Microsoft Windows password bug


   I’ve been browsing the web the other day and stumbled upon an online workshop hosted by Microsoft. The presenter Paula Januszkiewicz, which is a Security Auditor, spoke about a Windows bug from which malicious users can gain access to Administrators passwords. I don’t know how many of you folks use AD users to run services on machines. I think that usually System Administrators use Active Directory accounts to log on services on both Servers and Desktops. Almost every task must be run by a certain user with the right permissions. Even if you run a script, execute a piece of code, create a schedule task, run a service, etc., every time you have to provide the user which has the rights to take that particular action. I will talk about creating and managing services using AD accounts. In many enterprises, important services are run under the Administrator account because such user can provide full access over a particular machine. Windows offers you a couple of different options regarding how a service account can log on. This can be done by using one of the following options:

 

– use a Local System account. If you also select the Allow service to interact with desktop, anything displayed on the desktop by the service account will also be displayed on the user’s desktop.
– use a Local Service account. Click This account, and then type NT AUTHORITY\LocalService.
– a Network Service account. Click This account, and then type NT AUTHORITY\NetworkService.

– specify another user that would be used by the service to log on by selecting This account and then entering the desired account.

Microsoft Service log on as options
 
   To show you this Windows bug I will now create a random service that uses the Administrator’s account to log on. To achieve this, you can either use the sc command available in command prompt or my favorite, the New-Service cmdlet from Powershell. I will show you how to configure a new service using this cmdlet:
New-service Powershell
The new service has been configured and the Administrator account is used by it. Let’s verify our newly configured service by checking the Services console:
Services Console
Until seeing this video, I didn’t know that username’s passwords used by services are stored locally in clear text!. A tool was developed called SAPD, which uncovers the user’s passwords used by Windows services. I will crate a new Psexec session to show you how to use this tool. Let’s type the following:
On the newly opened cmd, type whoami to see with what user you are currently logged on. Search on Google for the SAPD tool (I don’t know if I’m allowed to give you this tool). After downloading SAPD, go to it’s location and execute the following:
SAPD tool
As you can see, I have uncovered the password for the Administrator account.
   Imagine what damage could a hacker do to your enterprise if he is able to find out your Administrator’s password. If anyone could establish a remote session and run this tool on any machine, the whole network security could be compromised. To counter this Windows problem you should use group managed service accounts available in Windows Service 2012. I will not talk about this feature now, perhaps in the future.
   That’s it for this short article folks, I hope you’ve learnt something new from it. I know it’s a little disturbing but all things made by humans are not perfect. In the future, maybe Microsoft will take care of this issue. Meanwhile, enjoy IT training day and have a wonderful day.
Advertisements

One thought on “Microsoft Windows password bug

  1. thats great..I have been surfing online greater than 3 hours these days, but I never found any fascinating article like yours. It’s beautiful value sufficient for me. In my view, if all webmasters and bloggers made just right content as you probably did, the net will be much more helpful than ever before.

    Like

    Reply

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s