From: Laura A. Robinson (larobinsbellatlantic.net)
Date: Fri Nov 16 2001 - 10:28:13 CST

    Physical access to *any* machine is always a huge security hole. If you want
    to protect the local SAM information to a stronger degree, use syskey to
    require floppy at boot, or password at boot.

    Laura
    ----- Original Message -----
    From: "Anssi Porttikivi" <anssi.porttikiviteleware.fi>
    To: <focus-mssecurityfocus.com>
    Sent: Friday, November 16, 2001 8:57 AM
    Subject: RE: Cached Network Password

    Can you give us a pointer to some more articles? I am looking for an
    answer to the next question:

    AFAIK domain username and password hash pair is cached in the Registry
    SAM sub tree (or hive) in NT/2000. That part of the registry is the
    "hive" file in %SystemRoot%\System32\Config\SAM. So what goes to there,
    and what goes to HKLM\Security\policy\secrets?

    When I look at my "secrets" with Lsadump2, I see my FTP password to a
    remote machine in clear text, and I see in clear text one of my old
    domain passwords (the password -2, if current is zero)! Is this for
    checking that I don't re-use passwords? Pretty dangerous, I would say!
    I still use that same password somewhere else!

    -----Original Message-----
    From: Free, Bob [mailto:RWF4pge.com]
    Cc: 'focus-mssecurityfocus.com'
    Subject: RE: Cached Network Password

    HKLM\Security\policy\secrets can store cached credentials, web/ftp
    passwords and the machine account password as well as service accts.
    A good reference is
    http://razor.bindview.com/tools/desc/lsadump2_readme.html and HEW2K
    covers it nicely http://www.hackingexposed.com/win2k/home.html

    Exploits are generally referred to as the LSA secrets hack and there is
    a fair amount of information available on the net, even a Microsoft KB
    article.