So, users have the minimum privileges necessary for their work. But if, after installing the OS, nobody disabled booting from removable media (floppy disks or CDs) in BIOS Setup, then obtaining the local administrator's name and password by booting an alternative OS is not a problem.
The source of this information is the Security Account Manager (SAM) database file. On Windows 2000 domain controllers the hashes of user passwords are stored in encrypted form in the Active Directory database, but on workstations and member servers the hashes remain, as in previous versions of the OS, in the sam file located in the folder C:\Winnt\system32\config. While the system is running, access to this file is locked by the OS, but when booting from an alternative OS that lock does not apply. And to get full access to the system it is enough to delete this file! The local administrator's password is then reset, but all user accounts of the local system are deleted along with it, and the NTFS file-system access lists that referred to them are lost.
But what if a more elegant attack is required, one that does not attract the attention of IT staff? Such options exist as well.
Passwords in Windows are not stored in clear text. Moreover, in Windows NT 4.0 and Windows 2000 the passwords are hashed in a fairly reliable way. However, for compatibility with other network clients (Windows 95, Windows for Workgroups, LAN Manager), the SAM database stores, alongside the Windows NT password hash, a hash of the same password in the LAN Manager format. This hash is far less resistant to cracking, and as a rule it is this hash that widely available programs crack.
In Windows 2000 the task of would-be crackers is complicated by the fact that, unlike Windows NT 4.0, the sam file is encrypted by default with the new SYSKEY mechanism. Therefore an attempt to copy the file, extract the password hashes from it and crack them with the well-known L0phtCrack utility (now available as version LC4), which worked so easily on Windows NT 4.0, will fail. But, as they say, what one person has built another can always break. Enter the chntpw utility written by Petter Nordahl-Hagen, which lets you change user passwords stored in the sam file.

Anyone will immediately ask: what about the encryption of the password hashes with the 128-bit SYSKEY key? How can a password be changed without knowing that key? Petter Nordahl-Hagen worked out how to disable this protection. But that is not all: he solved the problem even more simply, not by breaking through the wall but by walking around it! It turns out that when hashes generated by the old (pre-SYSKEY) algorithm are written into the sam file, they are not treated as invalid but are automatically encrypted when the system next boots. The chntpw utility removes the encrypted password hash of the chosen user from the sam file, asks for a new password, generates a hash with the old algorithm and writes it to the file. All that remains is to reboot and log on to the system with the new password! Moreover, Petter Nordahl-Hagen offers not only the utility but also a bootable Linux floppy disk specially configured to mount Windows NT/2000 system disks and change the administrator password.
Protection against this kind of local administrator password reset is provided by the SYSKEY utility itself; all that is needed is to change the default mode in which the SYSKEY key is used. By default, the key that encrypts the password hashes in the SAM database is stored in the registry in the clear. This setting must be changed so that the key is additionally protected with a password entered at boot, or exported to a floppy disk.
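As an added example (not from the original article), the following PowerShell audit reports which SYSKEY mode a host is in and, going slightly beyond the text, whether the weak LAN Manager hashes discussed above are still being stored. It assumes the documented LSA registry values SecureBoot and NoLMHash under HKLM\SYSTEM\CurrentControlSet\Control\Lsa, and must run with administrator rights on a host that has PowerShell.

```powershell
# Added example, not the article's own code. Audits the SYSKEY mode (SecureBoot:
# 1 = startup key kept in the registry, 2 = key derived from a boot password,
# 3 = key stored on a floppy) and the LAN Manager hash policy (NoLMHash).
function Get-SyskeyAudit {
    $lsaPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lsa = Get-ItemProperty -Path $lsaPath -ErrorAction Stop

    $modeText = switch ($lsa.SecureBoot) {
        1 { 'startup key stored in the registry (default, weak)' }
        2 { 'startup key derived from a password entered at boot' }
        3 { 'startup key stored on a floppy disk' }
        default { 'SecureBoot value not present' }
    }

    # Windows 2000 SP2+ used a NoLMHash subkey; XP/2003 and later use a NoLMHash DWORD value.
    $noLmHash = ($lsa.NoLMHash -eq 1) -or (Test-Path (Join-Path $lsaPath 'NoLMHash'))

    $findings = @(
        if ($lsa.SecureBoot -ne 2 -and $lsa.SecureBoot -ne 3) {
            'SYSKEY key is kept in the registry; run SYSKEY and choose password or floppy mode'
        }
        if (-not $noLmHash) {
            'LAN Manager hashes are still stored in the SAM; the weak hash is available to crackers'
        }
    )

    [pscustomobject]@{
        SyskeyMode     = $lsa.SecureBoot
        SyskeyModeText = $modeText
        LmHashDisabled = $noLmHash
        Findings       = $findings
    }
}

Get-SyskeyAudit | Format-List
```

A host in mode 1 with LmHashDisabled = False is exactly the configuration the chntpw scenario above relies on; an empty Findings list means both mitigations are in place.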
The only effective way to counter the chntpw utility is to ensure the physical security of workstations: disable booting from removable media in the BIOS, protect BIOS Setup with a password, and lock the computer case against unauthorized access so that the BIOS cannot be reset.