Anyone who has lost a password knows it is a horrible feeling. Even more so when it is for a server. In this tutorial video I step you through the process of recovering the local administrator password on a Server 2008 R2 system, a process that can be completed in under a minute, saving you both time and money. I finish the article by discussing a multitude of deterrents, so that someone doesn't do this to you.
PassWare WinKey Enterprise: Product Page | Shopping Cart
This software can be used with all editions of Windows Server up to 2008 R2 (no official support for 2012 yet). It can also be used with every client operating system up to Windows 8.1.
Additional product information and pricing can be obtained from the links above. The Enterprise edition is required for Windows Server passwords; the Standard and Pro editions only cover the client operating systems.
Are you protected?
‘Hmm, this is all well and good’, you might say, ‘But how do I prevent someone from breaking into my servers?’
Over a decade ago the answer was always to ensure that your servers were physically secure. Now, with out-of-band management and virtualization, that attack surface has grown significantly.
Physically Unfit
First let’s cover the physical aspects. Here are some common questions to ask yourself.
Is your server in a locked room?
I have seen a lot of servers left out in the middle of an office, under someone's desk, or tucked next to the cubicle plant. A dedicated space not only provides adequate cooling and power, but also the necessary security. Hollywood often paints the picture that data is stolen through the firewall by some teenager wanting to play Global Thermonuclear War. Often overlooked is the disgruntled employee, or some guy claiming to be from your I.T. department. So server rooms are important.
Who can access the server room?
A server room is only as secure as its weakest point. There are a lot of server rooms out there that have been left unlocked. I have seen them.
Access to an unlocked server room cannot be controlled, so you need to find a way to control it. Traditional key locks are okay, but it doesn't take much to get a key duplicated at your local hardware store, and a key gives you no reporting as to who is using it.
Key card systems are better, as the cards are generally not easy to duplicate, and the readers can often report back whose card was used and at what time and on what day. But cards can be lost or stolen.
Biometrics are a better option still, as a fingerprint is far harder to duplicate than a key or a card (not impossible, but well beyond the local hardware store). I would also hope that fingers and thumbs are not misplaced or stolen.
Like any security mechanism, a multi-tiered approach can definitely help.
How is the server room constructed?
Biometrics might control your door access. But if your server room is built out of drywall, has windows, or shares a drop ceiling or crawlspace with the rest of the office, that door control becomes an easy obstacle to bypass.
Piggybacking might also be an issue. This is where someone without access follows someone with access into the server room. At this point locked racks are the best option. Locked racks can also work in a shared office space where a dedicated room is not possible. A locked rack is a great deterrent.
Are the servers locked?
A lockable bezel is another great option. Plastic bezels look like they could be snapped off; a server with a metal front plate is a bonus. But we also need to look at what that bezel actually prevents access to.
A decade ago it was quite commonplace to see an opening in a server's front for a tape slot. That is nice and convenient, but it doesn't lend itself to security. Many data breaches occur because of lost backup tapes.
Hopefully, your server's front panel covers up everything, including the power button, optical drive and USB ports. In my video I was using a CD to boot into WinKey, but there is also a USB stick option. So, if I can force your server to restart and plug in a USB key, your server is compromised.
That brings us to the rear of the server. There are lots of USB ports back there, and pulling the power cord will force a reboot. The only real option at this point is a lockable back door on the rack.
Is there local console access?
If you have a KVM switch that requires password entry, then that is just one more deterrent. Restricting access to the video and USB ports on the back of the server is a must, though, as an attacker could simply plug a keyboard and monitor straight into the server and bypass your KVM entirely.
Out of (elastic) band
Out-of-band management has become quite prevalent as it has matured. Products such as HP iLO (Integrated Lights-Out) and Dell DRAC (Dell Remote Access Controller) allow administrators to access a server remotely as if they were sitting right next to the console.
Administrators can power on a server or hard-boot it. They can even mount virtual CDs/DVDs and boot the server remotely from an ISO image. This creates a whole new challenge, as it effectively extends the physical attack surface out onto the network: everything the video does with a CD in the drive can be done from a desk with an ISO file.
This opens a whole new set of questions.
Are you using complex passwords?
Hopefully, there is already a policy on your network for privileged accounts. Before anything else, change the factory default credentials the controller ships with. Then make your out-of-band access accounts contain as many characters as possible. You will likely only need these tools when troubleshooting an unresponsive server or performing a remote deployment, so a password of 13+ characters shouldn't be too cumbersome. Also, make sure you are using a combination of uppercase, lowercase, numbers and special characters.
Is access restricted?
Sometimes a server comes with a shared out-of-band management port and a buy-up option for a dedicated port. I would always recommend getting the dedicated port. This makes it easy to plug that port into its own dedicated management network or VLAN. From there you can control access onto that management network with access control lists.
Virtual Reality
Another extension of the physical attack surface is virtualization. With more and more servers being virtualized, this problem is only becoming more of a challenge.
The big question here is:
Who has access to your Hypervisor?
If a user has access to your hypervisor, then they can power cycle virtual machines, mount ISO images and more, which is exactly the capability the video relies on. When granting someone access to your virtual infrastructure, practice the principle of least privilege: give them only the minimum permissions required to perform their job. As mentioned already, complex passwords are important here once again, and an expiration and lockout policy helps too.
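The password length, expiration and lockout settings recommended for out-of-band accounts above, and again for hypervisor access, apply just as much to the Windows local accounts that the video resets. Below is an added example (not from the original article or from Passware) that audits a server's local account policy against those minimums. It parses the output of `net accounts`, either the constructed sample embedded in the script or, with `-Live`, the real output on the host it runs on. The thresholds are assumptions chosen for illustration, and the sample output is constructed rather than captured from a real server. Note that iLO, DRAC and hypervisor accounts live in their own user databases and are not covered by this check.

```powershell
<#
  Added example, not part of the original article: audit the local account policy
  (the one that governs the built-in Administrator and any other local accounts)
  for the minimums discussed above: password length, expiration and lockout.
  Run as-is to check the constructed sample below; run with -Live on a server to
  parse the real output of `net accounts`. The thresholds are assumptions chosen
  for illustration; adjust them to your own policy.
#>
param(
    [switch]$Live,
    [int]$MinLength  = 13,   # article suggests 13+ characters for privileged accounts
    [int]$MaxAgeDays = 90,   # assumed expiration window
    [int]$MaxLockout = 10    # assumed failed-attempt threshold; lower is stricter
)

function Parse-NetAccounts {
    # Turn the "label: value" lines printed by `net accounts` into a hashtable.
    param([string[]]$Lines)
    $policy = @{}
    foreach ($line in $Lines) {
        if ($line -match '^(?<key>.+?):\s+(?<value>\S.*)$') {
            $policy[$Matches.key.Trim()] = $Matches.value.Trim()
        }
    }
    return $policy
}

function Test-LocalAccountPolicy {
    # Compare the parsed policy against the thresholds and return one finding per gap.
    param([hashtable]$Policy)
    $findings = @()

    $len = $Policy['Minimum password length']
    if (-not $len -or [int]$len -lt $MinLength) {
        $findings += "Minimum password length is '$len'; require at least $MinLength."
    }

    # `net accounts` prints 'Unlimited' when passwords never expire.
    $age = $Policy['Maximum password age (days)']
    if ($age -eq 'Unlimited' -or [int]$age -gt $MaxAgeDays) {
        $findings += "Maximum password age is '$age'; expire passwords within $MaxAgeDays days."
    }

    # `net accounts` prints 'Never' when no lockout threshold is set.
    $threshold = $Policy['Lockout threshold']
    if ($threshold -eq 'Never' -or [int]$threshold -gt $MaxLockout) {
        $findings += "Lockout threshold is '$threshold'; lock out after at most $MaxLockout failed attempts."
    }

    # Complexity (upper/lower/digit/special) is not reported by `net accounts`;
    # export the security policy with `secedit /export /cfg <file>` and check
    # PasswordComplexity = 1 in the [System Access] section.
    return $findings
}

# Constructed sample of `net accounts` output from a default install (not captured from a real host).
$sample = @'
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
'@ -split "`r?`n"

$lines    = if ($Live) { net accounts } else { $sample }
$findings = Test-LocalAccountPolicy (Parse-NetAccounts $lines)

if ($findings.Count -eq 0) {
    Write-Output 'PASS: local account policy meets the configured minimums.'
} else {
    $findings | ForEach-Object { Write-Output "FAIL: $_" }
}
```

Against the constructed sample the script reports two gaps, the zero minimum length and the missing lockout threshold, while the 42-day maximum age passes. The same three settings are what `net accounts /minpwlen`, `/maxpwage` and `/lockoutthreshold` change, so the fixes can be applied from the same prompt once the gaps are confirmed.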
I hope this article has been of great help to you. These are the more common areas to lock down; as many of you know, the realm of I.T. security is boundless. As always, I would love to hear your feedback, especially on the measures you have taken yourself to secure your servers.