Today there was a pretty interesting issue in the Windows Server Newsgroups: "What to do if a Branch Office DC is not physically secured?"
OK - the first rule should be never to put a DC anywhere it is not physically secured from theft. But let's look more closely at what happens if someone gets hold of your DC.
If somebody gets physical access to a DC, first of all he gets full access to the local machine. That is not very difficult. So any readable local data on that DC is gone and known outside the company. To get further data out of the company, the attacker would need to crack the passwords stored on the DC and use those to get into the company network and retrieve data from other machines, or place a virus or trojan there.
Getting a domain administrator account is not very difficult once you are in as local administrator, but it will be either a new domain administrator or an old one with a changed password. After getting access to the DC as domain administrator it is quite likely that the attacker starts cracking the existing service or administrator passwords - those are useful for getting more information out of the remaining production environment.
Another option for the attacker would be to put that DC back into the domain after adding another administrative account. The DC will start replicating again and the new administrative account ends up on all DCs.
So here is my opinion on what you can do to protect yourself if your DC is stolen, until proper physical security for the DC is in place:
1. Prevent the storage of LM hashes of passwords, then change every password in the domain.
If the LM hash of a password is stored, password cracking tools can recover the password from it very quickly. If you configure your servers not to store it, you will need to change every password afterwards, because the setting only takes effect at the next password change.
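As an added example (not a script from the original post), the following Windows PowerShell checks and enforces the "do not store LM hash" setting on a DC and then lists the accounts whose password predates the change and therefore still needs to be reset. It assumes the ActiveDirectory module (RSAT) is installed; the registry value NoLMHash under the Lsa key is the one the Group Policy setting "Network security: Do not store LAN Manager hash value on next password change" writes, and it has to be set on every DC (or pushed by Group Policy).

```powershell
# Added example, not from the original post: enforce NoLMHash on this DC and report accounts
# whose password was last set before the change (they may still have an LM hash stored).
# Assumes Windows PowerShell on a DC with the ActiveDirectory module (RSAT).

Import-Module ActiveDirectory

$LsaKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-LmHashStorageState {
    # NoLMHash = 1 tells LSA to stop computing and storing the LM hash at the next password change.
    $item = Get-ItemProperty -Path $LsaKey -Name 'NoLMHash' -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        return 'NoLMHash not set: platform default applies (LM hash stored on Windows 2000/2003, not stored on Windows Server 2008 and later)'
    }
    if ($item.NoLMHash -eq 1) {
        return 'NoLMHash = 1: LM hashes are not stored for passwords changed from now on'
    }
    return "NoLMHash = $($item.NoLMHash): LM hashes are still stored"
}

function Disable-LmHashStorage {
    # Creates or overwrites the DWORD. Existing LM hashes stay in the directory until each
    # password is changed, which is why every password has to be changed afterwards.
    # Repeat on every DC, or set it domain-wide through Group Policy instead.
    Set-ItemProperty -Path $LsaKey -Name 'NoLMHash' -Value 1 -Type DWord
    return Get-LmHashStorageState
}

function Get-AccountsWithPossibleLmHash {
    # Enabled users whose password was last set before $Cutoff (the moment NoLMHash was active on
    # all DCs), or never set: these may still have an LM hash and need a password change.
    param([Parameter(Mandatory)][datetime]$Cutoff)
    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordLastSet |
        Where-Object { $null -eq $_.PasswordLastSet -or $_.PasswordLastSet -lt $Cutoff } |
        Select-Object SamAccountName, PasswordLastSet
}

# Usage: enable the setting, record the time, and list who still has to change their password.
Disable-LmHashStorage
$cutoff = Get-Date
Get-AccountsWithPossibleLmHash -Cutoff $cutoff | Format-Table -AutoSize
```

The report is the input for the password-change process: an account listed here keeps its old LM hash in ntds.dit until its password is actually changed, no matter what the registry says.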
2. Use complex and long passwords; beyond 20 characters are good passwords.
Use phrases instead of words. The attacker will get into the local system very fast and has access to all data on that DC. To attack the rest of the domain, he needs one of the existing domain administrative accounts or he needs to get the DC back into the domain. To keep him from getting the other passwords quickly, prevent LM hashes and use long and complex passwords; this buys you some time to change the passwords in the domain after the DC goes missing.
Passwords are not stored using reversible encryption (hopefully, and by default), so the attacker needs a tool which tries to "guess" the right password. Getting into the ntds.dit file won't help here by itself; that would only help if the password were stored using reversible encryption.
If you have a plaintext passphrase which is not complex it might not hold up very long in the future. Make sure that it is complex and does not just consist of dictionary words. The main point is that we have to force password cracking tools into a brute force attack, that is, trying every possible combination of the character set in use. Against a password like that, the time to crack it grows exponentially with its length.
3. Use randomly generated, very long passwords for service accounts.
For your service accounts you can use very long, completely randomly generated passwords: create a script which changes the account password and the credentials of the service at the same time, so there is no need to store the password anywhere else. If you ever need the password, simply change it again randomly.
4. Educate your users to use complex and long passphrases as well.
5. Implement and test processes to change all passwords (including those of service accounts) in a short time.
You need to be able to change the passwords in less time than the attacker, with the DC in his possession, needs to crack them. Steps 1 to 4 above will help you increase that time from seconds to hopefully a few days.
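The service-account script from step 3 and the bulk password change from step 5, written out as an added example that is not the post's own code. It assumes the ActiveDirectory module (RSAT), rights to reset the account in AD and to manage services on the target hosts over WinRM/CIM; the account name 'svc-backup' and the host names 'APP01' and 'APP02' are placeholders. The password is generated from the OS random number generator, written into AD and into every service that logs on as that account in one pass, and then dropped: nobody ever has to know it.

```powershell
# Added example, not the post's own script: rotate a service account to a fresh random password
# and update every Windows service running under it in the same step; then the "all users must
# change their password" part of the emergency process.
# Assumes the ActiveDirectory module (RSAT) and admin rights on the listed hosts (placeholders).

Import-Module ActiveDirectory

function New-RandomPassword {
    # 48 bytes from the OS CSPRNG become 64 Base64 characters, well beyond the 20-char minimum.
    param([int]$ByteCount = 48)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] $ByteCount
    $rng.GetBytes($buffer)
    return [Convert]::ToBase64String($buffer)
}

function Reset-ServiceAccountPassword {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string[]]$ComputerName
    )
    $user   = Get-ADUser -Identity $SamAccountName
    $domain = (Get-ADDomain).NetBIOSName
    # Services may reference the account as DOMAIN\name or as its UPN.
    $logonNames = @("$domain\$SamAccountName", $user.UserPrincipalName) | Where-Object { $_ }

    $plain  = New-RandomPassword
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

    # 1. Reset the password in AD; -Reset means the old password is not needed.
    Set-ADAccountPassword -Identity $SamAccountName -NewPassword $secure -Reset

    # 2. Push the same password into each service that logs on as this account and restart it.
    $updated = @()
    foreach ($computer in $ComputerName) {
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer |
            Where-Object { $logonNames -contains $_.StartName }
        foreach ($svc in $services) {
            # Win32_Service.Change with only StartPassword leaves every other property as it is.
            $result = Invoke-CimMethod -InputObject $svc -MethodName Change -Arguments @{ StartPassword = $plain }
            if ($result.ReturnValue -ne 0) {
                Write-Warning "$computer/$($svc.Name): Change returned $($result.ReturnValue)"
                continue
            }
            if ($svc.State -eq 'Running') {
                Invoke-CimMethod -InputObject $svc -MethodName StopService | Out-Null
                Start-Sleep -Seconds 5
                Invoke-CimMethod -InputObject $svc -MethodName StartService | Out-Null
            }
            $updated += "$computer/$($svc.Name)"
        }
    }
    # $plain goes out of scope here; the next rotation simply generates a new one.
    return $updated
}

function Set-AllUsersMustChangePassword {
    # Force interactive users to pick a new password at next logon instead of handing out new
    # ones by hand. Accounts flagged PasswordNeverExpires reject this and are reported instead.
    Get-ADUser -Filter 'Enabled -eq $true' -Properties PasswordNeverExpires |
        ForEach-Object {
            if ($_.PasswordNeverExpires) {
                Write-Warning "$($_.SamAccountName): PasswordNeverExpires is set, handle manually"
            } else {
                Set-ADUser -Identity $_ -ChangePasswordAtLogon $true
            }
        }
}

# Usage with placeholder names:
Reset-ServiceAccountPassword -SamAccountName 'svc-backup' -ComputerName 'APP01', 'APP02'
Set-AllUsersMustChangePassword
```

Run the rotation on a schedule (and once more, immediately, when a DC goes missing); the list of hosts per service account is the part of this process that has to be maintained and tested in advance, because a service whose host is not on the list keeps the old password and stops at its next restart.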
6. Implement a process which defines what to do when a DC is stolen.
e.g. delete the computer account of that DC immediately (to prevent it getting back on the network after it has been compromised and an additional administrator created), change the passwords of all accounts, and perform a metadata cleanup of your domain.
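The "DC is stolen" steps as an added example, not a procedure from the original post: it runs on a surviving DC with Domain Admin rights and the ActiveDirectory module (RSAT), seizes any operations master roles the missing DC held, removes its NTDS Settings object (which on Windows Server 2008 and later performs the metadata cleanup that ntdsutil did on older versions), and deletes its server object and computer account so the box cannot rejoin with its old identity. 'DC-BRANCH01' and 'DC-HQ01' are placeholder names.

```powershell
# Added example, not the post's own procedure: remove a stolen DC from the domain.
# Run on a healthy DC, never on the missing one. Assumes the ActiveDirectory module (RSAT),
# Domain Admin rights, and placeholder DC names. Password changes are a separate step.

Import-Module ActiveDirectory

function Remove-StolenDomainController {
    param(
        [Parameter(Mandatory)][string]$StolenDC,    # name of the missing DC
        [Parameter(Mandatory)][string]$SurvivorDC   # healthy DC that seizes roles and does the cleanup
    )
    # Read the DC object from the directory (the stolen DC itself is not contacted).
    $dc = Get-ADDomainController -Filter "Name -eq '$StolenDC'" -Server $SurvivorDC
    if ($null -eq $dc) { throw "No domain controller named $StolenDC found in the directory" }

    $domain = Get-ADDomain -Server $SurvivorDC
    $forest = Get-ADForest -Server $SurvivorDC

    # 1. Seize any FSMO role the stolen DC held so the domain keeps working without it.
    $roles = @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
    foreach ($role in $roles.Keys) {
        if ($roles[$role] -ieq $dc.HostName) {
            Move-ADDirectoryServerOperationMasterRole -Identity $SurvivorDC -OperationMasterRole $role -Force -Confirm:$false
        }
    }

    # 2. Metadata cleanup: deleting the NTDS Settings object removes the DC from the replication
    #    topology; then remove its server object from Sites and its computer account.
    Remove-ADObject   -Identity $dc.NTDSSettingsObjectDN -Recursive -Confirm:$false -Server $SurvivorDC
    Remove-ADObject   -Identity $dc.ServerObjectDN       -Recursive -Confirm:$false -Server $SurvivorDC
    Remove-ADComputer -Identity $dc.ComputerObjectDN     -Confirm:$false -Server $SurvivorDC
    # The DC's host and SRV records in DNS are removed separately through the DNS management tools.

    # 3. Verify: no replication partner on the survivor should still reference the stolen DC.
    Get-ADReplicationPartnerMetadata -Target $SurvivorDC |
        Where-Object { $_.Partner -like "*$StolenDC*" }
}

Remove-StolenDomainController -StolenDC 'DC-BRANCH01' -SurvivorDC 'DC-HQ01'
```

Once this has run, the stolen machine still holds a copy of the directory, but its computer account and replication identity are gone, so even with an added administrator it cannot replicate that account back into the domain. The password changes for all accounts (including the service accounts) are what remove the value of the copy it still has.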
7. Never ever put a missing DC back into your domain without a 100% reinstallation.
If you get your DC back you really need to reinstall it - you can't trust it anymore. There might be viruses, trojans or accounts installed that you most likely don't want in your domain.
If you follow these steps, then when your DC is stolen the attackers get all the data on that DC; however, if you prevent them from cracking the domain accounts fast (steps 1 to 4 above), you have some time (a few days instead of seconds) to carry out the other steps (5 and 6) and keep them out of the rest of the network.
And take care of point 7 - very important.
Another major misunderstanding: automatic locking of accounts would not help you here - the attacker is already in possession of the DC and can change that setting before attacking the accounts.
That's just my opinion - I'm really curious what you think.
Ulf B. Simon-Weidner