So, we thought it would be awesome to do a quick follow-up to our previous video titled: Password Crack Windows Server 2008 R2 in under a minute!
In the previous video, we password cracked the local Administrator account. Well, we decided to take it one step further.
In this video, we will be password cracking the built-in domain Administrator account. Scary huh?
We will be doing this on a Server 2008 R2 domain controller. The forest and domain functional levels will also be on 2008 R2.
If you are interested in learning more about the product check the links below. It is a very powerful product and is always my go-to solution when this situation arises.
Disclaimer: I need to point out that I am not sponsored by Passware in any way. However, this document does contain some affiliate links.
Are you protected?
This is a very good question to ask yourself. The same points we covered in our previous article still apply here. Let’s review.
First, let’s cover the physical aspects. Here are some common questions to ask yourself.
Is your server in a locked room?
I have seen a lot of servers left out in the middle of an office setting, under someone's desk, or tucked next to the cubicle plant. A dedicated space not only provides adequate cooling and power but also the necessary security. Hollywood often paints the picture that data is stolen through the firewall by some teenager wanting to play Global Thermonuclear War. Often overlooked is the disgruntled employee, or some guy claiming to be from your I.T. department. So server rooms are important.
Who can access the server room?
A server room is only as secure as its weakest point. There are a lot of server rooms out there that have been left unlocked. I have seen them.
An unlocked server room cannot be controlled. So you need to find a way to control access. Traditional key locks are okay. But it doesn't take much to get these duplicated at your local hardware store. Nor does it give you any form of reporting as to who is using those keys.
Key card systems are better as they are generally not easy to duplicate. Often the readers can report back whose card has been used and on what time or day. But cards can be lost or stolen.
Biometrics is a better option still, as a fingerprint is much harder to copy than a key or a card and cannot be lent to a co-worker. It is not impossible to spoof a fingerprint reader (researchers have done it with lifted prints and moulded copies), but it raises the bar well above a duplicated key, and I would hope that fingers and thumbs are not misplaced or stolen.
Like any security mechanism, a multi-tiered approach can definitely help.
How is the server room constructed?
Biometrics might control your door access. But if your server room is constructed out of drywall, has windows, or shares a common drop ceiling or crawlspace with the rest of the office, that door access control turns into an easy obstacle.
Piggybacking (also called tailgating) might also be an issue. This is where someone without access follows someone with access into the server room. At this point, locked racks are the best option. Locked racks can also work in a shared office space where a dedicated room is not possible. A locked rack is a great deterrent.
Are the servers locked?
A lockable bezel is another great option. The plastic bezels seem like they could be broken. A server with a metal front plate is a bonus. But we need to see what that bezel actually prevents access to.
A decade ago it was quite commonplace to see an opening on a server for a tape slot. That is nice and convenient but it doesn't lend itself to security. Many data breaches occur due to lost backup tapes.
Hopefully, your server's front panel covers everything, including the power button, optical drive, and USB ports. In my video, I was using a CD to boot into WinKey. But they also have a USB stick option. So, if I can force your server to restart and get a USB key plugged in, your server is hacked.
That brings us to the rear of the server. Lots of USB ports back there. And pulling the power cord will force a reboot. The only real option at this point is a lockable back door on the rack.
Is there local console access?
If you have a KVM switch that requires password entry then that is just one more deterrent. Restricting access to the video and USB ports on the back of the server is a must though, as technically an attacker can bypass your KVM by plugging a keyboard and monitor straight into the server.
Out of (elastic) band
Out-of-band management has become quite prevalent as it has matured. Products such as HP iLO (Integrated Lights-Out) and Dell DRAC (Dell Remote Access Controller) allow administrators to have remote access to a server as if they were sitting right next to the console.
Administrators can power on the server, or hard boot it. Administrators can even mount virtual CDs/DVDs and remote boot the server from an ISO image. This creates a whole new challenge, as it basically extends the physical attack surface out onto the network: the same boot-from-media trick shown in the video no longer needs anyone in the room.
This opens a whole new set of questions.
Are you using complex passwords?
Hopefully, there is already a policy in your network for privileged accounts. Your out-of-band access accounts need to have passwords containing as many characters as possible. It is likely you will only need these tools when troubleshooting an unresponsive server, or performing a remote deployment, so a password with 13+ characters shouldn't be too cumbersome. Also, make sure you are using a combination of uppers, lowers, numbers and special characters. And change the factory default credentials the controller ships with before it ever touches the network; the defaults are printed in the vendor manuals and everyone knows them.
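As an added example (not part of the original article or the Passware product), here is a small Python policy checker for out-of-band management passwords that encodes the advice above: at least 13 characters, all four character classes, and not a factory default. It also generates a compliant random password with the `secrets` module so you are not tempted to type one up by hand. The minimum length and the list of default passwords are assumptions for illustration; extend the list with the defaults from your own vendor's manual.

```python
import secrets
import string

# Assumed policy for iLO/DRAC style accounts: 13+ characters, all four classes.
MIN_LENGTH = 13
SPECIALS = string.punctuation

# Constructed sample of factory/common passwords that must never be accepted.
# "calvin" is the historical Dell DRAC default; the others are just common choices.
KNOWN_DEFAULTS = {"calvin", "password", "admin", "changeme"}


def check_oob_password(password: str, min_length: int = MIN_LENGTH) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if password.lower() in KNOWN_DEFAULTS:
        problems.append("matches a known factory default or common password")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def generate_oob_password(length: int = 20) -> str:
    """Generate a CSPRNG password that is guaranteed to pass check_oob_password()."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, SPECIALS]
    alphabet = "".join(classes)
    # One character from each class guarantees coverage of all four classes...
    chars = [secrets.choice(cls) for cls in classes]
    # ...and the remainder is drawn from the full alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    # Shuffle with the CSPRNG so the class positions are not predictable.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    for candidate in ["calvin", "Short1!", "Tr0ub4dor&3x!Long"]:
        print(f"{candidate!r}: {check_oob_password(candidate) or 'OK'}")
    print("generated:", generate_oob_password())
```

Run it directly to see the three constructed candidates evaluated and a fresh compliant password printed. Feed the generated value into the controller's local user database, store it in your password manager, and keep the factory password tag off the chassis.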
Is access restricted?
Sometimes a server comes with a shared out-of-band management port, with a buy-up option for a dedicated port. I would always recommend getting the dedicated port. This makes it easy to plug that port into its own dedicated management network or VLAN. From there you can control who gets onto that management network with access control lists, so that only your administrators' workstations or a jump host can reach the iLO/DRAC addresses at all.
Another extension of the physical attack surface is virtualization. With more and more servers being virtualized, this problem is only becoming more of a challenge.
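As an added illustration (not from the original article), this is what the access control described above might look like on a Cisco IOS layer-3 switch that routes for the management VLAN. The addresses, VLAN number and interface are assumptions: 10.0.50.0/24 is taken to be the administrators' jump-host subnet and 10.0.99.0/24 the VLAN the iLO/DRAC ports are plugged into. Only HTTPS and SSH from the admin subnet are allowed in; everything else bound for the controllers is dropped and logged.

```cisco
ip access-list extended OOB-MGMT-IN
 remark Only the admin jump-host subnet may reach the iLO/DRAC controllers
 permit tcp 10.0.50.0 0.0.0.255 10.0.99.0 0.0.0.255 eq 443
 permit tcp 10.0.50.0 0.0.0.255 10.0.99.0 0.0.0.255 eq 22
 deny   ip any 10.0.99.0 0.0.0.255 log
!
interface Vlan99
 description Out-of-band management (iLO/DRAC) - assumed VLAN number
 ip address 10.0.99.1 255.255.255.0
 ip access-group OOB-MGMT-IN out
```

The list is applied outbound on the VLAN 99 interface, which filters traffic the switch routes towards the controllers from every other VLAN. If your controllers need additional ports for virtual media or the remote console, add them explicitly rather than opening the subnet up; the whole point of the dedicated port is that a compromised user workstation cannot reach a controller at all.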
The big question here is:
Who has access to your Hypervisor?
If a user has access to your hypervisor, then they can possibly power cycle servers, mount ISO images as virtual CDs and more, which is exactly the attack shown in the video. When granting someone access to your virtual infrastructure, practice the rule of least privilege. Only give them the absolute minimum permissions required to perform their job; someone who only needs to watch a console does not need the right to change boot media. As mentioned already, complex passwords are important here once again. An expiration and lockout policy helps too.
I hope this article has been of great help to you. These are the more common areas to lock down. As many of you know, the realm of I.T. security is boundless and evolving. As always, I would love to hear your feedback, especially on measures you have taken yourself to secure your servers.