Learn from my comedy of errors.....

[Tiger Shark]

The scenario:

1. Standalone, (not a member of any domain), Windows 2000 Server running IIS 5.
2. Publicly available providing DNS, IIS and SMTP services.
3. Hardened - Only Local Admin, "normal use" Admin and System have rights to anything but personal folders.
4. One user has rights to alter web pages under c:\inetpub\wwwroot\mydomain and his personal folders.
5. Administrative rights available to only Local Admin, (renamed), and another "normal use" admin
6. Account lockouts last three days to cover weekends.
7. Automatic updates set to install daily at 3am
8. System state backup scheduled at 4:00am daily
9. Changed "normal use" admin's password per policy
10. Forget to change scheduled backup login password for "normal use" admin.....
11. Go home......

Next morning I arrive at work to find "normal use" admin's account is locked out. Lockout period is three days...... Oooops, the account will now lock itself nightly...... Go to get the nice little envelope with the Local Admin's password in it..... $h17.... Can't find it..... System state backup _useless_ since I don't have any rights worth a crap.....<sigh>

Reboot to linux floppy with NTFS support, grab the SAM and start trying to crack it using all printable characters..... By the time it gets to a password length of 8 it reports 19 days to complete....... $h17......

Time to try other means..... Priviledge escalation seemingly impossible from the restricted account..... Remote tools are all access denied..... Patch level is fully up to date so skiddie tools are no use.... (which I considered but didn't want to try).

Ok, time to try the one I didn't really want to have to go through - Install second Win2k load in different folder, boot to it, edit registry to change first load's screensaver to cmd.exe, reboot, wait, run "net user LocalAdminName 12345" to reset the password, reboot, login, remove second load, fix boot.ini........ Phew....

In the process of setting the BIOS to allow boot from the CD-ROM first it hit me...... Can you guess?




page down




page down




page down




page down




page down



Change the system clock forward a year and reboot..... The account unlocks.... phew!!!!!

1 1/2 days to find the simple solution.......

On the bright side I discovered that I have this server pretty well locked down and it won't be easy for anyone even with local access to get on it let alone remote..... Also, making sure everything ran as a service ensured that the services it provided were always available.

LESSONS LEARNED:

1. Secure the local admin password where it can't be "lost" and remember where the hell you put it, (a year goes past fast but the brain forgets quicker).
2. Contrary to best practice have a third admin, (read "backdoor"), that you never use, (on non-domain member systems).
3. Remember to check for scheduled events when you change passwords and change the password there too.

[RoadClosed]

Tiger, I laughed at your expense at the line about a CD-ROM... sorry but if I hadn't have been there myself it wouldn't have been commical. Got enough money for a palm device?

[Tiger Shark]

RoadClosed:

Got enough money for a palm device?

Let's not go there.... I have one..... with a secure information store loaded on it that even has special formats for passwords........ Wanna guess who's too lazy or stupid to put them in sometimes....

page down, etc......

$h17ferbrains here.....

I learned a few things about well secured boxes though and I hope somone else can use the "trick" without having to go through the leaning curve I had to.....

[HTRegz]

Hey Hey,

Looks like you could use a copy of the CD we have here. A lot of the time we get back laptop rentals and they don't give us the password, or someone brings their computer in to be repaired and forgets to leave the password. We're too lazy to contact them to get it, so we have a couple CDs. I've never seen it take more than 30 minutes to remove/change the password. I've been meaning to play with the software to see what exactly it is, but I'm rather impressed with it....

Peace,
HT

[DjM]

Originally posted here by HTRegz
Looks like you could use a copy of the CD we have here.

Hey HT, is that commercial software on the CD, or something you have developed yourself. If possible, would you be willing to share? I have had situations at my shop where something like that would have come in handy.

Cheers:

[Tiger Shark]

HT: Doh..... Now you tell me.... <LOL>

I do find it interesting though that a simple BIOS reset of the clock unlocks the account. It means that with physical access I can brute force an admin password without regard for the lockout period because I can just reset it. Maybe there should be a system where the admin can chose the following options:-

On account lockout check expired time by:-

1. Local Time server on network.
2. Internet based clock synch.
3. Internal timer, (registers clock ticks as long as machine is left on).
4. No check of expired time required, use system BIOS.

In that way a given period can be enforced. If remote time sources cannot be accessed then the system reverts to 3 so that the lockout time is at least as much as the admin set. If the remote machine later becomes available then it's time is accepted if 1 or 2 were selected.

I did try a few other things like password reset programs but the one I tried for that did not recognize the disk even when the controller drivers were provided so I was still stuck.

[HTRegz]

Originally posted here by DjM
Hey HT, is that commercial software on the CD, or something you have developed yourself. If possible, would you be willing to share? I have had situations at my shop where something like that would have come in handy.

Cheers:

It's not something we've developped, at least I don't think it is... The one is a fairly basic CD... and it's the one we've always had, the other one someone just handed us one day and it's great..... you can reach me at ht_regz@hotmail.com on msn messenger or 11854130 on ICQ.

Peace,
HT

[tyfon]

Learnt a couple of thing from your post...anyway it is good to share with other your mistakes so aas not to do them...