Why Physical Security is Important
By Rodney Buike
Physical security of you server is an important, but often overlooked part of the entire security checklist. If unauthorized personnel gain access to the physical machine, game over. I have heard many excuses, "no one wants to steal this old server", "they'll never get out the door with it", it takes too long to crack passwords and we have account lockouts set" etc....... It is true that no one may want to steal the actual hardware, but getting control of it can be just as damaging.
Resetting the local machine password is easy and there are a wide variety of tools available to do it. I personally like Locksmith, which is included with ERD Commander from Winternals, but there is a free version called NTPasswd that also works great. These will allow you to gain access to the local machine but the domain admin password is a little more involved.
Before we can begin, there are a few prerequisites; you need the local machine administrator username and password, which we just went over, CMD.EXE, SRVANY.EXE and INSTSRV.EXE from the resource kit (CMD.EXE is located in systemroot%\System32). With these in hand we are ready to begin. The first bit is for Windows Server 2003 only; I will cover Windows 2000 in a few minutes.
With the local admin username and password in hand the first step is to reboot the DC and enter into Directory Services Recovery Mode. Press F8 after POST but before the boot logo appears and then select the Directory Services Recovery Mode from the list. When the login screen appears, login with the local administrator username and password. You must enter the local admin username and password because Active Directory is disabled in Directory Services Recovery Mode.
Create a folder on C:\ called RecoverPWD and copy CMD.exe SRVANY.exe and INSTSRV.exe to this folder. Open up a command prompt and type:
C:\RecoverPWD\INSTSRV.exe RecoverPWD "C:\RecoverPWD\SRVANY.exe" Press Enter
This will install a new service called RecoverPWD.
Now we need to configure the properties of the service. To do this we need to edit the registry. Run regedit and browse to:
We need to create a subkey called "Parameters" and under this we need to create two values.
value: /k net user NewAdmin P@55Word /domain
Close regedit. From a command prompt run Services.msc and locate RecoverPWD in the list. Ensure it is set to Automatic.
Reboot the DC and let it start normally, once the login screen appears login with username NewAdmin and password P@55Word. Now that you have logged on as a domain administrator, you can reset the original domain administrator password. Once you have reset the original domain admin password, delete the NewAdmin account and remove the RecoverPWD service.
To remove the service open up a command prompt and type:
net stop RecoverPWD
sc delete RecoverPWD
On Windows 2000 DC's its even easier! Reboot the server and enter Directory Services Repair Mode. Login to the DC with the local machine administrator username and password. Launch regedit and browse to:
Change the following values:
SCRNSAVE.EXE - change from logon.scr to cmd.exe
ScreenSaveTimeout - change from 900 to 10
ScreenSaveActive - change to 1
Close the registry editor and reboot the server, when the logon screen appears waiting 10 seconds, the logon screensaver will start and CMD.exe will run. Run DSA.msc to launch the Active Directory Users and Computers MMC. Reset the Domain Administrator password and close the MMC. Type EXIT at the command prompt to close CMD.exe. Hit CTRL+ALT+DEL and login with the Domain Administrator username and the new password.
That's it! Pretty easy, maybe too easy. This should make you think twice about the physical security of your servers! Now along with preventing physical access to the servers there are a few more steps you can take to prevent this from happening. First off, ALWAYS rename the local administrator account on all your workstations and servers. This can be done domain wide with group policy under:
Domain Level Group Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Accounts: Rename Administrator Account
Enable this policy and enter in the account name you would like to as the local administrator password. One other step you can take is to remove the CD and floppy drive from the system and use a USB CD/Floppy when needed. If the system cannot be booted from a CD or Floppy, neither of the tools I mentioned will be able to reset the local administrator password. If you can't remove the CD and Floppy drive, at least take them out of the boot order and password protect the BIOS.
Finally, use Syskey. Windows 2000, XP and 2003 includes a Security Accounts Management database that contains hashed copies of user passwords. The database is then encrypted and the encryption key is stored on the local machine. When you boot up the machine and attempt to log on locally the encryption key is used to gain access to the SAM database and verify the correct password has been entered. Syskey allows you to move this encryption key to a floppy disk, which must be present in the floppy drive in order to log on to the machine with any local machine account. Just don't leave the floppy in the drive or in an unsecured location and always make a backup of this disk.