The bottom line is that neophyte hackers can download tools such as L0phtCrack for free from the Internet and gain access to your accounts if they can get a copy of your password hashes. NT stores password hashes in as many as seven locations, and tools such as L0phtCrack can currently find and crack hashes in all but one of the locations. You need to be aware of the risks involved with storing passwords in each location and measures you can take to protect your network from hacker attacks.
The Registry. NT stores its primary copy of password hashes in the HKEY_LOCAL_MACHINE\SAM Registry key. To access these Registry values, you must use the built-in System Account. Configure NT's Schedule service to log on as the System Account and select the Allow Service to Interact with Desktop check box. Use the AT command to run a Registry editor, and drill down into the SAM key. (For more information about using the AT command, see Mark Minasi, "Where It's AT," March 1998 and "A Better AT," April 1998.)
L0phtCrack uses a similar method to retrieve hashes from the Registry. Obtaining hashes from the Registry requires administrators group membership. To protect your system, restrict people to whom you grant membership in the administrators group, and do not let anyone run untrusted programs under an administrator account.
Physical jeopardy. Remember that the Registry consists of standard files called hives. NT dynamically grafts these files into the virtual tree of the Registry. The SAM database is in the %SYSTEMROOT%\system32\config\sam hive file. When NT is running, the SAM database is accessible only to the system. But, if your system partition is FAT, someone with physical access to your system can boot DOS and copy the SAM database to a disk. If your system partition is NTFS, a hacker can load NTFSDOS (which you can download from http://www.sysinternals.com) to gain DOS read-only access to your NTFS partitions and copy the database. Hackers can also copy the database by booting a different installation of NT on your system. If an intruder installs a second version of NT (e.g., to c:\winnt2), all the security features of the original NT installation in c:\winnt are void.
Limit physical access to computers. Disable your systems' ability to boot from removable media devices. Password protect systems' boot settings if your BIOS supports this feature. And, use SP3's Syskey utility to make the SAM hashes more difficult to crack.
Syskey creates a random password encryption key and uses that key to encrypt the hashes in the SAM database. Then, Syskey encrypts the password encryption key with a system key. Administrators can choose among three methods for creating and storing the system key: First, NT can generate a system key using a complex obfuscation algorithm and store that key on the system where the SAM database resides. Second, NT can generate a system key that you store on a disk. (If you choose this option, be sure to create and test backups of the system key disk; if you store the system key on only one disk and that disk goes bad, users won't be able to log on to the network.) Third, you can specify a password to serve as the system key. All three methods defeat state-of-the-art hacker tools. The last two choices are more secure than the first choice, but they require user intervention, which can cause problems when servers need to automatically reboot. You can use the second method and leave the disk in the server's drive to eliminate the need for manual reboots, but if the machine isn't completely secure against physical intruders, this option creates another security risk.
ERDs. Your ERDs contain a copy of all your Registry files, including the SAM database. During assessments of clients' security, I often find an ERD lying near a server or on an administrator's desk. How many people have access to your servers or your desk? Do you want to give all those people access to your hashes? Probably not. To protect your ERDs from hackers, set policies that control how many ERDs exist for each system and where administrators store the disks. Also, use Syskey to encrypt your password hashes so that if hackers obtain one of your ERDs, they can't easily recover the hashes.
Rdisk. Rdisk, the program that creates ERDs, uses NT's native compression tool to compress Registry files in the staging directory %SYSTEMROOT%\repair. The directory's default file permissions are weak; NT does not lock this copy of Registry files while the OS is running. For Rdisk protection, use Syskey, give only administrators access to the repair directory, and limit physical access to your servers.
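The following audit script is an added example, not part of the original article, that checks three of the locations discussed above on the local machine: the permissions on the SAM hive file, on the %SYSTEMROOT%\repair staging directory and its contents, and the Syskey mode. It assumes a current PowerShell, and the Syskey mode is read from the HKLM\SYSTEM\CurrentControlSet\Control\Lsa SecureBoot value, which the article does not mention. Run it from an administrator prompt.

```powershell
# Added audit script (not from the original article). Reports any account other
# than SYSTEM and Administrators with Allow entries on the hash locations.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

function Test-RestrictedAcl {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return "$Path : not present" }
    try {
        $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    } catch {
        return "$Path : could not read ACL ($($_.Exception.Message))"
    }
    # Any Allow entry for an identity outside the allowed list is a finding.
    $extra = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $allowed -notcontains $_.IdentityReference.Value
    }
    if ($extra) {
        $who = $extra | ForEach-Object { "$($_.IdentityReference) ($($_.FileSystemRights))" }
        return "$Path : FINDING, also granted to " + ($who -join '; ')
    }
    return "$Path : restricted to SYSTEM and Administrators"
}

$root = $env:SystemRoot

# 1. The live SAM hive (the registry copy of the hashes).
Test-RestrictedAcl "$root\system32\config\sam"

# 2. The Rdisk staging directory and any compressed hive copies inside it.
Test-RestrictedAcl "$root\repair"
Get-ChildItem -LiteralPath "$root\repair" -File -ErrorAction SilentlyContinue |
    ForEach-Object { Test-RestrictedAcl $_.FullName }

# 3. Syskey mode. Assumption: the documented Lsa\SecureBoot value
#    (1 = key stored locally, 2 = startup password, 3 = key on floppy disk).
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
switch ($lsa.SecureBoot) {
    1       { 'Syskey: enabled, system key stored on this machine (first method)' }
    2       { 'Syskey: enabled, startup password required (third method)' }
    3       { 'Syskey: enabled, system key kept on a disk (second method)' }
    default { 'Syskey: SecureBoot value absent, hashes are not Syskey-protected' }
}
```

Inherited read entries for groups such as Users on the repair directory are exactly the weak default permissions the paragraph above warns about and should be removed.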
Backups. Hackers can restore system backups to scavenge the SAM database for password hashes. Therefore, you must store backup media in a secure place and closely control who has the Back up files and directories right on your network. By default, members of the administrators, server operators, and backup operators groups can back up files.