Win2k + Syskey = Encrypted SAM

[Nullity]

Hey. I didn't know where else to post this question since it didn't seem to fit into any other forum.

Anyways, I have a Win2k machine and I want to test how strong the passwords are. I know I can use certain programs to directly get the hashes from the registry but you have to have admin access to use those. I use that program and it works very well. The problem is the computer is going to be in a public place where anyone can turn it on and off and use it. I know there are ways to get the SAM by using boot disk with NTFS support. My question is: If someone were to access the SAM file via boot disk, will they be able to extract the hashes from it (assuming Syskey is enabled)? Or will syskey prevent them from obtaining the hashes?

Thank you,
Null

This is the place to discuss the latest computer hardware issues and technology. Please keep the discussion ON TOPIC, and covering computer hardware ONLY.

AnandTech Moderator

 

[Jhereg]

Why not just disable the floppy drive in the BIOS and password the BIOS itself ?
Create numerious accounts, rename the admin account and disbale its rights , give rights to one of the other accounts.

 

[Nullity]

Well, thats the thing. The users will probably need to use the floppy. I have already set a BIOS password...but if you look hard enough, there are ways to get past it.

Null

 

[bocamojo]

Turning on syskey on your win2k box won't stop "hackers" who have access to your local machine from getting to your sam, and changing the admin password. They can turn off syskey, then change the admin password (with certain programs), although I hear this "feature" is a bit buggy, and unstable (but what do hackers care, as they will either get your admin account or crash your system). You should put up a camera in the room (active or not, it should have the same effect). That should be enough of a deterrent to most... and you really should consider locking down floppy, if this is really a concern...

 

[robg1701]

Just for laughs: if they need a floppy, disable the machines floppy and only let them have access to a floppy on a networked 486 box running Win95 and without any input/output devices, hehe

 

[Nullity]

Hrm. I've thought about having a workstation dedicated for floppy and printer..The only bad thing about that is there are about 5 workstations which would connect to it. Also, 2 of the workstations are in different rooms.

I know of those programs you talk about. They do work..I've tested it without any problems.

I guess there isn't much I can do except hope no one will mess around with them. Maybe I can buy 3 or 4 fake cameras...but then again, wouldn't that make them feel like its invasion of privacy?

Heh, anyone else have any ideas?

Thanks,
Null

 

[MedicBob]

Nullity,

It looks like you are looking for absolute security for your box. Hate to tell you, ain't going to happen. Best bet with direct access users is a background check, refrences, and prayer. Other than that there is always a way around any security mesures you place on a box.

Direct access allows any and all kinds of "issues" with a computer.

Don't give up, but don't be unrealistic either. Remove the floppy, physically that is. Remove the CD also. No access to load programs without a PW or user access then. Of course restrict all users to Guest with very limited useability and access. Then you have a pretty good secure system.

If you think it is unhackable, it isn't.

 

[Nullity]

Agreed.

What are some nice programs which help lock out a Windows 2k box? Such as restricted Start Menu, no control panel, etc. Preferrably free. =D

Thanks for all the help!
Null