I was browsing the web the other day and stumbled upon an online workshop hosted by Microsoft. The presenter, Paula Januszkiewicz, who is a Security Auditor, spoke about a Windows bug through which malicious users can gain access to Administrators’ passwords. I don’t know how many of you folks use AD users to run services on machines. I think that System Administrators usually use Active Directory accounts to log on services on both Servers and Desktops. Almost every task must be run by a certain user with the right permissions. Whether you run a script, execute a piece of code, create a scheduled task, or run a service, every time you have to provide a user that has the rights to take that particular action.
I will talk about creating and managing services using AD accounts. In many enterprises, important services are run under the Administrator account because such a user has full access over a particular machine. Windows offers you a couple of different options regarding how a service account can log on. This can be done by using one of the following options:
– use a Local System account. If you also select the Allow service to interact with desktop, anything displayed on the desktop by the service account will also be displayed on the user’s desktop.
– use a Local Service account. Click This account, and then type NT AUTHORITY\LocalService.
– use a Network Service account. Click This account, and then type NT AUTHORITY\NetworkService.
– specify another user that would be used by the service to log on by selecting This account and then entering the desired account.
To show you this Windows bug I will now create a random service that uses the Administrator’s account to log on. To achieve this, you can either use the sc command available in the command prompt or my favorite, the New-Service cmdlet from PowerShell. I will show you how to configure a new service using this cmdlet:
The new service has been configured and the Administrator account is used by it. Let’s verify our newly configured service by checking the Services console:
Until seeing this video, I didn’t know that the passwords of users used by services are stored locally in clear text! A tool called SAPD was developed, which uncovers the users’ passwords used by Windows services. I will create a new PsExec session to show you how to use this tool. Let’s type the following:
On the newly opened cmd, type whoami to see which user you are currently logged on as. Search on Google for the SAPD tool (I don’t know if I’m allowed to give you this tool). After downloading SAPD, go to its location and execute the following:
As you can see, I have uncovered the password for the Administrator account.
Imagine what damage a hacker could do to your enterprise if he were able to find out your Administrator’s password. If anyone could establish a remote session and run this tool on any machine, the whole network’s security could be compromised. To counter this Windows problem you should use group managed service accounts, available in Windows Server 2012. I will not talk about this feature now, perhaps in the future.
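One way to find the services on your own machines that log on with a regular user account, so you know which ones to move to group managed service accounts first, shown here as an added example that is not part of the original article. The function name Get-ServiceLogonAudit, its output columns, and the rule that a trailing `$` marks a managed or computer account are assumptions made for illustration.

```powershell
# Added example (not from the original article): list services that log on
# with a regular user account. Function name and columns are illustrative.
function Get-ServiceLogonAudit {
    [CmdletBinding()]
    param(
        # Machines to audit; defaults to the local computer.
        [string[]]$ComputerName = $env:COMPUTERNAME
    )

    # Built-in identities and per-service virtual accounts take no password
    # from the administrator, so they are skipped.
    $builtIn = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$'

    foreach ($computer in $ComputerName) {
        # Query locally without remoting; use -ComputerName only for other hosts.
        $query = @{ ClassName = 'Win32_Service'; ErrorAction = 'Stop' }
        if ($computer -ne $env:COMPUTERNAME) { $query.ComputerName = $computer }
        try {
            $services = Get-CimInstance @query
        }
        catch {
            Write-Warning "Could not query ${computer}: $($_.Exception.Message)"
            continue
        }

        foreach ($svc in $services) {
            $account = $svc.StartName
            if ([string]::IsNullOrWhiteSpace($account)) { continue }
            if ($account -match $builtIn) { continue }

            # Heuristic (assumption): a name ending in '$' is a managed service
            # account or computer account whose password Windows rotates itself.
            $isManaged = $account.Trim() -match '\$$'
            [pscustomobject]@{
                Computer    = $computer
                Service     = $svc.Name
                State       = $svc.State
                StartMode   = $svc.StartMode
                LogOnAs     = $account
                AccountKind = if ($isManaged) { 'Managed or computer account' } else { 'User account' }
            }
        }
    }
}

# Services to review first: those running as an ordinary user or admin account.
Get-ServiceLogonAudit | Where-Object AccountKind -eq 'User account' |
    Sort-Object Computer, LogOnAs | Format-Table -AutoSize
```

Pass several names to -ComputerName to audit remote machines; that path uses CIM remoting, so WinRM must be reachable on the targets.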
That’s it for this short article folks, I hope you’ve learnt something new from it. I know it’s a little disturbing but all things made by humans are not perfect. In the future, maybe Microsoft will take care of this issue. Meanwhile, enjoy IT training day and have a wonderful day.