Win2003: How to protect against this hack?


  • Win2003: How to protect against this hack?

    Hi All

    We have a Windows 2003 server, and we need to be sure it is 100% secure.

    In theory NOBODY except somebody holding a valid login/password should be able to access it.

    However we cannot physically secure the server. It will not be publicly available, but in a server room where at least a team of people would have access to it.

    I understand from the information on this page: http://www.petri.com/reset_domain_ad...er_2003_ad.htm that the password from the local and domain admin accounts can be exposed and/or changed.

    Is there any way to prevent this? Can we do anything, to protect against this hack? The main requirement is that the user should have access to the local Administrator password and physical access to the server. Assuming we cannot block physical access, how can we restrict or otherwise disable the local administrator account? As I understand, there are many Linux boot CDs with tools that allow you to change the Local admin password and re-enable the account if it is disabled.

    Is there any way to stop that or otherwise prevent the process of gaining access to the domain admin account?

    Thanks for your advice...

    Ron

  • #2
    Re: Win2003: How to protect against this hack?

    Physical security is a must tbh.
    Windows and Linux platforms can be compromised when someone with the knowledge and tools has access to the physical machine.

    Having said that, are the people in the room of technical ability to do (and desire) such a thing? If so, get it secure!



    • #3
      Re: Win2003: How to protect against this hack?

      I understand the importance of physical security, but we do not always have total control over that. If we could have 100% physical security that would solve the problem.... but in this case it is not possible. And actually 100% vs. 99% is even usually not possible. So we need to have more security at the logical level. And this hack is easy enough that it does not require a high level of technical ability.

      So we need to make the task as difficult as possible...



      • #4
        Re: Win2003: How to protect against this hack?

        You could try enabling some type of SmartCard security on the server.



        • #5
          Re: Win2003: How to protect against this hack?

          There are a few things you can do, but none of these actually solve your problem the bulletproof way. Disable PXE / DVD / USB boot from BIOS setup and set a password to prevent BIOS changes. This way the machine is hard to boot into another OS.

          How about putting the server on a rack and locking it? Here are some examples about locking kits. I'm sure your local rack vendor can provide similar solutions.

          A cheap solution would be removing the DVD drive and stuffing glue into USB ports in order to stop USB/DVD boot.

          -P



          • #6
            Re: Win2003: How to protect against this hack?

            Seems like a link to the 10 Immutable Laws of Security is in order.
            Pay attention to number 3.....
            http://technet.microsoft.com/en-us/l.../cc722487.aspx

            Nothing is impossible, just too hard or expensive.
            "...if I turn out to be particularly clear, you've probably misunderstood what I've said" - Alan Greenspan



            • #7
              Re: Win2003: How to protect against this hack?

              I understand what everybody is saying about physical security... and we will secure the box as much as possible.

              Nevertheless, this hack depends only on booting a disk; it is not like we're talking about opening the server and removing disks to connect them elsewhere. It is essentially a software attack. So I'm surprised there is no "logical" defence from it...



              • #8
                Re: Win2003: How to protect against this hack?

                The problem is that there isn't any security that the OS can perform that can prevent the user from power cycling the server with a bootable CD in the drive that has utilities for them to reset the password. The only thing I can think of is to enable a boot password in the BIOS if your BIOS has this option. Then if someone power cycles the server, the boot process won't run without entering the password.



                • #9
                  Re: Win2003: How to protect against this hack?

                  Originally posted by joeqwerty:
                  "The problem is that there isn't any security that the OS can perform that can prevent the user from power cycling the server with a bootable CD in the drive that has utilities for them to reset the password. The only thing I can think of is to enable a boot password in the BIOS if your BIOS has this option. Then if someone power cycles the server, the boot process won't run without entering the password."

                  and of course neither will the regular OS.........
                  I can just see a remote reboot and headsmacking when it does not come back up.



                  • #10
                    Re: Win2003: How to protect against this hack?

                    True, that's the downside unless the OP has an IP KVM to access the POST remotely in order to provide the password. In light of the OP's particular situation, this might be the best he can hope for.



                    • #11
                      Re: Win2003: How to protect against this hack?

                      I'm just amazed that all it takes is booting a disk to essentially get full access to the system as an administrator in a few minutes. And it is surprising to me that MS or somebody else has not found a viable defence to make the process much more difficult.



                      • #12
                        Re: Win2003: How to protect against this hack?

                        Well you have to think about it as a separation of the physical security from the logical security.

                        How is Microsoft going to protect the physical power button or power cord? If I turn the server off or pull the power cord and then I put a bootable CD with hacker tools in the CD drive and power up the server and the BIOS is set to boot from the CD, how is Microsoft or Linux or anyone else going to protect against that?

                        That's why physical security should be the first step in securing your computing systems.



                        • #13
                          Re: Win2003: How to protect against this hack?

                          I am not arguing that physical security is not important!

                          But sometimes it is just not possible. So I am asking for your advice for a solution in this situation.

                          The answer of "just give up, there is no way to defend against a kid cracking your system with a disk he downloaded from the internet" is surprising... surely there must be a way to block it or make it much more difficult at a logical level.

                          How about using syskey to require a password at boot time? Is it easy to break that?



                          • #14
                            Re: Win2003: How to protect against this hack?

                            Originally posted by lewinr:
                            "physical security -- sometimes it is just not possible."

                            It's not that I want to be difficult, but your requirement is something like eating a cake and keeping it too: " ...100% secure. -- However we cannot physically secure the server."

                            You might consider HD or data encryption. Windows Server 2008 supports Bitlocker, so you might use it to crypt all the data. For additional security, store the decryption key on a separate USB stick and lock the stick in a safe. That way booting the server requires the USB memory to be present (in order to read & validate the decryption keys).

                            There are 3rd party crypt tools available too - for a price. Then again, W2k3 doesn't support Bitlocker, so upgrade to 2k8 is not a free solution either.

                            Some hard drives support hardware encryption. This prevents reading the disks on another computer, but it doesn't stop attacks on the local machine.

                            "How about using syskey to require a password at boot time? Is it easy to break that?"

                            It would make password cracking harder, but the disk contents themselves are still vulnerable. It would be trivial to inject a trojan on such a system.

                            -vP



                            • #15
                              Re: Win2003: How to protect against this hack?

                              I never said you should give up. It's just that your situation is difficult because you can't physically secure the server.

                              Also, I did mention several posts ago that you could password protect the boot process if your BIOS supports that option. Have you looked into it?

