stanley]

I downloaded software from http://ebcd.pcministry.com that allowed
me to gain Administrator access to my PC by blanking the
administrator password. I could also use this software to change
the password of any user that has a local account on the computer.
The software does this by modifying the password hashes in the SAM
hive of the registry.

I have set policies that require complex passwords, and passwords
must be at least eight characters. However, this seems to only
affect creating or setting passwords within Windows. Apparently,
these settings aren't applied when at the logon prompt, so anyone
who has physical access to the computer using this software could
gain complete access to the system.

This is a definite weakness in the Windows security model and
should be corrected. Ideally, the logon process should not allow a
user to enter a password that doesn't meet the policies set in
Local Computer Policy, even if the password is the valid password
for the account.

Physical access + time + know-how, no matter the operating system -
is owning the machine and all non-encrypted data within fairly
easily. That's why the first rule in system security is still
physical security.

Thought other links might interest you...

Hack your password:
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

Another:
http://www.thomasmathiesen.com/itak/html/software.html

LCP
http://www.lcpsoft.com/english/

John the Ripper
http://www.openwall.com/john/

L0phtCrack is/was popular as well - but I couldn't find the link
quickly (Symantec owns it.)

How to create and use a password reset disk for a computer that is
not a domain member in Windows XP
http://support.microsoft.com/kb/305478

I agree that physical security must be the first priority.
However, what happens when your laptop is stolen and someone is
then able to gain access to the system? Even if the laptop has a
BIOS password set, those are still easy to bypass. Would you want
your data at risk because Microsoft has a flawed security model? I
don't.

If you lose your laptop, leave a door unlocked, whatever - it doesn't matter
WHAT OS you have - any unencrypted data is owned if the person wants it, has
time and some know-how. *nix, MacOS, Windows - doesn't matter. If you did
not take steps beyond the logon password to protect your data from prying
eyes - and lapsed on physical security or lost your laptop/thumb
drive/whatever - then you are digging your own grave. Passwords never have
been more than a nuisance to a hacker unless they are associated with some
form of data encryption as well.

*You* have to be responsible for the safety of your data.
Encrypt it. That's pretty much the safest method these days for situation
like you describe.
Be sure you understand the encryption model you use (and how to
backup/restore the keys, certificates, etc.)
Windows XP Professional and supersets thereof has this ability built in.

 

[Guest]

If you lose your laptop, leave a door unlocked, whatever - it doesn't matter
WHAT OS you have - any unencrypted data is owned if the person wants it, has
time and some know-how. *nix, MacOS, Windows - doesn't matter. If you did
not take steps beyond the logon password to protect your data from prying
eyes - and lapsed on physical security or lost your laptop/thumb
drive/whatever - then you are digging your own grave. Passwords never have
been more than a nuisance to a hacker unless they are associated with some
form of data encryption as well.

*You* have to be responsible for the safety of your data.
Encrypt it. That's pretty much the safest method these days for situation
like you describe.
Be sure you understand the encryption model you use (and how to
backup/restore the keys, certificates, etc.)
Windows XP Professional and supersets thereof has this ability built in.

I do encrypt my data, and I did not create any Designated Recovery Agent for
EFS. Otherwise, if I did lose the laptop and someone gained Administrator
access to the system, that person could then decrypt my data. Even if the
Administrator account is not a Designated Recovery Agent, someone could
simply change the passwords of every user account on the system, log in to
each one, and attempt to decrypt the data. If another user account was a
Designated Recovery Agent, eventually the encrypted data would become
accessible.

Stephen

 

[Guest]

If you lose your laptop, leave a door unlocked, whatever - it doesn't matter
WHAT OS you have - any unencrypted data is owned if the person wants it, has
time and some know-how. *nix, MacOS, Windows - doesn't matter. If you did
not take steps beyond the logon password to protect your data from prying
eyes - and lapsed on physical security or lost your laptop/thumb
drive/whatever - then you are digging your own grave. Passwords never have
been more than a nuisance to a hacker unless they are associated with some
form of data encryption as well.

*You* have to be responsible for the safety of your data.
Encrypt it. That's pretty much the safest method these days for situation
like you describe.
Be sure you understand the encryption model you use (and how to
backup/restore the keys, certificates, etc.)
Windows XP Professional and supersets thereof has this ability built in.

