The scenario:

1. Standalone (not a member of any domain) Windows 2000 Server running IIS 5.
2. Publicly available providing DNS, IIS and SMTP services.
3. Hardened - Only Local Admin, "normal use" Admin and System have rights to anything but personal folders.
4. One user has rights to alter web pages under c:\inetpub\wwwroot\mydomain and his personal folders.
5. Administrative rights available only to Local Admin (renamed) and another "normal use" admin
6. Account lockouts last three days to cover weekends.
7. Automatic updates set to install daily at 3am
8. System state backup scheduled at 4:00am daily
9. Changed "normal use" admin's password per policy
10. Forgot to change scheduled backup login password for "normal use" admin.....
11. Go home......

Next morning I arrive at work to find "normal use" admin's account is locked out. Lockout period is three days...... Oooops, the account will now lock itself nightly...... Go to get the nice little envelope with the Local Admin's password in it..... $h17.... Can't find it..... System state backup _useless_ since I don't have any rights worth a crap.....<sigh>

Reboot to linux floppy with NTFS support, grab the SAM and start trying to crack it using all printable characters..... By the time it gets to a password length of 8 it reports 19 days to complete....... $h17......

Time to try other means..... Privilege escalation seemingly impossible from the restricted account..... Remote tools are all access denied..... Patch level is fully up to date so skiddie tools are no use.... (which I considered but didn't want to try).

Ok, time to try the one I didn't really want to have to go through - Install second Win2k load in different folder, boot to it, edit registry to change first load's screensaver to cmd.exe, reboot, wait, run "net user LocalAdminName 12345" to reset the password, reboot, login, remove second load, fix boot.ini........ Phew....

In the process of setting the BIOS to allow boot from the CD-ROM first it hit me...... Can you guess?




page down







Change the system clock forward a year and reboot..... The account unlocks.... phew!!!!!

1 1/2 days to find the simple solution.......

On the bright side, I discovered that I have this server pretty well locked down, and it won't be easy for anyone, even with local access, to get on it, let alone remotely..... Also, making sure everything ran as a service ensured that the services it provided were always available.

LESSONS LEARNED:

1. Secure the local admin password where it can't be "lost" and remember where the hell you put it, (a year goes past fast but the brain forgets quicker).
2. Contrary to best practice, have a third admin (read "backdoor") that you never use (on non-domain-member systems).
3. Remember to check for scheduled events when you change passwords and change the password there too.
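
Lesson 3 is the one that bit hardest in the story above: a scheduled job kept presenting the old password every night and re-locked the account. The script below is an added example, not part of the original post, showing how I would do that check on a current standalone Windows box before rotating a password. It assumes Windows 8 / Server 2012 or later (for Get-ScheduledTask and Get-CimInstance); the account name and the host name are placeholders. On the Windows 2000 host in the story you would have to read the output of at and the Services console by hand instead.

```powershell
# Added example (not from the original post): before rotating a password on a
# standalone server, list everything that will keep trying the OLD password.
# Assumes Windows 8 / Server 2012+ for Get-ScheduledTask and Get-CimInstance.
param(
    [Parameter(Mandatory)][string]$Account   # placeholder, e.g. 'MYSERVER\backupadmin'
)

# Normalize so 'backupadmin', '.\backupadmin' and 'MYSERVER\backupadmin' all match.
$short = ($Account -split '\\')[-1]

# 1. Scheduled tasks whose RunAs principal is the account.
#    (The nightly system-state backup in the story would show up here.)
$tasks = Get-ScheduledTask | Where-Object {
    $_.Principal.UserId -and ((($_.Principal.UserId -split '\\')[-1]) -ieq $short)
}
foreach ($t in $tasks) {
    "{0,-8} {1}{2}" -f 'TASK', $t.TaskPath, $t.TaskName
}

# 2. Services whose logon account (StartName) is the account.
$services = Get-CimInstance Win32_Service | Where-Object {
    $_.StartName -and ((($_.StartName -split '\\')[-1]) -ieq $short)
}
foreach ($s in $services) {
    "{0,-8} {1} ({2})" -f 'SERVICE', $s.Name, $s.State
}

# 3. Show the local lockout policy (threshold, duration, observation window)
#    so you know how many failed logons a forgotten job can burn before the
#    account locks, and for how long it stays locked.
net accounts | Select-String 'Lockout'

if (-not $tasks -and -not $services) {
    "Nothing found running as $Account. Still check IIS app pools and COM+ identities by hand."
} else {
    "Update the stored credential on every item above in the same change window as the password."
}
```

Run it as an administrator with the account you are about to change, e.g. `.\Check-RunAs.ps1 -Account 'MYSERVER\backupadmin'` (script name is mine). Once the list is in hand, the task credentials are updated with Set-ScheduledTask -User/-Password and the service credentials with sc.exe config <svc> obj= <account> password= <pw>, before the first scheduled run after the change.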