Windows 2000/XP Security Basics

©InsidePro Software

Introduction

Microsoft Windows 2000 and Windows XP, both built on the Windows NT kernel, are very popular today. They are deployed far more widely than the other Windows systems, so their security is one of the key issues of modern computer security.

In this article we cover the basics of Windows 2000/XP security and give practical tips on configuring a workstation running these systems to be as well protected as possible.

The single most important issue in Windows 2000/XP security is the safekeeping of administrator passwords, i.e. the passwords of accounts with Administrator privileges, because those passwords grant full access to the computer both locally and over the network. So we start with a description of how Windows 2000/XP stores and checks login credentials.

Password Storage under Windows 2000/XP

All local account data is stored in the registry hive HKEY_LOCAL_MACHINE\SAM (SAM: Security Account Manager). Like every other Windows 2000/XP registry hive, it lives "physically" on disk in the %SystemRoot%\System32\Config directory, in a file named SAM. Note that by default this file cannot be read even by the Administrator, but it can still be obtained (how is described later). The SAM file, and the other extensionless hive files in that directory (system, software, etc.), are inaccessible because Windows 2000/XP uses the registry "on the fly": changes take effect immediately without a reboot, and the price the system pays for that is exclusive access to the hive files while it is running. Recall that the Windows 95/98/ME registry is stored in system.dat and user.dat, which are loaded once at boot, so applying registry changes there requires a reboot.

Windows 2000/XP does not store user passwords in the clear but as hashes, i.e. effectively as a "checksum" of the password. Let's look at password storage in more detail. The most interesting structure in the fairly complex SAM file layout is the so-called V block. The part of it that matters here is 32 bytes long and holds the two hashes of the password: the 16-byte NT hash, used for local logon, and the 16-byte LanMan hash (LM hash), kept for compatibility with LAN Manager-style network authentication to shared resources on other computers. These hashes are generated as follows:

NT-hash forming:

  1. The user's password is converted to a UTF-16LE (Unicode) string.
  2. The hash is computed by applying MD4 to that string. Note that there is no salt at this stage: two users with the same password have the same NT hash.
  3. Before being written to the SAM, the hash is encrypted with DES using keys derived from the user's RID (the user identifier). This is what makes the stored values differ for users with the same password; once the hashes are extracted and this layer is removed, identical passwords give identical hashes again. Recall that all users have different RIDs (the built-in Administrator account has RID 500, the built-in Guest account RID 501, and user-created accounts get RIDs 1000, 1001, 1002, etc.).

LM-hash forming:

  1. The password is converted to uppercase and padded with null bytes to a length of 14 bytes (longer passwords cannot be represented at all; see below).
  2. The result is split into two 7-byte halves, and each half is used as a DES key to encrypt a fixed 8-byte constant ("KGS!@#$%"). Each half yields 8 bytes of ciphertext, and the two concatenated give the 16-byte LM hash.
  3. The LM hash is then encrypted for storage exactly as described in step 3 of the NT hash algorithm.

To improve password storage security, starting with Windows NT 4.0 Service Pack 3 (and in all later NT systems up to Windows Server 2003) the resulting hashes are additionally encrypted under a key derived by the Syskey utility. I.e. a step 4 is added to both algorithms above: the value obtained in step 3 is encrypted once more with the Syskey-derived key before it is stored.

Retrieving SAM File and Hash Import

As said above, there is no way to read or edit this file while Windows is running. An attempt to open it fails with a sharing violation, because the system keeps it open exclusively, so only Windows itself can read or write it.

However, we can still get both the data in this file and the file itself.

The data can be read from the running system, but only when logged on as Administrator. There are two methods. The first is the PWDUMP method (used by PWDUMP, LC4 and others): the program attaches to the LSASS system process and, using its privileges (and its functions), reads the hashes from the SAM registry hive, i.e. directly from the SAM file. The second is the Scheduler method (used by SAMInside). By default the Windows 2000/XP Task Scheduler runs as the SYSTEM account, i.e. with full access to the system, so if we schedule a task that saves the registry hive to a file, the hive is written to disk and all users' hashes can then be extracted from that copy.

But what if we do not have the Administrator password, and thus not its privileges?

Then the attacker has to get at the disk offline. If several operating systems are installed, it is possible to boot another one, access the Windows 2000/XP system disk from there, copy the SAM file to a different folder and later import it into a password recovery program.

Moreover, there are programs which can directly modify the data in the SAM file, changing and adding users and their passwords (for example, Offline NT Password & Registry Editor). This also requires booting another system with full access to the Windows 2000/XP system disk.

Even if the Windows system disk is formatted with NTFS, which DOS cannot read natively, this can still be done with a boot floppy created by NTFSDos Pro: after booting from the floppy, mount the required NTFS partition and copy the needed files.

If you administer a network server running Windows 2000/XP whose users log on with local accounts on that server, keep in mind that if your SAM file is stolen, the attacker gets not only your password but also the Windows login passwords of all those users, because their accounts are stored on your server.

As said before, modern NT systems additionally encrypt the hashes with Syskey. Until recently, hashes from a SAM file copied from such a system could not be decoded, because the algorithm is fairly complex, had never been published and had hardly been analyzed. Now the SAMInside program can extract hashes from SAM files encrypted this way. However, to decode the hashes the program also needs the SYSTEM file located in the same folder as the SAM file, because it holds the registry keys from which the Syskey (boot) key is reconstructed. This file is also locked by the running system, but, as we saw above, it can be copied the same way as the SAM file. Note that this works only in the default Syskey mode, where the key is kept in the registry; if Syskey was configured to derive the key from a startup password or to store it on a floppy, the SYSTEM hive alone is not enough.

Aforesaid leads to the following recommendations:

• There should be no other operating system (Windows 98/ME, Linux, etc.) on your computer besides the one you work in, Windows 2000 or Windows XP.

• The system disk must use the NTFS file system, with strictly assigned access rights on its folders.

• Booting from devices other than the system disk (floppy, CD-ROM, external drives, etc.) must be restricted. To do that, allow booting from the system disk only and set a password on the BIOS setup. To prevent the BIOS password from being cleared by resetting the CMOS on the motherboard, seal the computer case or place the computer where nobody but you has physical access. Recent BIOS versions no longer accept the "universal" backdoor passwords of older firmware (such as "AWARD_SW" for early AWARD BIOSes), so once physical access is excluded, bypassing the BIOS password becomes very hard. Keep in mind, though, that none of this protects against simply removing the disk and reading it in another machine; only encryption of the data on the disk does.

• Minimize the number of server reboots and restrict the right to shut down or reboot the system to the Administrator account only.

Recovery of Users Passwords

There are not many programs on the market for recovering Windows 2000/XP passwords, so the existing ones are well known: LC4 by @stake (http://www.atstake.com), Advanced NT Explorer by Elcomsoft (http://www.elcomsoft.com), and the SAMInside utility by InsidePro Software (http://www.insidepro.com). Microsoft seems in no hurry to change its authentication methods, so even Windows Server 2003 login passwords are recovered by the same utilities, and its version of the Syskey algorithm is the same.

MD4 and DES (used to form the NT hash and the LM hash) are considered one-way: their irreversibility has not been proven mathematically, but no practical method of inverting them is known. So directly extracting a password from its hash by mathematical means is not possible. The only way is to try candidate passwords, compute the hash of each, and compare it with the hash extracted from the SAM file. If a hash matches, the candidate that produced it is the sought password. So, to get the Administrator password, you need the SAM file and a password-cracking program.

Password recovery has a feature that is unpleasant for users (and pleasant for crackers). As we remember, the LM hash is formed from two 7-character halves of the 14-character source password, and each half is hashed independently. So to recover a 14-character password over an N-symbol alphabet you need to try not N^14 candidates but at most 2 * N^7, which is incomparably fewer! For example, when recovering the password "MARGARITA" with SAMInside using only Latin letters, the second half, "TA", is found almost immediately, and the first half, "MARGARI", after a while, because the program checks both halves simultaneously.

So a seemingly "difficult" 14-character password is recovered from its LM hash as easily as two "simple" 7-character ones. Moreover, the password is converted to uppercase before LM hashing, so "ADMIN", "Admin" and "admin" all have the same LM hash!

The NT hash is entirely different. The password is not "broken" into halves, the maximum password length is 128 characters, and letter case is preserved. So the three passwords above have different NT hashes!

Accordingly, to recover a password composed of Latin letters from an NT hash we need a 52-symbol alphabet (26 uppercase and 26 lowercase letters), not the 26 uppercase letters that suffice against an LM hash.
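The following is an added example, not code from InsidePro or from the article. It implements the NT hash construction described above (UTF-16LE password, then MD4), the LM preprocessing (uppercase, NUL-pad to 14 bytes, split into two 7-byte DES keys; the DES step itself is omitted because DES is not in the Python standard library, so this function only shows why the halves are attacked separately), and the try-hash-compare loop that every cracker performs. MD4 is written out in full because hashlib.new("md4") is unavailable on many current OpenSSL builds. The wordlist at the bottom is constructed for the demonstration, and the ASCII encoding assumed for the LM preprocessing is a simplification (Windows uses the OEM code page).

```python
import struct
from typing import Iterable, Optional, Tuple

_MASK = 0xFFFFFFFF


def _rotl(x: int, n: int) -> int:
    return ((x << n) | (x >> (32 - n))) & _MASK


def md4(data: bytes) -> bytes:
    """RFC 1320 MD4 digest (16 bytes), pure Python."""
    msg = data + b"\x80"                                   # padding: 0x80 ...
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)           # ... zeros to 56 mod 64 ...
    msg += struct.pack("<Q", (len(data) * 8) & 0xFFFFFFFFFFFFFFFF)  # ... bit length, LE
    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # per round: mixing function, additive constant, message-word order, shifts
    rounds = (
        (f, 0x00000000, list(range(16)), (3, 7, 11, 19)),
        (g, 0x5A827999, [(i % 4) * 4 + i // 4 for i in range(16)], (3, 5, 9, 13)),
        (h, 0x6ED9EBA1, [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15], (3, 9, 11, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, const, order, shifts in rounds:
            for i, k in enumerate(order):
                a = _rotl((a + func(b, c, d) + x[k] + const) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c
        a0, b0, c0, d0 = ((a0 + a) & _MASK, (b0 + b) & _MASK,
                          (c0 + c) & _MASK, (d0 + d) & _MASK)
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash as hex: MD4 over the UTF-16LE password.  There is no salt and
    no RID here; the per-RID DES layer exists only in the on-disk SAM format,
    so two users with the same password have the same NT hash once extracted."""
    return md4(password.encode("utf-16-le")).hex()


def lm_key_halves(password: str) -> Tuple[bytes, bytes]:
    """LM preprocessing: uppercase, NUL-pad (or truncate) to 14 bytes, split
    into the two 7-byte DES keys.  In Windows each key encrypts the constant
    b"KGS!@#$%" and the two 8-byte ciphertexts form the LM hash; that DES step
    is omitted here.  ASCII with '?' replacement is an assumption of this
    example; Windows uses the OEM code page."""
    padded = password.upper().encode("ascii", "replace")[:14].ljust(14, b"\x00")
    return padded[:7], padded[7:]


def crack_nt_hash(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """The only attack the article describes: hash every guess and compare."""
    target = target_hex.lower()
    for guess in candidates:
        if nt_hash(guess) == target:
            return guess
    return None


if __name__ == "__main__":
    print("NT(password) =", nt_hash("password"))
    print("NT(Admin)    =", nt_hash("Admin"))
    print("NT(admin)    =", nt_hash("admin"))          # case matters for the NT hash
    print("LM halves    =", lm_key_halves("MARGARITA"))  # the 'TA' half is trivial
    wordlist = ["admin", "Password", "margarita", "password"]  # constructed wordlist
    print("cracked      =", crack_nt_hash(nt_hash("password"), wordlist))
```

Running the script prints the well-known NT hash of "password" (8846f7eaee8fb117ad06bdd830b7586c), shows that "Admin" and "admin" hash differently, and that "MARGARITA" splits into the keys b"MARGARI" and b"TA\x00\x00\x00\x00\x00", i.e. the second LM half has only two unknown characters.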

Important note: when the password is longer than 14 characters, Windows 2000/XP cannot form an LM hash at all, so only the NT hash is stored. As mentioned above, recovering an NT hash is much harder. LM hash storage can also be disabled manually in the registry. Under Windows XP, create a DWORD value named "NoLMHash" with value 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa (under Windows 2000 SP2 and later it is a subkey named NoLMHash rather than a value). Note that the setting only affects passwords set after it is applied: the LM hash is computed when the password is changed, so existing LM hashes stay in the SAM until each user changes their password.

So, keep in mind:

• Make your Windows login passwords longer than 14 characters, or disable LM hash storage, leaving a potential cracker only the NT hash to attack.

• Include both uppercase and lowercase letters in your password!

Of course, there are methods other than full brute force, for example hybrid, mask and dictionary attacks. These are more efficient than exhaustive search and sometimes find passwords much faster. So let's talk about choosing passwords that are hard or practically impossible to recover.

Forming Secure Password

There is a common misconception that a long password is a strong password. Not at all! Is "12345678901234567890" a strong password? It can be typed in a few seconds; there is nothing difficult about it. Or "administrator12345"? Or "qwertqwertqwertqwert"? Remember that a long password is not necessarily a strong one. The passwords above may be usable in practice, but they are still attackable. But don't we want an absolutely "bulletproof" password?

Let's see how many combinations are needed to try all 7-character passwords over Latin letters alone. Right: 26^7. And if we add digits? Then it is 36^7, appreciably more. So it's that simple: the more symbols from different character sets you include, the harder it is for a cracker to recover your password, because the brute-force alphabet must include all of them. It's easy to calculate that brute-forcing all 7-character passwords over uppercase Latin letters (26 symbols), digits (10), special symbols !@#$%... (32) and the space, 69 symbols in total, at 5 million passwords per second takes about 17 days (69^7 is roughly 7.4 * 10^12). And what if the password is longer than 7 characters: 10, 14, 20...? Such a time cost will hardly satisfy any attacker. Keep in mind that 5 million per second reflects the CPU speeds of the time; faster hardware shrinks the same keyspace proportionally, so the safety margin has to come from length and alphabet size, not from assumptions about the attacker's speed.

That's why attackers usually narrow the character set when recovering a password. But our aim is the opposite: to complicate recovery of our password! So we use symbols from several sets, because the cracker doesn't know which ones the password contains.

For example, adding the symbol '?' to the left or right of "12345678901234567890" appreciably complicates its recovery by brute force: even if the cracker knows the password contains digits and one special character, the alphabet to try is no longer 10 symbols but 10+32, i.e. digits plus specials. What if we add spaces? Or several letters? Or letters of different case (as we remember, case matters for the NT hash)? Such a password cannot be brute-forced in any reasonable time.

One more key rule:

• Your password must contain symbols from different character sets!

Keep in mind too that one of the most popular recovery methods is the dictionary attack (the candidates are common words, word combinations, keyboard patterns, etc.), which is easily defeated by adding symbols from other character sets. Indeed, "MASTER" is trivially found with an ordinary dictionary, whereas "$MASTER$" will not be found by a plain dictionary attack (though a hybrid attack that applies common mangling rules to dictionary words may still reach it).

You may say that it's possible to use a short password with mixed symbols such as "F#1_$", but such passwords are harder to remember than a memorable word or number sequence with a few less common symbols added. For example, if your "favorite" password is "123456", type it, then press the '`' key (to the left of '1') several times, alternating with Shift, and you get the password "123456~`~`~`~`~`". Nothing hard to remember! It is easy to remember and type, yet recovering it by brute force is very hard even if the attacker has a whole network of machines rather than one computer. Theoretically an attacker may stumble on the same combination by chance, but the probability of that is hardly better than plain guessing, so we exclude that case.

But even this password isn't ideal, because it contains repeated symbols: of its 16 characters only 8 distinct ones are used, so the alphabet actually needed to recover it is 8 symbols, far fewer than 16. So the best password is one with no repeated symbols.

Probably the coming Windows, Longhorn, will advance password security. For now, the only option for a Windows 2000/XP user is to rely on themselves and choose login passwords that hold up against the most powerful password searchers.

So here is closing tip on passwords forming:

• Use your imagination! Finding a password that is easy to remember but impossible to break is not hard. Let your password be simple for you but very hard for a cracker. It must never match your other passwords (ICQ, e-mail, mailing lists): the login password must be UNIQUE! Then you can be sure that even if a cracker obtains the SAM file, he or she will never recover the Administrator password and never get access to your computer.

Windows 2000/XP Built-in Safety

Without doubt, one of the most important tools for protecting a Windows 2000/XP workstation is the "Local Security Policy" snap-in, opened from "Administrative Tools" in the Control Panel.

Prefer this tool to the registry or "tweaker" utilities for most security settings; these include clearing the page file at shutdown and enforcing a minimum password length.

Don't be lazy: look through the list of security settings and you will find a lot of interesting things.

Networking Security

If a Windows 2000/XP computer is connected to a network, it is certainly exposed to network attacks too. Here are some tips for working on the network.

Even if you don't share any directories, you may notice that the system has so-called "administrative" shares: 'C$', 'D$', 'E$', etc., plus 'ADMIN$' and 'IPC$'. They are intended for remote administration of the computer. Even if you delete them, they are recreated the next time the system starts. To prevent their creation, set the REG_DWORD value "AutoShareServer" (on a server) or "AutoShareWks" (on a workstation) under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0. This does not stop the IPC$ share from being created; that can be handled with a command file (BAT or CMD) containing:
        net share ipc$ /delete
placed in the startup folder (by the way, the same command can delete the other shares ending in '$'). Be aware that IPC$ carries named-pipe connections, including remote administration and domain communication, so deleting it can break legitimate remote management.

Let's now talk about the common case of intercepting network logon passwords. These are often the same as the Windows login passwords, so capturing them is almost equivalent to stealing the SAM file and recovering the passwords from it.

Here we consider the so-called NT challenge/response (NTLM) authentication, whose logon procedure (on a network controlled by a server) is as follows:

  1. The client computer sends an authentication request to the server.
  2. The server generates a random 8-byte sequence (the "challenge") and sends it back to the client.
  3. The client computes the hash of the password the user entered (the LM hash, the NT hash, or both, depending on configuration; if LM hashing is disabled, only the NT hash is used). Each 16-byte hash is padded to 21 bytes and split into three 7-byte DES keys, and the challenge is encrypted under each; the three 8-byte ciphertexts concatenated form a 24-byte response.
  4. The client sends the response to the server.
  5. The server computes the same response from the data it holds: the hash stored for that user and the challenge, which is the same for both sides within the session.
  6. The server compares the two responses and returns the authentication result.

This scheme avoids sending the password in the clear. But passwords can still be recovered from these responses: a sniffer sees both the challenge and the 24-byte response, so an attacker can try candidate passwords offline exactly as with hashes from the SAM file. Interception can be performed from any computer on the same segment, under any OS, with LC4, PacketCatch, WinSniffer, NTSniffer and other "sniffers", i.e. programs that analyze network traffic. LC4 and PacketInside can then recover passwords from the captured exchanges.

Here are the rules to protect self from net interception:

• Use better protected authentication methods: NTLMv2 and Kerberos. On Windows 2000/XP the NTLM variant the client sends is governed by the LmCompatibilityLevel DWORD under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa; level 3 or higher makes the client send NTLMv2 responses only, and level 5 additionally makes a domain controller refuse LM and NTLMv1 responses.

• Use switches or a fully functional router in the network, so that computer A (for example) cannot see the packets exchanged between computer B and server C. Note that on a switched network an attacker can still redirect traffic through his own machine with ARP spoofing, so switching reduces but does not eliminate the risk of sniffing.

• And, of course, use a firewall for working on the network. A properly configured firewall greatly reduces your exposure to network attacks, though it cannot protect the services you deliberately expose through it.
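Here is an added example, not InsidePro's code, that turns the registry recommendations of this article into a check: it parses a .reg export (the "Windows Registry Editor Version 5.00" format that regedit produces) and flags the three settings discussed above when they are missing or weak: NoLMHash (LM hash storage), LmCompatibilityLevel (which challenge/response variant the client sends) and AutoShareWks/AutoShareServer (administrative shares). The sample export is constructed for this example; the key paths, value names and the level-3 threshold are the real Windows ones. The Windows 2000 form of NoLMHash (a subkey instead of a DWORD value) is not handled, and the IPC$ share, which these values do not control, is not checked.

```python
import re
from typing import Dict, List

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

# Constructed sample of an export with the defaults this article warns about:
# no NoLMHash value, LM/NTLMv1 responses allowed, administrative shares on.
WEAK_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LmCompatibilityLevel"=dword:00000000
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareWks"=dword:00000001
"NullSessionPipes"=hex(7):00,00
"""


def parse_reg(text: str) -> Dict[str, Dict[str, object]]:
    """Minimal parser for REGEDIT 5 exports: [key] headers, dword and quoted
    string values.  Other value types (hex, expand strings) and ';' comments
    are skipped, which is enough for the three values audited here."""
    hives: Dict[str, Dict[str, object]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            hives.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, value = m.group(1), m.group(2)
        if value.lower().startswith("dword:"):
            hives[current][name] = int(value[6:], 16)
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            hives[current][name] = value[1:-1]
    return hives


def audit(export_text: str, role: str = "workstation") -> List[str]:
    """One finding per weak setting; an empty list means the article's three
    registry recommendations are all in place.  Absent values are treated as
    the Windows 2000/XP defaults (LM hashes stored, level 0, shares enabled)."""
    reg = parse_reg(export_text)
    lsa = reg.get(LSA, {})
    lanman = reg.get(LANMAN, {})
    findings: List[str] = []
    if lsa.get("NoLMHash", 0) != 1:
        findings.append("NoLMHash is not 1: LM hashes are stored for passwords of 14 characters or fewer")
    level = lsa.get("LmCompatibilityLevel", 0)
    if not isinstance(level, int) or level < 3:
        findings.append("LmCompatibilityLevel < 3: client still sends LM/NTLMv1 responses that sniffers can crack")
    share_value = "AutoShareServer" if role == "server" else "AutoShareWks"
    if lanman.get(share_value, 1) != 0:
        findings.append(share_value + " is not 0: C$, D$ and ADMIN$ are recreated at every start")
    return findings


def hardened_export(role: str = "workstation") -> str:
    """The corrected configuration as an importable .reg fragment.  Changes
    take effect after a reboot; LM hashes already in the SAM are only removed
    when each user next changes their password."""
    share_value = "AutoShareServer" if role == "server" else "AutoShareWks"
    return (
        "Windows Registry Editor Version 5.00\n\n"
        "[" + LSA + "]\n"
        '"NoLMHash"=dword:00000001\n'
        '"LmCompatibilityLevel"=dword:00000003\n\n'
        "[" + LANMAN + "]\n"
        '"' + share_value + '"=dword:00000000\n'
    )


if __name__ == "__main__":
    for finding in audit(WEAK_EXPORT):
        print("WEAK:", finding)
    print("hardened export findings:", audit(hardened_export()))
    print(hardened_export())
```

To audit a real machine, export the two keys with regedit (or "reg export") and pass the file contents to audit(); note that regedit writes .reg files as UTF-16LE, so open them with encoding="utf-16". The role argument matters: a server that sets only AutoShareWks still recreates its administrative shares.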

Applications Security

Of course, Windows security depends not only on the OS but also on the programs you use. No built-in Windows protection will help if, for example, you catch a Trojan or run malicious code through an Internet Explorer vulnerability.

So let us repeat the familiar but still valid recommendations:

• Don't use the Internet under the Administrator account; create a dedicated limited account for that purpose, so that an attack on your computer through a browser or Internet-utility vulnerability gains only that account's limited rights.

• Where possible, use the latest versions of programs, keep track of updates, and install all patches and hotfixes for Windows, Internet Explorer and other programs to close vulnerabilities quickly.

• Use antivirus software, update its signature databases regularly, don't run downloaded programs without checking them for spyware and viruses, don't execute files received by e-mail unless they come from a trusted source, and immediately delete files received from suspicious sources.

• Configure your workstation so that only the services you actually need are running; in particular, restrict remote registry access by stopping the Remote Registry service.

• Use the Windows 2000/XP encryption functions provided by EFS (Encrypting File System). Keep in mind that the EFS keys are protected by the user's logon password, so EFS is only as strong as that password: an attacker who recovers the password from the SAM can also decrypt the files.

Conclusion

Microsoft certainly does pursue a systematic security improvement program for its products, but the user remains the most important element when it comes to configuring a well-protected computer under Windows 2000/XP. So the security of the computer rests entirely on the administrator, or on the user with administrator rights. Experience in administering NT systems shows that a properly configured Windows 2000/XP workstation is no less reliable and protected than a Linux system.

Of course, Windows 2000/XP security is a many-sided subject involving a lot of details and features, and a thorough description would take more than a book, but we recommend every user to study the system they work with, keep up with the latest computer security news and keep improving their skills. Then working with the computer will bring pleasure rather than hardship.


Copyright © 2003-2010 InsidePro Software