The bane of an IT professional’s life is when administrator passwords are lost, stolen, or simply forgotten. For the unprepared, losing an admin password can cause extensive disruption to work flow and even business processes—not to mention the fact that it could be a potentially serious security problem. With that in mind, I’m going to explain the various approaches that can be taken when faced with this problem.

Words of warning

The methods described below are to be carried out at the administrator’s risk. The products described below will often work on both Windows NT and Windows 2000, but you should read the product documentation to make sure the product will work in your environment.

Preventative maintenance
First, if you have not instituted the following basic policies for administrator password protection, then you should do so as soon as possible.

  1. The administrator account should be renamed to something obscure.
  2. No one in the IT department should be using the administrator account to carry out systems maintenance. This includes any scheduled tasks, which should run under an account with appropriate privileges.
  3. Change the current administrator password and write the new one down without telling anyone what it is (if using Windows 2000, you may have a different password for Directory Services Restoration, which also needs to be kept safe); make a second hard copy; seal each in a separate envelope; and ask your boss to put one in the company safe and the other in an offsite safe.
  4. Give requisite (granular) administrator privileges to any IT professional user account that needs them. Verify that group memberships are appropriate and don’t conflict.
  5. Forget about the administrator account until you have a real need for it, and if you can’t remember the password, then you know where to find it (based on step three).

Recovering passwords
There are essentially two approaches to recovering passwords: cracking by brute force and resetting passwords. Various tools exist for both approaches. The brute force approach involves a dictionary attack against the security database. Resetting involves accessing a utility used to change passwords (e.g., User Manager in Windows) and resetting the administrator password to a known value.

Brute force
The best-known method for this approach is to use a program such as L0phtCrack. To use such a program, you first need to obtain a working copy of the SAM database, and to get this you need to use a boot disk of some flavor, possibly NTFSDOS from Winternals. Or, if you use a Linux disk, it must have NTFS file system drivers on it so that you can read and access any NTFS partitions. Once you’ve obtained the copy of the SAM database (usually at c:\winnt\system32), you can run it against the L0phtCrack application, which will grind away at password combinations until it gets a match.

The main attraction with this application is that it does not modify passwords and by extension does not modify the SAM database in any way, especially if you do the password cracking on a separate machine to the one you’re trying to log on to.

The L0phtCrack application is currently at version 4 and is called LC4. L0phtCrack claims that within 48 hours, a Pentium II 300-MHz machine can crack 90 percent of passwords. As you can see, the application can also help an administrator verify password complexity by offering password-auditing options.

If you’re going to go to the trouble of getting to the SAM for a brute force attack, you may want to consider just resetting the admin password you’ve lost. It will probably be a lot quicker. Resetting a password actually changes the security database by resetting the password hashes for a given account. This may or may not be acceptable, depending on the security policies in force in a particular organization.

It may also be a problem if there are a lot of administrators spread out geographically that rely on the admin password and a secure way of transmitting the new password is not very practical. There may also be services tied to the admin password on various machines and a change could cause problems on these systems.

Another item to bear in mind is SYSKEY. This is a key that is used to protect other keys, such as protection keys for passwords in the SAM. It is either enabled (via command line) or disabled. SYSKEY uses one of these options:

  • Computer-generated random keys to allow machine restarts
  • Computer-generated random keys stored on a floppy disk that is needed to restart a machine (more secure but virtually rules out remote restarts)
  • Administrator-chosen password that opens a prompt every time the machine is restarted

If admin account passwords are lost when SYSKEY is enabled, it may be problematic to access a system. If SYSKEY is in use, then make sure that password recovery tools can either cope with it or disable it altogether. Turning off the SYSKEY under Windows 2000 can compromise the SAM, so check with Microsoft if this is an issue you’re facing.

Winternals, the well-known source of Windows utilities and other software, offers a product called Locksmith, which is a password-reset tool. To use it, it must be installed on the machine with the lost password. You’ll need to log on as another user and run the Locksmith interface, which allows you to select the broken account and reset the password. It’s pretty much a point-and-click operation and it works on Windows NT and 2000.

Sunbelt Software offers a product called NTAccess that can reset passwords on Windows NT, 2000, and XP boxes, including servers running Active Directory. It does this using conventional Windows boot disks with additional few files that will trigger the software and permit a password reset. NTAcccess cannot disable Windows 2000 SYSKEY protection so the password for this must be known or the floppy disk storing it must be available. The application can, however, disable the NT 4 version of SYSKEY.

Using bootable Linux disks is yet another way of accessing the password database for a reset. There are various sources for such disk images online, and you can download one of the free disk images here. Essentially, once the disk image has been created on a floppy, the machine is booted and a series of Linux prompts then allow the admin password to be reset. This software has had documented problems accessing SCSI hard drives because of driver issues, and, even when these are available, the problem has not always been solved. However, if you’re in a real bind, it might be worth a shot.

Whatever solution is chosen, the administrator must be aware that all methods apart from L0phtcrack act upon the SAM database. Some of the Linux boot disk utilities leave a footprint that could allow subsequent access to the SAM database, creating a situation where security is compromised. As a result, good policies for password complexity are essential, and so is the basic physical security of servers, such as locking them away, setting the BIOS to boot from the hard drive first, and setting up a BIOS password.