By www.microsoft.com
The information in this article applies to:
Microsoft Windows 2000 Server
Microsoft Windows 2000 Advanced Server
Microsoft Windows 2000 Datacenter Server
This article was previously published under Q223301
SUMMARY
This article discusses the security of the offline Security
Accounts Manager (SAM) and the accounts in it.
Windows 2000 domain controllers store domain user accounts, group
memberships and other objects in the Active Directory. The Windows 2000
Backup tool and third-party backup programs can back up the Jet-based
Active Directory database on an online Windows 2000 domain controller.
Some system maintenance tasks, and restoring the Active Directory, can
be performed only with the Active Directory "offline", in "Directory
Services Restore" mode. Directory Services Restore mode uses a
registry-based SAM accounts database to store the administrator account
and other built-in users and groups, and therefore represents a
different security context than the Active Directory.
MORE INFORMATION
Registry Based SAM Creation
Microsoft Windows NT version 4.0 and earlier store user accounts,
machine accounts, and group information in a registry-based
SAM. When you upgrade a Windows NT 4.0 primary domain controller
(PDC) to Windows 2000, DCPROMO starts at the end of Windows
2000 Setup. Accounts in the SAM are migrated to the jet-based
Active Directory. A new registry-based SAM containing the
"offline" administrator account (and other built-in
accounts needed to recover Windows 2000 domain controllers)
is created. Accounts in the registry-based SAM are available only in
Directory Services Restore mode, which is selected by pressing F8 in
the early part of the boot process. The registry-based SAM is stored
in the %SYSTEMROOT%\SYSTEM32\CONFIG folder.
For new Windows 2000 domains, the Active Directory database is built
and populated with a default set of users and groups. The same Windows
NT 4.0-style registry-based SAM found in the Windows NT upgrade
scenario is also created in the %SYSTEMROOT%\SYSTEM32\CONFIG folder.
Securing the Offline SAM
The methods of protecting the offline SAM are identical to those used
in Windows NT 4.0. Administrators looking to secure the offline SAM may
consider the following:
Maintain a different password for the administrator account in the
Active Directory and the administrator account in the offline SAM. As a
matter of policy, the two passwords should never be the same.
The online and offline passwords will
become different with the first password change of the Active
Directory administrator account.
Evaluate the risk, and then develop a password-changing policy
for critical accounts like the offline and Active Directory-based
administrator account using strong password guidelines.
The offline SAM cannot be accessed programmatically while a Windows
2000-based domain controller is running in Active Directory mode. To
implement a strong password change policy for the offline administrator
account:
1. Start the Windows 2000 domain controller in Directory Services
Restore mode.
2. Change the password for the account or accounts.
3. Restart the domain controller in Active Directory mode.
Because every change requires a restart, the server's uptime between
restarts effectively becomes the password change interval for the
offline administrator account.
Enable auditing of the SAM file located in the %WINDIR%\SYSTEM32\CONFIG
folder. Any access other than by the system backup or virus scanner
should be investigated.
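The auditing recommendation above, worked through as an added example; this is not code from the Knowledge Base article or from Microsoft. It assumes a current Windows Server domain controller, where auditpol.exe, Get-WinEvent and the file-system audit event ID 4663 exist (Windows 2000 has no PowerShell and records file access as event IDs 560/567, with the policy set in Local Security Policy), but the mechanism is the one the article describes: a SACL on the SAM hive file plus object-access auditing. The list of expected reader processes is an assumption and must be replaced with the backup agent and antivirus engine actually in use.

```powershell
# Added example (not from the KB article or from Microsoft). Audits every
# access to the SAM hive file and reports accesses by processes other than
# the expected backup and antivirus engines. Run in an elevated PowerShell
# on a Windows Server 2008 R2 or later domain controller.

$SamPath = Join-Path $env:SystemRoot 'System32\config\SAM'

# Assumed placeholders for the processes the article treats as legitimate
# readers (system backup and virus scan). Replace with your own agents.
$ExpectedProcesses = @('ntbackup.exe', 'wbengine.exe', 'MsMpEng.exe')

function Enable-SamAudit {
    # 1. Object-access auditing for files must be on, otherwise the SACL
    #    added below never produces an event.
    & auditpol.exe /set /subcategory:"File System" /success:enable /failure:enable | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "auditpol failed with exit code $LASTEXITCODE" }

    # 2. SACL entry on the hive file: log every read (success or failure)
    #    by any principal. Reading the SACL requires SeSecurityPrivilege,
    #    which an elevated administrator holds.
    $acl  = Get-Acl -Path $SamPath -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData', 'None', 'None', 'Success,Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $SamPath -AclObject $acl
}

function Get-UnexpectedSamAccess {
    param([int]$Hours = 24)
    $since  = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $since } `
                           -ErrorAction SilentlyContinue
    foreach ($e in $events) {
        # Pull the named EventData fields from the event XML rather than
        # relying on positional Properties indices.
        $data = @{}
        ([xml]$e.ToXml()).Event.EventData.Data | ForEach-Object { $data[$_.Name] = $_.'#text' }
        if ($data['ObjectName'] -ne $SamPath) { continue }       # only the SAM hive
        $proc = Split-Path -Leaf $data['ProcessName']
        if ($ExpectedProcesses -contains $proc) { continue }       # backup / AV: expected
        [pscustomobject]@{
            Time    = $e.TimeCreated
            User    = "$($data['SubjectDomainName'])\$($data['SubjectUserName'])"
            Process = $data['ProcessName']
            Access  = $data['AccessMask']
        }
    }
}

Enable-SamAudit
# Everything this prints is, per the article, something to investigate.
Get-UnexpectedSamAccess -Hours 24 | Format-Table -AutoSize
```

The SACL is placed only on the SAM file, so turning on the File System subcategory does not by itself flood the Security log; other files produce events only if they carry their own audit entries. The process filter is deliberately a last step: the events are still recorded for the expected processes, which keeps a full record for forensics while the report shows only the anomalies.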
NOTE: Do not follow the steps outlined in the following articles in the
Microsoft Knowledge Base:
184017 Administrators Can Display Contents of Service Account Passwords
143475 Windows NT System Key Permits Strong Encryption of the SAM
Physical security for computers, emergency
repair disks and tape backup media is a critical component
in creating any secure environment.
Administrators may experience more loss of service from being unable to
produce the password for the offline administrator account than from
attacks against the offline SAM. Define an internal process for storing
and retrieving offline administrator passwords that does not compromise
security but keeps the passwords available for system maintenance and
recovery. Consider that servers are typically rebuilt during off-peak
hours, months or even years after the operating system was originally
installed.
You may remotely change the password for the offline SAM by using
Terminal Services in remote administration mode and toggling the
Boot.ini switch (/safeboot:dsrepair) to start the computer alternately
in Directory Services Restore mode and Active Directory mode.
SETPWD.exe, which is included in Windows 2000 Service Pack 2, and the
"Set DSRM Password" command in the Windows .NET Server version of
NTDSUTIL.exe allow administrators to change the Directory Services
Restore mode administrator password on a domain controller while the
directory service is online.
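The three ways of rotating the offline administrator password described above (restarting into Directory Services Restore mode, toggling the boot switch remotely, and changing it online with SETPWD.exe or NTDSUTIL), as an added PowerShell example; this is not code from the Knowledge Base article or from Microsoft. It assumes a domain controller running Windows Server 2008 R2 or later, where the BCD store replaces Boot.ini (bcdedit's safeboot dsrepair value is the equivalent of the /safeboot:dsrepair switch) and NTDSUTIL's "set dsrm password" menu supports "sync from domain account". The account name DsrmStaging and the success string checked in the output are assumptions.

```powershell
# Added example, not from the KB article or from Microsoft. Rotates the
# Directory Services Restore mode (DSRM) administrator password, which lives
# in the registry-based SAM at %SystemRoot%\System32\config\SAM, on a DC
# running Windows Server 2008 R2 or later. Run in an elevated PowerShell on
# the DC, locally or over Remote Desktop (the successor of Terminal Services
# remote administration mode).

# --- Path A: the reboot method from the article (offline SAM is writable) ---
# Successor of toggling /safeboot:dsrepair in Boot.ini. Sequence:
#   Enter-DsrmBoot; Restart-Computer
#   (log on as .\Administrator with the current DSRM password)
#   net user Administrator *          # set the new offline password
#   Exit-DsrmBoot; Restart-Computer   # back to Active Directory mode
function Enter-DsrmBoot {
    & bcdedit.exe /set '{default}' safeboot dsrepair | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
}
function Exit-DsrmBoot {
    & bcdedit.exe /deletevalue '{default}' safeboot | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit failed with exit code $LASTEXITCODE" }
}

# --- Path B: online, no reboot (what SETPWD.exe / "Set DSRM Password" do) ---
# "sync from domain account" copies the password of a domain account into
# the DSRM administrator entry in the offline SAM, so the offline password
# can follow the same rotation schedule as any online account without the
# uptime-as-interval problem the article describes. 'DsrmStaging' is an
# assumed name for a dedicated domain user used only for this purpose; set
# its password immediately before calling this and change it again after.
# Never use the Active Directory Administrator account as the source: the
# article's policy is that the online and offline passwords must differ.
function Sync-DsrmPassword {
    param([Parameter(Mandatory)][string]$SourceAccount)
    $out  = & ntdsutil.exe 'set dsrm password' "sync from domain account $SourceAccount" q q 2>&1
    $text = ($out | ForEach-Object { "$_" }) -join "`n"
    # Confirmation text as printed by ntdsutil on Server 2008 R2/2012
    # (assumed stable; adjust if your build words it differently).
    if ($text -notmatch 'synchronized successfully') {
        throw "ntdsutil did not confirm the password sync:`n$text"
    }
    return $true
}

# Interactive variant of Path B, which prompts for the new password:
#   ntdsutil "set dsrm password" "reset password on server null" q q

Sync-DsrmPassword -SourceAccount 'DsrmStaging'
```

Path B is a one-time copy: changing the staging account's password afterwards does not change the DSRM password, which is why the staging account can be rotated freely once the sync has been confirmed. Whichever path is used, the new offline password still has to be recorded through the storage and retrieval process the article asks for, since a domain controller that cannot be logged on to in Directory Services Restore mode cannot be restored.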