password encryption

Miha Pihler

Hi Patrick,

Passwords are stored in the SAM database and in the system registry. They are
encrypted with a one-way MD4 or MD5 hashing function (depends on operation and
environment...).

The SAM database is located here:

%systemroot%\system32\config

In the end it is up to the users to have strong, hard-to-guess passwords. No
encryption will help if users use empty or easy-to-guess passwords....



I hope this helps,


Mike
 
Patrick

Mike,
Thanks for the quick response. If I look in the registry for the password,
it should be unreadable? What key are they in?

Also, would you know how to check for inactive user accounts older than
a certain age in a system, say 90 days?

thanks
 
Miha Pihler

HKEY_LOCAL_MACHINE\SECURITY\SAM\Domains\Account\Users\

But you won't be able to see these keys (beyond SECURITY) by default. You
have to take permissions first. Only SYSTEM is allowed access to this
part of the registry!

Question about accounts and 90 days. Do you have domain accounts in mind? If
yes, what domain do you have? Windows 2000 or 2003? ...

Mike
 
Miha Pihler

User information in an Active Directory environment is stored in the ntds.dit
file. There is nothing (that I would know of) in the registry.

Only when a client logs on are his credentials stored locally in the registry
(look at my previous response).

Mike
 
Steven L Umbach

A couple of things that may help.

Download the free dumpsec tool from SomarSoft and run it using the reports/dump users
as a column and select the last logon time option in the right column. Do this on a
domain controller and it will show all users last logon time.

http://www.somarsoft.com/

To specifically search for users with specific stale account time limits you can use
the AD command line tools from Windows 2003. For instance you can use dsquery user
with the -inactive switch to find those users with inactive accounts based on number
of weeks. You can use the AD tools to manage a W2K domain from an XP SP1 domain
member computer with adminpak from Windows 2003 installed on it. --- Steve

http://www.jsiinc.com/SUBO/tip7300/rh7330.htm
http://www.microsoft.com/windowsxp/...sxp/home/using/productdoc/en/dsquery_user.asp
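
The 90-day check asked about in this thread, as an added example that is not part of the original posts: it reads a constructed per-domain-controller export of last logon times and lists the accounts inactive for more than 90 days. The column names, account names and the FILETIME encoding of the export are assumptions; the most recent value per account is kept because last logon time is recorded separately on each domain controller.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Constructed sample, not real data: one row per (domain controller, account).
# last_logon is a Windows FILETIME (100 ns ticks since 1601-01-01 UTC); 0 = never.
SAMPLE_EXPORT = """dc,samid,last_logon
DC1,alice,127201536000000000
DC2,alice,127296576000000000
DC1,bob,127218816000000000
DC2,bob,127132416000000000
DC1,carol,127228320000000000
DC1,svc_backup,0
DC2,svc_backup,0
"""

def filetime_to_utc(ticks):
    """Convert a FILETIME tick count to an aware datetime; 0 means never logged on."""
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)

def latest_logons(export_text):
    """Return {samid: most recent logon seen on any DC, or None if never}."""
    latest = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        seen = filetime_to_utc(int(row["last_logon"]))
        prev = latest.get(row["samid"])
        if row["samid"] not in latest or (seen and (prev is None or seen > prev)):
            latest[row["samid"]] = seen
    return latest

def stale_accounts(export_text, now, max_age_days=90):
    """Return {samid: days inactive} for stale accounts; None = never logged on."""
    cutoff = now - timedelta(days=max_age_days)
    stale = {}
    for samid, seen in latest_logons(export_text).items():
        if seen is None:
            stale[samid] = None
        elif seen < cutoff:
            stale[samid] = (now - seen).days
    return stale

def dsquery_weeks(max_age_days):
    """Whole weeks for `dsquery user -inactive`, rounded down so nothing is missed."""
    return max(1, max_age_days // 7)
```

Accounts that have never logged on are reported separately from stale ones, since they often need a different decision (unused service or freshly created accounts).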
 
Patrick

Mike,
When a user logs on to a WS in a W2K environment with AD, is his
password encrypted going across the wire by default using MD5? Is this
a standard of W2K?
Thanks
 
Joe Richards [MVP]

The password doesn't go across the wire during a logon. If the logon uses
Kerberos, which would be the default, it uses Kerberos methods, which basically have
the client telling the server who it is and the server sending back something
that only the userid listed could decrypt. You can learn more about Kerberos
authentication all over the web; it is pretty heavily documented. If it is NTLM,
then it is a fairly similar challenge-response mechanism where a nonce is
encoded and the client has to do something with it. This is also pretty well
documented on the web, as well as the shortcomings in NTLM.

joe
 
Guest

Check out a tool called Hyena. It does what you want graphically. They have a free export tool that exports user data also. I can't remember if it will give you stale passwords, but Hyena does.

Kevin
 