I also agree that passwords provide a false sense of security. However,
most people only rely on passwords for security and don't use any type of
encryption. When was the last time you heard Microsoft advertising data
encryption as a feature of their operating systems? Microsoft's file
encryption implementation almost guarantees that only advanced users would
take advantage of it. Otherwise, it wouldn't be "hidden" in the Advanced
properties page for files or folders.

My point is that Microsofts's security model fails when someone can gain
unauthorized physical access to a computer, and Microsoft needs to design for
that.

Stephen

 

[Shenan Stanley]

I downloaded software from http://ebcd.pcministry.com that allowed
me to gain Administrator access to my PC by blanking the
administrator password. I could also use this software to change
the password of any user that has a local account on the computer.
The software does this by modifying the password hashes in the SAM
hive of the registry.

I have set policies that require complex passwords, and passwords
must be at least eight characters. However, this seems to only
affect creating or setting passwords within Windows. Apparently,
these settings aren't applied when at the logon prompt, so anyone
who has physical access to the computer using this software could
gain complete access to the system.

This is a definite weakness in the Windows security model and
should be corrected. Ideally, the logon process should not allow
a user to enter a password that doesn't meet the policies set in
Local Computer Policy, even if the password is the valid password
for the account.

Physical access + time + know-how, no matter the operating system
- is owning the machine and all non-encrypted data within fairly
easily. That's why the first rule in system security is still
physical security.

Thought other links might interest you...

Hack your password:
http://home.eunet.no/~pnordahl/ntpasswd/bootdisk.html

Another:
http://www.thomasmathiesen.com/itak/html/software.html

LCP
http://www.lcpsoft.com/english/

John the Ripper
http://www.openwall.com/john/

L0phtCrack is/was popular as well - but I couldn't find the link
quickly (Symantec owns it.)

How to create and use a password reset disk for a computer that is
not a domain member in Windows XP
http://support.microsoft.com/kb/305478

I agree that physical security must be the first priority.
However, what happens when your laptop is stolen and someone is
then able to gain access to the system? Even if the laptop has a
BIOS password set, those are still easy to bypass. Would you want
your data at risk because Microsoft has a flawed security model?
I don't.

If you lose your laptop, leave a door unlocked, whatever - it
doesn't matter WHAT OS you have - any unencrypted data is owned if
the person wants it, has time and some know-how. *nix, MacOS,
Windows - doesn't matter. If you did not take steps beyond the
logon password to protect your data from prying eyes - and lapsed
on physical security or lost your laptop/thumb drive/whatever -
then you are digging your own grave. Passwords never have been
more than a nuisance to a hacker unless they are associated with
some form of data encryption as well.

*You* have to be responsible for the safety of your data.
Encrypt it. That's pretty much the safest method these days for
situation like you describe.
Be sure you understand the encryption model you use (and how to
backup/restore the keys, certificates, etc.)
Windows XP Professional and supersets thereof has this ability
built in.

I do encrypt my data, and I did not create any Designated Recovery
Agent for EFS. Otherwise, if I did lose the laptop and someone
gained Administrator access to the system, that person could then
decrypt my data. Even if the Administrator account is not a
Designated Recovery Agent, someone could simply change the
passwords of every user account on the system, log in to each one,
and attempt to decrypt the data. If another user account was a
Designated Recovery Agent, eventually the encrypted data would
become accessible.

I also agree that passwords provide a false sense of security.
However, most people only rely on passwords for security and don't
use any type of encryption. When was the last time you heard
Microsoft advertising data encryption as a feature of their
operating systems? Microsoft's file encryption implementation
almost guarantees that only advanced users would take advantage of
it. Otherwise, it wouldn't be "hidden" in the Advanced properties
page for files or folders.

My point is that Microsofts's security model fails when someone can
gain unauthorized physical access to a computer, and Microsoft
needs to design for that.

You **should** back up the recovery agent Encrypting File
System (EFS) private key if you are using EFS. It just *should be
done*. Unless you do it in a stupid manner - your data is still
safe..

