NTSecAdvice Archives: Re: remote sam copy

Re: remote sam copy


Gibson, Wayne (Wayne.GibsonWANG.COM)
Thu, 4 Nov 1999 15:12:27 -0500


I would be interested in anyone's experience with syskey. Doesn't seem to
be in wide use perhaps due to the increased administrator headaches it can
cause (Q143475). I don't know whether to recommend it to my clients or not.

-----Original Message-----
From: THOMSON, Brian, GFM [mailto:Brian.ThomsonNATWESTGFM.COM]
Sent: Thursday, November 04, 1999 1:26 PM
To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
Subject: Re: remote sam copy

Also, it is worth mentioning that syskey.exe from SP2 (or 3?) onwards can be
used to encrypt the SAM database. It isn't foolproof (as there are tools to
bypass the encryption), but it stops l0phtcrack from working....

-----Original Message-----
From: Brian A Shea [mailto:Brian.A.SheaBANKOFAMERICA.COM]
Sent: 04 November 1999 16:44
To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
Subject: Re: remote sam copy

I also suppose that it is obvious, but because no one has really stated it,
I'd like to add:

This information is very sensitive (especially if you use the /s switch and
get the SAM information to be in the repair directory). It is critical that
the ACLs on all directories containing this information are set
appropriately. The more locations that have this information, the more
places that you have to secure with tight ACLs.

IIRC, Administrator: Change(RXWD), System: Full Control(RXWDPO) is the
setting you want on these directories, but your network and support
structures may require additional entries.

Brian

> -----Original Message-----
> From: Ulises Gonzalez, Jr. [mailto:ugonzoMOSQUITONET.COM]
> Sent: Thursday, November 04, 1999 5:42 AM
> To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
> Subject: Re: remote sam copy
>
>
> David,
>
> I use the following procedure, which I found at
> http://www.jsiinc.com/.
> Bookmark the site. It has a ton of useful admin info.
>
> Tip 072 » Users never have a current ERD!
> In most sites, users rarely have a current ERD when they need one!
> Do it for them with this procedure:
>
> Use the scheduler (AT command) (or a good one like OpalisRobot) on each
> workstation to schedule a RDISK.exe /S-. The batch file to schedule is:
>
> %windir%\system32\rdisk.exe /s-
> %windir%\system32\xcopy.exe %windir%\repair\*.* \\YourServer\RepairShare$\%computername%\ /q /r /h
> exit
>
> where %computername% is a subdirectory of the hidden share on the Server,
> i.e., one for each workstation.
>
> When you need an ERD for that workstation, just format a diskette on your
> Server and copy the files from their wsX directory.
>
> The scheduler must be run under the system context and allowed to interact
> with the desktop or under the context of an administrative user. If you use
> the system account, you can't schedule the copy because the system account
> has no network access. Use a ROBOT account with a non-blank non-expiring
> password that is a member of the administrator group. Use full path names
> for all files. Here is a sample schedule for Workstation "wsA":
>
> AT \\wsA 01:00 /interactive /every:M,T,W,Th,F,S,Su \\YourServer\RepairShare$\Repair.bat
>
> You can dress up the Repair.bat with logging, messaging, etc.
>
> Regards,
> Ulises
>
>
> -----Original Message-----
> From: david nercle [mailto:dnercleNETSCAPE.NET]
> Sent: Wednesday, November 03, 1999 6:10 PM
> To: WIN2KSECADVICELISTSERV.NTSECURITY.NET
> Subject: remote sam copy
>
>
> Does anyone know of a way to remotely copy open sam files from
> \winnt\system32\config?
> I've used utilities that can extract user names and password hashes on a
> local machine, by using system privileges (eg samdump2.exe), but nothing
> to do it remotely. I thought there might be some form of remote rdisk,
> but I haven't found this. I have admin privileges, so you think it would
> be possible
>
>
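
The ACL recommendation in Brian Shea's reply, turned into a check (an added example, not part of any message in the thread): it parses `cacls`-style listings for each directory holding repair copies and flags entries outside that policy. The account spellings, the listing layout, the `D:\RepairShare` path and the sample listings are assumptions constructed for illustration.

```python
import re

# Ceiling per account, from the reply in the thread: Administrator = Change,
# System = Full Control. The exact account spellings are assumptions.
POLICY = {"BUILTIN\\Administrators": "C", "NT AUTHORITY\\SYSTEM": "F"}
# Single-letter rights in a cacls-style listing; R and W both sit below C.
RANK = {"N": 0, "R": 1, "W": 1, "C": 2, "F": 3}
# account:(optional inheritance flags)right, e.g. Everyone:(OI)(CI)R
ACE = re.compile(r"^(.+?):((?:\([A-Z]+\))*)([NRWCF])$")

def audit(path, listing):
    """Return (path, account, problem) tuples for one directory's listing."""
    lines = [l for l in listing.splitlines() if l.strip()]
    if not lines or not lines[0].lower().startswith(path.lower()):
        return [(path, None, "listing does not start with the expected path")]
    lines[0] = lines[0][len(path):]  # first entry shares a line with the path
    findings = []
    for line in lines:
        m = ACE.match(line.strip())
        if not m:  # e.g. a special-access entry: leave it to a human
            findings.append((path, line.strip(), "unparsed entry, review by hand"))
            continue
        account, _flags, right = m.groups()
        ceiling = next((v for k, v in POLICY.items()
                        if k.lower() == account.lower()), None)
        if ceiling is None:
            if right != "N":  # an explicit no-access entry is not an exposure
                findings.append((path, account, "account not in policy"))
        elif RANK[right] > RANK[ceiling]:
            findings.append((path, account, f"{right} exceeds {ceiling}"))
    return findings

def audit_all(listings):
    """Audit every location that holds a copy of the repair files."""
    return [f for path, text in listings.items() for f in audit(path, text)]

SAMPLE = {  # constructed listings, not captured output
    r"C:\WINNT\repair": r"""C:\WINNT\repair BUILTIN\Administrators:C
                NT AUTHORITY\SYSTEM:F
""",
    r"D:\RepairShare\wsA": r"""D:\RepairShare\wsA Everyone:(OI)(CI)R
                   BUILTIN\Administrators:(OI)(CI)F
                   NT AUTHORITY\SYSTEM:(OI)(CI)F
""",
}

if __name__ == "__main__":
    for finding in audit_all(SAMPLE):
        print(finding)
```

Each extra location that receives the repair files is one more key in the dictionary passed to `audit_all`, which mirrors the point in the thread that every copy needs its own tight ACL.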



This archive was generated by hypermail 2.0b3 on Thu Nov 04 1999 - 15:38:27 CST