June 18 2015

Why we need to keep Domain Controllers physically secure



----------------------------------------------------------------------------
I use a maximum of one Google Ad per post to help offset some of my blog hosting costs.

----------------------------------------------------------------------------

The purpose of this post is to highlight another reason we need to keep Domain Controllers physically secure. In fact, the principle applies to standard Windows Servers too.

My home test lab had been powered down for a few months and I’d forgotten my Domain Administrator password. I knew there was a method to log onto a Windows Server without a username and password back in Windows Server 2003, and I thought that surely this wouldn’t still work with Windows Server 2012 R2. To my horror, it still did. Here is how I reset my Domain Administrator account password – scary stuff!

[Screenshot: Forgotten password]

So I’d forgotten my Domain Administrator password. Time to attach the Windows Server 2012 R2 ISO to the VM.

[Screenshot: Attach ISO]

Adjust the boot order to force booting from ISO first.

[Screenshot: Boot to DVD/ISO]

Restart the VM and boot from the DVD/ISO. Click Next on the first setup screen. On the following screen, make sure you select “Repair your computer”.

[Screenshot: Next]
[Screenshot: Repair your computer]

Then click on “Troubleshoot” followed by “Command Prompt”.

[Screenshot: Troubleshoot]
[Screenshot: Command Prompt]

You will now be presented with a Command Prompt. Change directory to c:\Windows\System32. Rename the Utilman.exe executable by running “ren Utilman.exe Utilman.exe.old”, then make a copy of cmd.exe named Utilman.exe with “copy cmd.exe Utilman.exe”. See the screenshot below.

[Screenshot: Replace Utilman]

Close the command prompt and restart the machine, booting back into the regular Windows logon screen. Once the logon screen is presented, press the Windows key and U. Much to your horror, a Command Prompt will appear. If you check Task Manager, you will see that the Command Prompt (the executable named Utilman.exe) is running in the SYSTEM context. Given that this is a Domain Controller, this effectively means that commands run within the Command Prompt execute with Domain Admin-level permissions.

[Screenshot: SYSTEM context]

To reset the Domain Administrator account password, we simply need to run the “net user Administrator password” command.

[Screenshot: Reset password]

You can now close the Command Prompt and log onto the domain with the Administrator account and the newly set password.

I have also seen this work with the Sticky Keys executable (sethc.exe) being replaced instead of Utilman.exe.

Once again, this highlights why we need to keep our Domain Controllers physically secure. As this demo shows, anyone with physical access to the server can take control of your entire Active Directory domain in a very short amount of time!
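
As an added example (not from the original post), the following PowerShell check looks for the after-effects of the swap described above: a Utilman.exe or sethc.exe that is byte-identical to cmd.exe, a version resource that still names cmd.exe, or the renamed original left behind as .old. It assumes PowerShell 4.0 or later for Get-FileHash, as shipped with Windows Server 2012 R2.

```powershell
# Added example, not part of the original post: detect the Utilman.exe/sethc.exe
# swap described above by comparing those binaries against cmd.exe and checking
# the version resource each file carries. Assumes PowerShell 4.0+ (Get-FileHash).
function Test-AccessibilityBinary {
    param(
        # Directory holding the binaries; defaults to the live System32.
        [string]$System32 = (Join-Path $env:SystemRoot 'System32'),
        # Utilman.exe is what the post replaces; sethc.exe is the alternative it mentions.
        [string[]]$Name = @('Utilman.exe', 'sethc.exe')
    )
    $cmdHash = (Get-FileHash -Algorithm SHA256 -Path (Join-Path $System32 'cmd.exe')).Hash

    foreach ($n in $Name) {
        $path = Join-Path $System32 $n
        if (-not (Test-Path $path)) { continue }

        $findings = @()
        # "copy cmd.exe Utilman.exe" leaves a byte-identical copy, so the hashes match.
        if ((Get-FileHash -Algorithm SHA256 -Path $path).Hash -eq $cmdHash) {
            $findings += 'byte-identical to cmd.exe'
        }
        # The version resource travels with the bytes: a copied cmd.exe still says Cmd.Exe.
        $orig = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($path).OriginalFilename
        if ($orig -and ([IO.Path]::GetFileName($orig) -ine $n)) {
            $findings += "OriginalFilename is '$orig'"
        }
        # "ren Utilman.exe Utilman.exe.old" leaves the genuine binary behind under a new name.
        if (Test-Path "$path.old") { $findings += 'renamed original present (.old)' }

        [pscustomobject]@{
            Path     = $path
            Suspect  = ($findings.Count -gt 0)
            Findings = ($findings -join '; ')
        }
    }
}

Test-AccessibilityBinary | Format-Table -AutoSize
```

Run it from a scheduled task or your monitoring agent on Domain Controllers; a Suspect row means the logon screen is one keypress away from a SYSTEM shell and the machine should be treated as compromised.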


May 4 2015

Microsoft Local Administrator Password Solution

Microsoft have released a new tool to manage local Administrator account passwords on domain-joined machines. The solution automatically creates and manages the password on each managed computer so that it is unique, randomly generated and securely stored in Active Directory. ACLs are then used to control who can view the password.

The tool is free!

More info: Microsoft Security Advisory 3062591 – Local Administrator Password Solution (LAPS) Now Available

September 25 2012

Defining multifactor authentication

I was recently having a discussion about the definition of multifactor authentication and what actually constitutes one-, two- or three-factor authentication. There seems to be confusion around these definitions, so I am posting some industry-accepted definitions for all to see or reference. Authentication methodologies involve three basic “factors”:

  1. Something the user knows (e.g. password, personal identification number, personally identifiable information)
  2. Something the user has (e.g. smartcard, security token, telephone, signed digital certificate)
  3. Something the user is (e.g. fingerprint, voice, retinal pattern, DNA)

According to the Federal Financial Institutions Examination Council’s Authentication in an Internet Banking Environment, August 15, 2006, two-factor authentication (aka multifactor authentication) is described as:

“By definition true multifactor authentication requires the use of solutions from two or more of the three categories of factors. Using multiple solutions from the same category would not constitute multifactor authentication.”

Therefore, two-factor (aka multifactor) authentication is a combination of any two of these factors. For example, a fingerprint scan and a password is two-factor authentication; a password and a signed computer digital certificate is two-factor authentication. However, if you use a password, a signed computer digital certificate, a PIN and a number generated from your RSA SecurID token, you are still using two-factor authentication, as the identifiers only come from two of the three categories listed above.

There is a great article here (http://pciguru.wordpress.com/2010/05/01/one-two-and-three-factor-authentication/) which discusses this in detail. It is also worth checking out the PCI Security Standards Council Quick Reference Guide, especially section 8.3 (https://www.pcisecuritystandards.org/documents/pci_ssc_quick_guide.pdf), FFIEC’s Authentication Guidance whitepaper (http://www.ffiec.gov/pdf/authentication_guidance.pdf) and Australia’s DSD security advice article (http://www.dsd.gov.au/publications/csocprotect/multi_factor_authentication.htm).

January 12 2011

Outlook prompting for credentials with Exchange 2007

I saw this issue again today. Outlook 2007 & 2010 were prompting for username and password at startup and randomly during use.

I’ve used this fix a couple of times now. In IIS Manager, navigate to the website that contains your Exchange virtual directories (in Exchange 2007 this is the Default Web Site; in SBS 2008 it is SBS Web Applications).

In turn, highlight the following virtual directories:

AutoDiscover
RPC
EWS
OAB

Once highlighted, select Authentication, right-click Windows Authentication, select Advanced Settings and tick “Enable kernel-mode authentication”. Do this for each directory.

Be careful: when upgrading to Exchange 2007 Service Pack 3, the setting was reset on 2 of the 4 directories, so these needed to be set back to enable kernel-mode authentication.
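
Because a service pack can silently reset the setting, it is worth scripting the check. The following is an added example (not from the original post) that reads the same IIS setting the Advanced Settings dialog edits for the four virtual directories above and can switch it back on; it assumes IIS 7 or later with the WebAdministration module and the default Exchange 2007 site name (SBS 2008 users would pass -Site 'SBS Web Applications').

```powershell
# Added example, not part of the original post: audit (and optionally re-enable)
# kernel-mode authentication on the four Exchange virtual directories named above,
# so the reset the post describes after Service Pack 3 is caught quickly.
# Assumes IIS 7+ with the WebAdministration module and the default Exchange 2007
# site name; SBS 2008 users should pass -Site 'SBS Web Applications'.
Import-Module WebAdministration

function Get-KernelModeAuthStatus {
    param(
        [string]$Site = 'Default Web Site',
        [string[]]$VirtualDirectory = @('AutoDiscover', 'RPC', 'EWS', 'OAB'),
        # Flip the setting back on where it is found off.
        [switch]$Fix
    )
    # The same IIS section that "Windows Authentication > Advanced Settings" edits.
    $filter = 'system.webServer/security/authentication/windowsAuthentication'

    foreach ($vdir in $VirtualDirectory) {
        $location = "$Site/$vdir"
        # Read from applicationHost.config at the vdir location, as IIS Manager does.
        $enabled = (Get-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
            -Location $location -Filter $filter -Name 'useKernelMode').Value

        if (-not $enabled -and $Fix) {
            Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' `
                -Location $location -Filter $filter -Name 'useKernelMode' -Value $true
            $enabled = $true
        }

        [pscustomobject]@{
            VirtualDirectory = $location
            KernelModeAuth   = [bool]$enabled
        }
    }
}

# Report only; add -Fix to re-enable the setting where it has been reset.
Get-KernelModeAuthStatus | Format-Table -AutoSize
```

Run the report after any Exchange service pack or rollup so a directory that has dropped back to false shows up before users start seeing the credential prompts.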