Friday, February 29, 2008

More thoughts on Admin Passwords

OK, I'm also changing this in the original post, but in case you don't think to go back and check.
When I sent my admin password solution to a buddy at MS, he tried it and it didn't work. After a fairly short discovery, I discovered that it worked for me because I had a drive mapped to the admin share on my DC. So PSExec was using that IPC to connect. So unless you're lucky enough to have something like that, you prob won't be able to use this solution. However, it's a good backdoor so it may be a good idea just to setup a mapped share on your box anyway just in case something happens and you get shut out of your DC.

On that note. This is a really excellent reason why you never want to run SQL under an admin acount and especially not under a domain admin acct. I've seen that more than I care to and it always comes out bad eventually. It only takes a very basic knowledge of SQL to discover that someone with regular user rights can setup a SQL job to promote their user acct to admin because the job will run under the context of the agent acct at the OS level. And if you're running your services under an admin acct they'll have full rights to do whatever they like. And if you're running it under a domain admin acct, then they can promote themselves to domain admin pretty easily by running a .vbs or prob even powershell. Pretty much any scripting language will prob do, huh...
And that goes for running SQL on a DC under local system. That's the same as domain admin as far as the DC is concerned. So be smart and run your SQL accts with non-admin accts and just remove that from the equation. There are enough ways for internal and external hackers to elevate rights. Don't help them.
Thursday, February 21, 2008

Reset Domain Admin Account

Last week I somehow forgot the domain admin acct in my lab. I tried for 3 days to remember it and I finally came to the realization that I just wasn't going to. So I started looking around on the web for different things I could do. I wasn't really in a hurry cause my domain was running just fine.

I found many methods for changing the local admin acct, but not many for changing the domain admin acct in a windows 2003 domain controller. I did find this method here.

Anyway, I checked with an SE friend of mine on the windows support team at MS and he said that was a good method and told me to run with that one. Not that I minded, but I just didn't want to bring down my DC and take the time to copy all that stuff to floppy, etc. So I kept looking.

I finally had an idea that I just had to share with everybody. It's so simple it's scary.
I used the SysInternals tool psexec.exe. What it does is run programs remotely on the box of your choosing. The problem of course, is that you have to make an admin connection to that box, and if you could do that, you wouldn't have to use psexec to reset the password. So I looked at the help file for psexec and found a parameter that just amazed me. -s is its name.
What that does is tells psexec to connect with the local system acct of the remote box. And since the local system acct has full admin rights, you have the rights you need to change the admin password.

So at a command prompt go to the dir where you have psexec and type the following command:
psexec.exe -s \\machinename cmd
That tells you to bring up a command shell on the remote box and log in as the machine's local system acct. So now you've got a shell open on your box just like you were standing in front of the console on the remote box. Now you just type the command for changing the admin password: net user administrator newpassword

That's it. It's simple, elegant, beautiful, and it really saved my ass.
I hope this helps someone else.

Just for grins, here's a Camtasia I made of the process just to make it even easier. Click here

Here's an update to my original post. I sent this solution to a friend at MS and he found that it didn't work for him. After a little investigation, I discovered that it worked for me because I had the admin share on my DC mapped on my box and PSExec was using that IPC. You can read more about that here.
Wednesday, February 20, 2008

Good Times

Wow... I really don't get a chance to write in this blog very often because my company has been blocking the address. For some reason though, they just opened it up so I'll be writing here a lot more. So lookout, I'm back.

About Me

My Photo
Sean McCown
I am a Contributing Editor for InfoWorld Magazine, and a frequent contributor to as well as I live with my wife and 3 kids, and have practiced and taught Kenpo for 22yrs now.
View my complete profile


Blogumulus by Roy Tanck and Amanda Fazani

Page Views