Protection of the Administrator Account in the Offline SAM
ID: Q223301
The information in this article applies to:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
SUMMARY
This article discusses the security of the offline Security Accounts Manager (SAM) and the accounts in it.
Windows 2000 Domain Controllers store domain user accounts, group memberships and other objects in the Active Directory. The Windows 2000 Backup tool and other third-party backup programs can back up jet-based Active Directory on an online Windows 2000 domain controller.
System maintenance and restoring the Active Directory can only be performed by placing the Active Directory "offline" or in "Directory Services Restore" mode. Directory Services Restore mode, which uses a registry-based SAM accounts database to store the administrator account and other built-in users and groups, represents a different security context than the Active Directory.
MORE INFORMATION
Registry-Based SAM Creation
Microsoft Windows NT version 4.0 and earlier store user accounts, machine accounts, and group information in a registry-based SAM. When you upgrade a Windows NT 4.0 primary domain controller (PDC) to Windows 2000, DCPROMO starts at the end of Windows 2000 Setup. Accounts in the SAM are migrated to the jet-based Active Directory. A new registry-based SAM containing the "offline" administrator account (and other built-in accounts needed to recover Windows 2000 domain controllers) is created. Accounts in the registry-based SAM are available only in Directory Services Restore mode, which is entered by pressing F8 in the early part of the boot process. The registry-based SAM is stored in the %SYSTEMROOT%\SYSTEM32\CONFIG folder.
For new Windows 2000 domains, the Active Directory database is built and populated with a default set of users and groups. The same Windows NT version 4.0 type of registry-based SAM found in the Windows NT upgrade scenario is created in the %SYSTEMROOT%\SYSTEM32\CONFIG folder.
Securing the Offline SAM
The methods of protecting the offline SAM are identical to the methods used in Windows NT 4.0. Administrators looking to secure the offline SAM may consider the following:
- Maintain a different password for the administrator account in the Active Directory and the administrator account in the offline SAM. As a matter of policy, the password for the administrator account in the Active Directory should be different from the password for the offline administrator account.
The online and offline passwords become different with the first password change of the Active Directory administrator account.
- Evaluate the risk, and then develop a password-changing policy for critical accounts like the offline and Active Directory-based administrator account using strong password guidelines.
- The offline SAM is not accessible programmatically when a Windows 2000-based domain controller is running in Active Directory mode. To implement a strong password change policy for the offline administrator account:
  - Start the Windows 2000 domain controller in Directory Services Restore mode.
  - Change the password for the account or accounts.
  - Start in Active Directory mode.
The effective system-up time for the server becomes the password change interval for the offline administrator account.
- Enable auditing of the SAM file located in the %WINDIR%\SYSTEM32\CONFIG folder. Any access other than a system backup or virus scan should be investigated.
NOTE: Do not follow the steps outlined in the following articles in the Microsoft Knowledge Base:
Q184017 Administrators Can Display Contents of Service Account Passwords
Q143475 Windows NT System Key Permits Strong Encryption of the SAM
- Physical security for computers, emergency repair disks and tape backup media is a critical component in creating any secure environment.
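The auditing step above is a SACL on the offline SAM hive file plus an enabled object-access audit policy. The following PowerShell is an added example, not part of this Knowledge Base article: it assumes a later Windows version with Windows PowerShell 5.1 (PowerShell is not available on Windows 2000 itself), an elevated session that holds SeSecurityPrivilege, and that the SAM hive is at the default path. Enable-SamAudit adds a Success/Failure audit entry for Everyone covering reads, writes and permission changes; Get-SamAuditRules returns the entries currently in the SACL so the setting can be verified. The auditpol subcategory names are those of Windows Vista and later.

```powershell
# Added example (not from the KB article): put an audit SACL on the offline SAM hive
# and verify it. Assumptions: Windows PowerShell 5.1 on a later Windows version,
# elevated session with SeSecurityPrivilege, SAM hive at the default location.

$SamPath = Join-Path $env:windir 'System32\config\SAM'

function Get-SamAuditRules {
    param([string]$Path = $SamPath)
    # -Audit makes Get-Acl read the SACL as well as the DACL.
    $acl = Get-Acl -LiteralPath $Path -Audit
    # Return explicit and inherited audit entries, resolved to account names.
    $acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

function Enable-SamAudit {
    param([string]$Path = $SamPath)
    $acl = Get-Acl -LiteralPath $Path -Audit

    # Audit every principal: the file should only ever be touched by backup and AV.
    $everyone = New-Object System.Security.Principal.SecurityIdentifier(
        [System.Security.Principal.WellKnownSidType]::WorldSid, $null)

    # Reads, writes, deletion and any change of permissions or ownership.
    $rights = [System.Security.AccessControl.FileSystemRights]'ReadData, WriteData, AppendData, Delete, ReadPermissions, ChangePermissions, TakeOwnership'
    $flags  = [System.Security.AccessControl.AuditFlags]'Success, Failure'
    $rule   = New-Object System.Security.AccessControl.FileSystemAuditRule($everyone, $rights, $flags)

    $acl.AddAuditRule($rule)

    # Write back through FileInfo.SetAccessControl so only the modified (SACL)
    # section is applied; the hive is a hidden system file, hence -Force.
    $file = Get-Item -LiteralPath $Path -Force
    $file.SetAccessControl($acl)
}

# SACL entries generate events only when object-access auditing is collecting them.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

Enable-SamAudit
Get-SamAuditRules | Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

Once applied, accesses to the hive appear in the Security log as object-access events carrying the file path and the accessing account; as the article says, entries that are not from the backup agent or virus scanner are the ones to investigate.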
Administrators may experience more loss of service from being unable to produce the password for the offline administrator account than from attacks against the offline SAM. Define an internal process for storing and retrieving offline administrator passwords that does not compromise security but makes passwords available for system maintenance and recovery. Consider that servers are typically rebuilt during off-peak hours, months or even years after the original installation of the operating system.
You may remotely change the password for the offline SAM by using Windows NT Terminal Server in remote administration mode and toggling the Boot.ini switch between starting the computer in Directory Services Restore mode and Active Directory mode.
Additional query words: 2000 4.00
Keywords: kbtool
Version: WINDOWS:2000
Platform: WINDOWS
Issue type: kbinfo