This article discusses the security of the offline Security Accounts Manager (SAM) and the accounts in it.
Windows 2000 domain controllers store domain user accounts, group memberships and other objects in Active Directory. The Windows 2000 Backup tool and third-party backup programs can back up the Jet-based (ESE) Active Directory database while the Windows 2000 domain controller is online.
Some system maintenance, and any restore of the Active Directory database, can only be performed with Active Directory "offline", that is, with the domain controller started in Directory Services Restore mode. In that mode the domain controller authenticates against a registry-based SAM accounts database that holds its own administrator account and other built-in users and groups. Directory Services Restore mode is therefore a different security context from Active Directory: the accounts, passwords and group memberships in Active Directory do not apply there.
Registry Based SAM Creation
Microsoft Windows NT version 4.0 and earlier store user accounts, machine accounts and group information in a registry-based SAM. When you upgrade a Windows NT 4.0 primary domain controller (PDC) to Windows 2000, DCPROMO starts at the end of Windows 2000 Setup. Accounts in the SAM are migrated to the Jet-based Active Directory, and a new registry-based SAM is created that contains the "offline" administrator account (and the other built-in accounts needed to recover a Windows 2000 domain controller). Accounts in this registry-based SAM are usable only in Directory Services Restore mode, which is entered by pressing F8 early in the boot process. The registry-based SAM is stored in the %SYSTEMROOT%\SYSTEM32\CONFIG folder.
For new Windows 2000 domains, the Active Directory database is built and populated with a default set of users and groups. The same Windows NT 4.0-style registry-based SAM that is created in the Windows NT upgrade scenario is created in the %SYSTEMROOT%\SYSTEM32\CONFIG folder.
Securing the Offline SAM
The methods of protecting the offline SAM are identical to the methods used in Windows NT 4.0. Administrators looking to secure the offline SAM may consider the following:
Maintain a different password for the administrator account in Active Directory and the administrator account in the offline SAM. As a matter of policy, the password for the Active Directory administrator account should be different from the password for the offline administrator account.
If the two passwords were set to the same value, they diverge at the first password change of the Active Directory administrator account, because that change does not touch the offline SAM.
Evaluate the risk, and then develop a password-changing policy for critical accounts like the offline and Active Directory-based administrator account using strong password guidelines.
The offline SAM is not accessible programmatically while a Windows 2000 domain controller is running in Active Directory mode. To implement a password change policy for the offline administrator account:
1. Start the Windows 2000 domain controller in Directory Services Restore mode.
2. Change the password for the account or accounts.
3. Restart in Active Directory mode.
Because the offline SAM can be changed only in Directory Services Restore mode, the time the server runs between such restarts is, in effect, the password change interval for the offline administrator account. If the server is never restarted in that mode, the password is never changed.
Enable object-access auditing and add an audit entry for the SAM file in the %WINDIR%\SYSTEM32\CONFIG folder. Any access other than a system backup or virus scan should be investigated.
NOTE: Do not follow the steps outlined in the following articles in the Microsoft Knowledge Base:
   184017  Administrators Can Display Contents of Service Account Passwords
   143475  Windows NT System Key Permits Strong Encryption of the SAM
Physical security for computers, emergency repair disks and tape backup media is a critical component in creating any secure environment.
Administrators may experience more loss of service from being unable to produce the password for the offline administrator account than from attacks against the offline SAM. Define an internal process for storing and retrieving offline administrator passwords that does not compromise security but makes the passwords available for system maintenance and recovery. Consider that servers are typically rebuilt during off-peak hours, months or even years after the original installation of the operating system.
You can change the password in the offline SAM remotely by using Terminal Services in remote administration mode and toggling the Boot.ini switch that selects between starting the computer in Directory Services Restore mode and in Active Directory mode. Both restarts are unattended, so make sure the entry that the boot loader will start by default is the one you edited.
SETPWD.exe, which is included in Windows 2000 Service Pack 2, and the "Set DSRM Password" command in the Windows .NET Server version of NTDSUTIL.exe allow administrators to change the DS Restore Mode administrator password on a domain controller while the directory service is online.
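As an added illustration (not part of the original article) of the Boot.ini toggle used in the remote procedure above and in the three-step change procedure earlier, this is a constructed Boot.ini for a single-installation domain controller with the switch applied. The ARC path multi(0)disk(0)rdisk(0)partition(1) and the \WINNT folder are assumptions; use the values already present in your own Boot.ini. The switch /safeboot:dsrepair is the documented Boot.ini switch that starts a Windows 2000 domain controller in Directory Services Restore mode.

```ini
[boot loader]
timeout=5
default=multi(0)disk(0)rdisk(0)partition(1)\WINNT
[operating systems]
multi(0)disk(0)rdisk(0)partition(1)\WINNT="Microsoft Windows 2000 Server" /fastdetect /safeboot:dsrepair
```

Boot.ini carries the read-only, hidden and system attributes, so clear them first with attrib -r -s -h c:\boot.ini, then add the switch to the entry named by default= and restart. After changing the offline administrator password in Directory Services Restore mode, remove /safeboot:dsrepair from the same entry and restart again; if the switch is left in place, every subsequent restart will land in Directory Services Restore mode, where Active Directory is not started and domain logons fail.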
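The following is an added, constructed transcript (not from the original article) of the NTDSUTIL.exe "Set DSRM Password" session referred to above, run from a command prompt on the domain controller while the directory service is online. The argument null to "reset password on server" selects the local domain controller; the password values are typed at the prompts and are not echoed.

```batch
C:\>ntdsutil
ntdsutil: set dsrm password
Reset DSRM Administrator Password: reset password on server null
Please type password for DS Restore Mode Administrator Account: ********
Please confirm new password: ********
Password has been set successfully.

Reset DSRM Administrator Password: quit
ntdsutil: quit
```

Because this changes the offline SAM without a restart, the uptime-based change interval described earlier no longer applies on servers that have this tool; record the new password in the retrieval process defined above before closing the session.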