How to back up the recovery agent Encrypting File System (EFS)
private key in Windows Server 2003, in Windows 2000, and in
Windows XP
http://support.microsoft.com/kb/241201/

Notice this part:
"Important - After you export the private key to a floppy disk
or other removable media , store the floppy disk or media in
a secure location. If someone gains access to your EFS private
key, that person can gain access to your encrypted data."

So yeah - if you store said media with the machine - sure, the
person who now has your laptop/control of your physical computer
will have an easier time of recovering your data.

Perhaps you should read this document:

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/

As it seems like you are not following the best practices at
all.. particularly:

"Teach users to export their certificates and private keys
to removable media and store the media securely when it is
not in use. For the greatest possible security, the private
key must be removed from the computer whenever the computer
is not in use. This protects against attackers who physically
obtain the computer and try to access the private key. When
the encrypted files must be accessed, the private key can
easily be imported from the removable media."

You have to know how to use the tools properly before they
become useful. EFS is advertised in Windows XP Professional.
It is indeed listed as one of the differences in almost all
comparison charts I have seen. It's dangerous - because most
people do not bother to read the best practices guide or even
the built-in help on the subject before using it - end up
losing data because they have no backup agent - didn't know
you even should have one and redo their system and can no
longer (ever) access their data. You can search the Internet
for the stories of people who have done this - and THEN
learned how to properly use the tools.

Someone gains physical access to your data and it is not
encrypted and/or you did not follow the best practices for
encryption - then it's theirs.. No matter who designed the
operating system. When you lose your wallet - everything
in there is the finders'. That's probably why you are more
careful with your wallet and follow some common sense rules
when you have large amounts of cash in it. Same thing with
your computer security.

When does the design of better protection end and the use of
more common sense and education of the end-user begin?
A good method of protection without learning its proper usage
is almost as worthless as using no protection at all.

 

[Malke]

I also agree that passwords provide a false sense of security.
However, most people only rely on passwords for security and don't use
any type of
encryption. When was the last time you heard Microsoft advertising
data
encryption as a feature of their operating systems? Microsoft's file
encryption implementation almost guarantees that only advanced users
would
take advantage of it. Otherwise, it wouldn't be "hidden" in the
Advanced properties page for files or folders.

My point is that Microsofts's security model fails when someone can
gain unauthorized physical access to a computer, and Microsoft needs
to design for that.

Stephen, you're completely missing the point because you don't
understand about computer security. As Shenan told you, any computer
running *any* operating system can be gotten into by someone with:

1) physical access; 2) time; 3) skill; 4) tools.

A better solution for laptops is to look at what a company like Lenovo
(formerly IBM) provides at a *hardware* level. If one uses the full
protection available, it doesn't matter *what* operating system is in
use - the laptop will not be accessible even with a new hard drive and
the hard drive will not be accessible even in a different computer.

This is not an operating system issue.

Malke

 

[coal_brona]

Hi,

login password can be reset using Active@ Password Changer tool. That
is a really useful tool that never failed me before and worked simply
great. It literally saved me before in a situation when the password
was lost or forgotten.

http://www.password-changer.com/

 

[Guest]

You **should** back up the recovery agent Encrypting File
System (EFS) private key if you are using EFS. It just *should be
done*. Unless you do it in a stupid manner - your data is still
safe..

How to back up the recovery agent Encrypting File System (EFS)
private key in Windows Server 2003, in Windows 2000, and in
Windows XP
http://support.microsoft.com/kb/241201/

Notice this part:
"Important - After you export the private key to a floppy disk
or other removable media , store the floppy disk or media in
a secure location. If someone gains access to your EFS private
key, that person can gain access to your encrypted data."

So yeah - if you store said media with the machine - sure, the
person who now has your laptop/control of your physical computer
will have an easier time of recovering your data.

Perhaps you should read this document:

Best practices for the Encrypting File System
http://support.microsoft.com/kb/223316/

As it seems like you are not following the best practices at
all.. particularly:

"Teach users to export their certificates and private keys
to removable media and store the media securely when it is
not in use. For the greatest possible security, the private
key must be removed from the computer whenever the computer
is not in use. This protects against attackers who physically
obtain the computer and try to access the private key. When
the encrypted files must be accessed, the private key can
easily be imported from the removable media."

