
Document: Protecting SAM and Security Hives, part 1 (pptx)
Protecting SAM and Security Hives
Windows NT/2000, Windows XP, and Windows Server 2003 security information is
stored in the SAM (Security Accounts Manager) and Security registry hives.
Note: Although Microsoft introduced Active Directory (AD) starting with Windows
2000 (arguably the most complex of the new technologies, and in some ways a
further extension of the system registry), the SAM database has
retained its importance. In contrast to Windows NT 4.0 domain controllers, where
SAM used to be simply a registry hive, on native-mode Windows 2000 and
Windows Server 2003 domain controllers, the directory services database is stored
in the Ntds.dit file. The SAM is now part of the Active Directory, which serves as a
kind of "super-registry", storing all user and machine information, as well as a
whole host of other types of objects, including group policies and applications.
However, the SAM database continues to store local accounts (required to log on
locally). Furthermore, if your computer running Windows 2000, Windows
XP, or Windows Server 2003 does not participate in a domain, the SAM database
remains the main store of user and group account information. Among other
things, it is important to note that the Directory Service Restore Mode
Administrator password, which is separate from the Administrator password that is
stored in the Active Directory, resides in the local SAM
(%SystemRoot%\System32\Config\SAM).
The SAM hive contains user passwords as a table of hash codes; the Security hive stores
security information for the local system, including user rights and permissions, password
policies and group membership.
Note: The SAM information is encrypted. However, there are many utilities that allow
you to crack the SAM hive. The most common examples are PWDUMP, NT Crack,
and L0phtCrack (at the time of this writing, the latest version was LC4).
How to Protect the SAM Hive
Microsoft officially states that the best way to protect Windows NT/2000, Windows XP,
and Windows Server 2003 is to protect administrative passwords. This, however, isn't
enough. Many users can access the SAM and Security hives, including members of the
Backup Operators group, whose responsibility is registry backup.
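
The two exposure paths named above (Backup Operators membership and access to the hive files themselves) can be audited from an elevated prompt. This is an added example, not part of the original text; it assumes a current Windows system with Windows PowerShell 5.1 or later, since the LocalAccounts cmdlets it uses do not exist on the Windows versions the text covers.

```powershell
# Added example: audit who can reach the SAM and SECURITY hives.
# Assumes Windows PowerShell 5.1+ (Microsoft.PowerShell.LocalAccounts module)
# and an elevated prompt. Well-known SIDs are used so the check does not
# depend on the display language of the OS.
$BackupOperatorsSid = 'S-1-5-32-551'
$ExpectedSids = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544'    # BUILTIN\Administrators
)

# 1. Backup Operators members hold the backup privilege, which lets them
#    read the hives regardless of the file ACLs checked in step 2.
Get-LocalGroupMember -SID $BackupOperatorsSid |
    Format-Table Name, ObjectClass, PrincipalSource -AutoSize

# 2. File-system ACLs on the hive files under %SystemRoot%\System32\Config.
$configDir = Join-Path $env:SystemRoot 'System32\Config'
$findings = foreach ($hive in 'SAM', 'SECURITY') {
    $acl = Get-Acl -LiteralPath (Join-Path $configDir $hive)
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        try {
            # Translate the account name to a SID for a locale-independent match.
            $sid = $ace.IdentityReference.Translate(
                [System.Security.Principal.SecurityIdentifier]).Value
        } catch {
            $sid = $ace.IdentityReference.Value   # unresolved or orphaned entry
        }
        [pscustomobject]@{
            Hive       = $hive
            Identity   = $ace.IdentityReference.Value
            Rights     = $ace.FileSystemRights
            Unexpected = $ExpectedSids -notcontains $sid
        }
    }
}
$findings | Format-Table -AutoSize
```

Any row with `Unexpected` set to `True`, and any Backup Operators member that does not need to perform backups, is worth reviewing.
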
By default, no user (not even the Administrator) has the necessary access rights that
would allow them to access or view the SAM database using the registry editor.
However, the SAM and Security hives are stored on the hard disk, the same as all the
other files. All you need to do is get copies of these files. Of course, you can't do
this by simply copying the registry of the running Windows NT/2000, Windows XP, or