NT 4.0 Passwords?
I'm a sysadmin at a school in Switzerland.
Now, my problem is: one of the students has probably got Administrator-rights on the system. We are running NT 4.0 with SP 5 installed.
The student has been excluded from the PC room. I'm only wondering how he could have gotten my password? He probably got a copy of the SAM._ database, but how?
I need this info to avoid further penetrations.
Could you help me please?
You say a student 'probably' obtained Admin rights; why do you think this? i.e., what made you assume that they have Admin rights?
You say you're running NT with Service Pack 5; why not Service Pack 6a, and also what patches have been applied to these machines (if any)? <-- note this is a big opportunity for problems if not completed.
If the machine's BIOS isn't secured (and/or the 1st boot device is floppy) then access would have been easy: booting a Linux floppy with NTFS utils would allow them to reset the Admin password or to copy the SAM for later use.
Please provide more info and I'm sure we'll help.
I suggest, in addition to what has been suggested already, that you reset ALL passwords on the machine. He could have used the ERD for the machine and reset it to a prior password, then put in a backdoor admin account and changed it back. Or he could have run L0phtCrack on the SAM on the ERD. He could also have used one of these tools here:
Go through all user accounts and reset the passwords. Then install some form of boot protection and prevent physical access.
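The advice above to reset every account and look for a backdoor admin account is easier to act on with a baseline to compare against. The following is an added example for this thread, not code from any of the posters: it parses the text that `net localgroup Administrators` prints on Windows NT and reports members that were not in a recorded baseline (a possible backdoor account) or that have gone missing (the real admins being locked out). The sample output and the baseline names are constructed for the example.

```python
"""Audit the local Administrators group for accounts that were not there
before the incident.

Added example for this thread, not code from any of the posters.  It parses
the text printed by `net localgroup Administrators` on Windows NT; the sample
output and the baseline member names below are constructed for the example.
"""

import re
import subprocess
import sys
from typing import Set

# Constructed sample in the format `net localgroup Administrators` prints:
# header, a dashed rule, one member per line, then a status line.
SAMPLE_OUTPUT = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
helpdesk
Domain Admins
The command completed successfully.
"""

# Membership recorded when the room was set up (constructed, hypothetical names).
BASELINE_ADMINS = {"Administrator", "Domain Admins"}


def parse_localgroup_members(output: str) -> Set[str]:
    """Return the member names from `net localgroup <group>` output.

    Members are the non-blank lines between the dashed rule and the
    'The command completed' status line; everything else is header text.
    """
    members = set()
    in_members = False
    for raw in output.splitlines():
        line = raw.strip()
        if re.fullmatch(r"-{5,}", line):
            in_members = True
            continue
        if line.startswith("The command completed"):
            break
        if in_members and line:
            members.add(line)
    return members


def unexpected_admins(output: str, baseline: Set[str]) -> Set[str]:
    """Members present now but absent from the baseline.

    Any name here is a candidate backdoor account: disable it and check the
    security log for who created it, rather than just deleting it.
    """
    return parse_localgroup_members(output) - baseline


def removed_admins(output: str, baseline: Set[str]) -> Set[str]:
    """Baseline members no longer in the group (tampering can also mean
    locking the legitimate admins out)."""
    return baseline - parse_localgroup_members(output)


def current_output() -> str:
    """Run the real command on Windows; fall back to the sample elsewhere."""
    if sys.platform.startswith("win"):
        return subprocess.run(["net", "localgroup", "Administrators"],
                              capture_output=True, text=True, check=True).stdout
    return SAMPLE_OUTPUT


if __name__ == "__main__":
    out = current_output()
    print("unexpected:", sorted(unexpected_admins(out, BASELINE_ADMINS)))
    print("removed:   ", sorted(removed_admins(out, BASELINE_ADMINS)))
```

Record the baseline once from a machine you trust, then rerun the check after the incident and as part of routine maintenance; the same parser works for any other group you care about, such as Backup Operators.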
A man on a mission?
You need a plan, man!
You need an emergency response plan that you practice and know. There are all SORTS of things you should have done immediately when you realized there may have been a problem. First of all, all passwords should be changed WEEKLY, and be alphanumeric+symbols and at LEAST 8 characters long, PERIOD. This is VERY important. You should also have your admin computers physically secure and on a separate VLAN from curriculum computers, so even if a password were obtained, an offender would also have to circumvent physical security restraints in order to get on a computer he could use the password to log on to.
Find out ALL accounts that may have been accessing or 'probing' your computer within the hour you suspect the student got it, and if he was at school during the time, what class was he in? There should be no fear of remote attack, really, though, because your district's firewall should block out incoming traffic with a double firewall, and have all public servers on the public backbone.
(My teacher is yelling at me so I've got to go for now; hope this helped somewhat.)
already mentioned above by others:
- He could have taken the SAM from the NT repair directory where NT stores a copy of the SAM or from some ERD disk and run a password 'auditing tool' legal talk for 'cracker tool' on your SAM.
- With a Linux boot disk and NTFS tools (allowing one to read the partitions, including the ones that are normally protected by NT with a regular boot) he could easily gain access to your SAMs.
Changing passwords weekly is not easy to implement; the risk that users choose nearly the same password every week reduces your security. It's better to change passwords every month and require that it's entirely different. You need to consider both security and user-friendliness issues when you decide to do something about it. So definitely go for a (realistic) plan.
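The two posts above between them give a password policy: at least 8 characters mixing letters, digits and symbols, and a new password that is genuinely different from the old one rather than a weekly tweak. The following is an added example, not code from any of the posters, of how a password-change hook could enforce both rules; the carry-over threshold and the sample passwords are assumptions made for the example.

```python
"""Password-change check covering two points raised in this thread: the
length/character-class rule (at least 8 characters, letters plus digits plus
symbols) and the warning that a "new" password which is only a tweak of the
old one adds nothing.

Added example, not code from any of the posters.  The similarity threshold
and the sample passwords are assumptions made for the example.
"""

import re
import string
from typing import List

MIN_LENGTH = 8
# Assumed threshold: reject when more than half of the old password survives.
MAX_CARRYOVER = 0.5


def complexity_problems(pw: str) -> List[str]:
    """Violations of the 8+ chars, alphanumeric-plus-symbols rule."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbols")
    return problems


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, two-row dynamic programming."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def _letters_only(pw: str) -> str:
    """The word part of a password: lower-cased, digits and symbols dropped."""
    return re.sub(r"[^a-z]", "", pw.lower())


def is_near_variant(old: str, new: str) -> bool:
    """True when `new` is `old` with only trivial changes.

    Catches the Winter01 -> Winter02 pattern (same word, different suffix)
    and, more generally, any new password that keeps more than MAX_CARRYOVER
    of the old one character for character (case-insensitively).
    """
    if _letters_only(old) and _letters_only(old) == _letters_only(new):
        return True
    longest = max(len(old), len(new), 1)
    carried = 1 - edit_distance(old.lower(), new.lower()) / longest
    return carried > MAX_CARRYOVER


def check_change(old: str, new: str) -> List[str]:
    """All reasons the change should be rejected; empty means accept."""
    problems = complexity_problems(new)
    if is_near_variant(old, new):
        problems.append("too similar to the previous password")
    return problems
```

Comparing against the previous cleartext is only possible at change time, inside the password filter, which is also the only place the old value should ever be visible; nothing here needs to be stored afterwards.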
What that student did was this.
Used a small program on his computer called 'abaddon'. (or similar) Once an administrator logged on to his computer; the 'user' was immediately given admin rights.
As long as he keeps running this program, AND you log in to his computer as admin... he will always get admin rights.