ophcrack v2 :|

[Guest]

Hi everyone,
Is it possible to change location of local user’s passwords under Windows
XP?
During this time most of BIOSes allow to change boot order without entering
to bios system. In corporate environments this tool is very dangerous tool :|.

Thanks a lot for any information.
Regards,
Pawel

 

[karl levinson, mvp]

Hi everyone,
Is it possible to change location of local user's passwords under Windows
XP?

No. There are other countermeasures against l0phtcrack [which is no longer
sold, by the way] style attacks. The main countermeasure is good physical
security. Without physical security, any OS can be cracked, not just
Windows. Another countermeasure is entire hard drive or partition
encryption [not EFS]. Another countermeasure is setting a BIOS / CMOS
password and either locking the case with a physical lock, or configuring
the system to alert you when the case has been opened.

During this time most of BIOSes allow to change boot order without
entering
to bios system. In corporate environments this tool is very dangerous tool
:|.

If you've got an intruder walking your halls, you arguably have bigger
problems. But people have been implementing these countermeasures for years
to reduce the risk to an acceptable level.

 

[Miha Pihler [MVP]]

Hi Pawel,

I agree completely with what Karl wrote.

The problem of having physical access is not limited to operating systems,
but it also extends to hardware devices (e.g. switches, routers and
appliances). As long as I have physical access to these devices I "own"
them...

Think about what Karl suggested and set boot order in BIOS and then lock the
BOIS down. There is another "tool" that you can use - security policy. Write
a policy which will prohibit changing of local password by unauthorized
users. If the rule is broken -- fire the person.

 

[Guest]

Thanks a lot Mike and Karl,

I know basics of security. Problem basis on this that some users in network
must have access to cd drives. If i will change BIOS boot order and look down
the bios it not solution because most of main boars bioses allowing to change
boot order without entering to BIOS. For ex. F8 key and there is no option to
block this in BIOS system I have this kind of PCs in my network
Disk encryption it is solution but in my country it is very expensive
solution .
Writing policy is no solution too because this tool decrypting user
passwords, user will have original local administrator password in 1 min.
(even if it is strong password). For what hi will need to change password if
will know original password...
At least i have servers in secured room but securing workstations are the
problem.
Thanks a lot again for your help guys but I think Microsoft should write
very fast some security patch…

Pawel
MCSE,MCSDBA

Thanks a lot again for your hep

 

[Miha Pihler [MVP]]

Hi,

You should read this
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

How fast passwords can be broken depends on the length of the password. If
you select complex passwords longer then 14 characters (you should) then
they are stored as NTLM Hash and not LM Hash. In my experience when doing
auditing strong passwords can't be cracked within 90 days. If passwords are
stored as LM Hash -- they can be brute forced within hours...

Still this doesn't mean much because as long as you allow users to boot from
CD -- they can simply reset the passwords to new value and not bother with
the old one - but then again this is problem with all operating system and
devices where you can't limit physical access.

You can also use Passgen tool from
http://www.protectyourwindowsnetwork.com/tools.htm and have different local
administrator password on each computer on LAN.

How to prevent Windows from storing a LAN manager hash of your password in
Active Directory and local SAM databases
http://support.microsoft.com/kb/299656/

 

[karl levinson, mvp]

Hi,

You should read this
http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/security/bpactlck.mspx

How fast passwords can be broken depends on the length of the password. If
you select complex passwords longer then 14 characters (you should) then
they are stored as NTLM Hash and not LM Hash. In my experience when doing
auditing strong passwords can't be cracked within 90 days. If passwords
are stored as LM Hash -- they can be brute forced within hours...

I forgot to mention this as well... If you are concerned about brute force
attacks on local accounts, then make sure that local accounts either have a
special non-printable character in them, or are at least 8 to 14 characters
long.

Of course, there is another valid school of thought that says that it is
better security to allow 4 or 5 character long passwords, because those are
long enough to prevent password guessing via the local keyboard, without
making users write down passwords on notes under keyboards that end up in
dumpsters in the alley, and that if someone has your SAM, they already by
definition have full admin privileges on the system and all files on it
anyways.

How to prevent Windows from storing a LAN manager hash of your password in
Active Directory and local SAM databases
http://support.microsoft.com/kb/299656/

This is good too.

 

[karl levinson, mvp]

I know basics of security. Problem basis on this that some users in
network
must have access to cd drives. If i will change BIOS boot order and look
down
the bios it not solution because most of main boars bioses allowing to
change
boot order without entering to BIOS.

I've never heard of this, but I'll have to take your word for it.

Well, if your users require the ability to boot from a CD, that's a risk
you'll have to accept. No OS can survive that.

For ex. F8 key and there is no option to
block this in BIOS system I have this kind of PCs in my network
Disk encryption it is solution but in my country it is very expensive
solution .

I'm confused. Aren't there free disk encryption solutions out there?

Well, if you really wanted to protect against local SAM attacks via a boot
CD, you could run the SYSKEY command to enable syskey encryption of the SAM
that requires the user to enter a password every time the system boots. A
bit of a pain, but then increased security sometimes means increased pain
and effort.

Writing policy is no solution too because this tool decrypting user
passwords, user will have original local administrator password in 1 min.
(even if it is strong password).

No, if the admin password is not stored as an LM hash format, and it either
contains a special non-printable character such as ÿ e.g. ALT-0255, or is
longer than 10 characters, cracking the local admin password becomes a
significant, maybe insurmountable challenge, even with current rainbow
tables.

Thanks a lot again for your help guys but I think Microsoft should write
very fast some security patch.

There really isn't much Microsoft can do about this, it's a security issue
in the hardware, the firmware, and it impacts all OSes. There are ways to
defend against it, but it can increase your pain and decrease your
functionality.

I think adding salt to the SAM hashes [even as simple as the SID or user
name] would help prevent rainbow tables and other kinds of brute force
attacks, but some experts at Microsoft have argued against this, and have
won for now. I believe part of the argument is that if someone owns your
SAM, they have already owned your box. I'm not sure I agree entirely with
this logic here, because a password on one system can give an attacker
access to other systems, for example.

 

[Kevin D. Quitt]

I take my computer out into the field, including to customer sites, so I like to have it
locked down as tight as possible. I have my BIOS set with a power-on password, but if you
time it right, you can hit escape and get the boot-from menu. I've pointed this out to
the vendor, who seemed rather surprised by the whole thing.

 

[Steven L Umbach]

If you need to give some users access to cd drive then that is a risk you
take. Out of curiosity what is your concern of a user becoming local
administrator of their computer? I am not saying that is not a problem but
it should not cause compromise of your domain or member servers if you are
following other best practices.

Steve