You have to know how to use the tools properly before they
become useful. EFS is advertised in Windows XP Professional.
It is indeed listed as one of the differences in almost all
comparison charts I have seen. It's dangerous - because most
people do not bother to read the best practices guide or even
the built-in help on the subject before using it - end up
losing data because they have no backup agent - didn't know
you even should have one and redo their system and can no
longer (ever) access their data. You can search the Internet
for the stories of people who have done this - and THEN
learned how to properly use the tools.

Someone gains physical access to your data and it is not
encrypted and/or you did not follow the best practices for
encryption - then it's theirs.. No matter who designed the
operating system. When you lose your wallet - everything
in there is the finders'. That's probably why you are more
careful with your wallet and follow some common sense rules
when you have large amounts of cash in it. Same thing with
your computer security.

When does the design of better protection end and the use of
more common sense and education of the end-user begin?
A good method of protection without learning its proper usage
is almost as worthless as using no protection at all.

Thanks for the information. I did export my certificate and private key,
and I checked the box that says to delete the private key if export is
successful. However, will I need to have the removable media containing the
certificate and private key available every time I want to access my
encrypted files?

Stephen

 

[Shenan Stanley]

Thanks for the information. I did export my certificate and
private key, and I checked the box that says to delete the private
key if export is successful. However, will I need to have the
removable media containing the certificate and private key
available every time I want to access my encrypted files?

They are backups - not what it uses all the time.
It's in case something happens (like you password gets changed through
unconventional means, machine gets wiped, etc.) - then you can use the
backup to recover access to your data (if you have it.)

 

[Steven L Umbach]

That was true in Windows 2000 but not in Windows XP. If a local user account
password is reset an attacker will NOT be able to logon with the reset
password and access the EFS encrypted files. Now an attacker could logon as
an administrator, install a password hash cracking program to try and
recover a user's password and then logon with the correct password to access
the files. If you use complex passphrase of at least 15 characters [which
also disables it from being stored with lm hash] then it will become almost
impossible to recover your password. If you export and delete your EFS
private key and assuming non other can decrypt the files then the files are
safe from opening and the only possibility would be to try and brute force
AES 256 encryption which is not going to happen anytime soon. Ideally for
maximum confidentiality you want to run cipher /w after deleting the EFS
private key to overwrite free diskspace to eliminate any traces of the
private key or clear copies of the EFS files if any existed. Users that
logon with cached domain credentials have there passwords stored very
securely and they are not stored in the local sam. I have yet to hear of a
verified successful attempt to recover such though an atacker could resort
to simple guessing and maybe get lucky. --- Steve

 

[Bruce Chambers]

I agree that physical security must be the first priority.

And yet, you don't seem to understand the concept.

However, what
happens when your laptop is stolen and someone is then able to gain access to
the system?

It means that *your* security model was flawed.... Nothing whatsoever
to do with Microsoft or any other operating system maker.





--

Bruce Chambers

Help us help you:



They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety. -Benjamin Franklin

Is life so dear or peace so sweet as to be purchased at the price of
chains and slavery? .... I know not what course others may take, but as
for me, give me liberty, or give me death! -Patrick Henry

 

[Colin Nash [MVP]]

I downloaded software from http://ebcd.pcministry.com that allowed me to
gain
Administrator access to my PC by blanking the administrator password. I
could also use this software to change the password of any user that has a
local account on the computer. The software does this by modifying the
password hashes in the SAM hive of the registry.

I have set policies that require complex passwords, and passwords must be
at
least eight characters. However, this seems to only affect creating or
setting passwords within Windows. Apparently, these settings aren't
applied
when at the logon prompt, so anyone who has physical access to the
computer
using this software could gain complete access to the system.

This is a definite weakness in the Windows security model and should be
corrected. Ideally, the logon process should not allow a user to enter a
password that doesn't meet the policies set in Local Computer Policy, even
if
the password is the valid password for the account.

Like others have said, encryption and/or physical security is the only way
to protect your data.

That said, there is room to improve this. Microsoft is working on a new
feature in the next version of Windows (Vista) so that using encryption is
more seamless and easier to use.

http://www.microsoft.com/technet/windowsvista/library/c61f2a12-8ae6-4957-b031-97b4d762cf31.mspx


Another interesting article:
http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx