NTSecAdvice Archives: Re: remote sam copy

Re: remote sam copy


Brian A Shea (Brian.A.SheaBANKOFAMERICA.COM)
Thu, 4 Nov 1999 08:44:13 -0800


I also suppose that it is obvious, but because no one has really stated it,
I'd like to add:

This information is very sensitive (especially if you use the /s switch and
get the SAM information to be in the repair directory). It is critical that
the ACLs on all directories containing this information are set
appropriately. The more locations that have this information, the more
places that you have to secure with tight ACLs.

IIRC, Administrator: Change(RXWD), System: Full Control(RXWDPO) is the
setting you want on these directories, but your network and support
structures may require additional entries.

Brian

> -----Original Message-----
> From: Ulises Gonzalez, Jr. [mailto:ugonzoMOSQUITONET.COM]
> Sent: Thursday, November 04, 1999 5:42 AM
> To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
> Subject: Re: remote sam copy
>
>
> David,
>
> I use the following procedure, which I found at http://www.jsiinc.com/.
> Bookmark the site. It has a ton of useful admin info.
>
> Tip 072 » Users never have a current ERD!
> In most sites, users rarely have a current ERD when they need one!
> Do it for them with this procedure:
>
> Use the scheduler (AT command) (or a good one like OpalisRobot) on each
> workstation to schedule a RDISK.exe /S-. The batch file to schedule is:
>
> %windir%\system32\rdisk.exe /s-
> %windir%\system32\xcopy.exe %windir%\repair\*.* \\YourServer\RepairShare$\%computername%\ /q /r /h
> exit
>
> where %computername% is a subdirectory of the hidden share on the Server,
> i.e., one for each workstation.
>
> When you need an ERD for that workstation, just format a diskette on your
> Server and copy the files from their wsX directory.
>
> The scheduler must be run under the system context and allowed to interact
> with the desktop or under the context of an administrative user. If you use
> the system account, you can't schedule the copy because the system account
> has no network access. Use a ROBOT account with a non-blank non-expiring
> password that is a member of the administrator group. Use full path names
> for all files. Here is a sample schedule for Workstation "wsA":
>
> AT \\wsA 01:00 /interactive /every:M,T,W,Th,F,S,Su \\YourServer\RepairShare$\Repair.bat
>
> You can dress up the Repair.bat with logging, messaging, etc
>
> Regards,
> Ulises
>
>
> -----Original Message-----
> From: david nercle [mailto:dnercleNETSCAPE.NET]
> Sent: Wednesday, November 03, 1999 6:10 PM
> To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
> Subject: remote sam copy
>
>
> Does anyone know of a way to remotely copy open sam files from
> \winnt\system32\config?
> I've used utilities that can extract user names and password hashes on a
> local machine, by using system privileges (eg samdump2.exe), but nothing to
> do it remotely. I thought there might be some form of remote rdisk, but I
> haven't found this. I have admin privileges, so you think it would be possible
>
>
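The ACL advice at the top of this thread can be checked mechanically. The following PowerShell audit is an added example, not part of the original messages: it lists every Allow entry on the repair directories that belongs to a principal other than Administrators or SYSTEM. The root paths are assumptions (the share name is the placeholder used in the quoted tip), the allow-list should be extended with any additional entries your support structure requires, and the script checks which principals have access, not the exact rights each one holds.

```powershell
# Added example: audit ACLs on every directory that holds a copy of the repair files.
param(
    # Assumed locations: the local repair directory and the placeholder share from the tip.
    [string[]]$Roots = @("$env:windir\repair", '\\YourServer\RepairShare$')
)

# Well-known SIDs, so the check does not depend on localized account names.
$allowedSids = @(
    'S-1-5-32-544',  # BUILTIN\Administrators
    'S-1-5-18'       # NT AUTHORITY\SYSTEM (Local System)
)

function Get-UnexpectedAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Request identities as SIDs; include both explicit and inherited entries.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($allowedSids -contains $rule.IdentityReference.Value) { continue }
        [pscustomobject]@{
            Path      = $Path
            Sid       = $rule.IdentityReference.Value
            Rights    = $rule.FileSystemRights
            Inherited = $rule.IsInherited
        }
    }
}

$findings = foreach ($root in $Roots) {
    if (-not (Test-Path -LiteralPath $root)) {
        Write-Warning "Not found: $root"
        continue
    }
    # Check the root itself and each per-workstation subdirectory beneath it.
    $dirs = @($root) + @(Get-ChildItem -LiteralPath $root -Directory -Recurse |
        ForEach-Object { $_.FullName })
    foreach ($dir in $dirs) { Get-UnexpectedAce -Path $dir }
}

$findings | Sort-Object Path, Sid | Format-Table -AutoSize
# Non-zero exit code lets a scheduled job or monitoring wrapper flag a finding.
if ($findings) { exit 1 }
```

Run it on the server that hosts the share and on a sample of workstations, since every location that holds a copy needs the same ACLs.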



This archive was generated by hypermail 2.0b3 on Thu Nov 04 1999 - 11:37:38 CST