T 5.79 Unauthorised acquisition of administrator rights under Windows systems

A local administrator account is created in every standard installation of a Windows NT-based system, on the client versions as well as on the server versions. In contrast to accounts created by users, this predefined local administrator account can be neither deleted nor locked out in Windows NT and Windows 2000. This is intended to prevent the administrator from being locked out deliberately or accidentally, which would make administration impossible. The problem is that the predefined administrator account is not locked even when the number of invalid password attempts specified in the account lockout policy is exceeded. Without corresponding countermeasures, this permits an attacker to try any number of passwords against this account, for instance over the network, using special programs. Only in Windows XP and Windows Server 2003 and higher can the predefined administrator account be deactivated. In the client versions Windows Vista and higher, this account is deactivated by default in a standard installation. It still cannot be deleted, however, and it keeps its well-known relative identifier (RID 500), so that renaming it alone does not hide it from an attacker.
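The following PowerShell script is an added example and not part of the original catalogue text. It locates the predefined administrator account by its RID 500 (so a renamed account is still found), reports whether it is enabled, shows the configured lockout threshold, and, when asked to, disables the predefined account only if another enabled local administrator exists, so that the machine is not left without a usable administrator. It assumes the Microsoft.PowerShell.LocalAccounts cmdlets (Windows 10 / Windows Server 2016 and later), an elevated prompt, and English-language output from net accounts.

```powershell
# Added example (not from the BSI catalogue): audit the predefined local
# administrator account. Run from an elevated PowerShell prompt.
# Assumes Windows 10 / Server 2016+ (Get-LocalUser, Get-LocalGroupMember)
# and English output from "net accounts".
param([switch]$Disable)

# The built-in Administrator always has RID 500, whatever its current name.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $builtin) { throw 'No RID-500 account found (unexpected on a local SAM).' }

"Predefined administrator  : {0} (enabled: {1}, last logon: {2}, password set: {3})" -f `
    $builtin.Name, $builtin.Enabled, $builtin.LastLogon, $builtin.PasswordLastSet

# Account lockout policy. "Never" means unlimited password guessing for every
# account; the RID-500 account is never locked out by this policy anyway.
$threshold = (net accounts | Select-String 'Lockout threshold').ToString().Split(':')[-1].Trim()
"Lockout threshold         : $threshold"

# Other enabled local users in BUILTIN\Administrators (S-1-5-32-544) apart from
# the RID-500 account. Domain members of the group are ignored here on purpose:
# they are unusable when the domain is unreachable.
$others = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.ObjectClass -eq 'User' -and $_.SID.Value -ne $builtin.SID.Value } |
    ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
    Where-Object { $_.Enabled }
if ($others) { "Other enabled local admins: {0}" -f ($others.Name -join ', ') }
else         { "Other enabled local admins: (none)" }

if ($Disable -and $builtin.Enabled) {
    if (-not $others) { throw 'Refusing to disable: no other enabled local administrator.' }
    Disable-LocalUser -SID $builtin.SID
    "Disabled {0}" -f $builtin.Name
}
```

Run without parameters to report only; run with -Disable to deactivate the predefined account. On Windows NT and Windows 2000, where the account cannot be disabled, the remaining measures are a long password, an account lockout threshold for all other accounts, and restricting network access to the account.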

There are other ways of obtaining the password of an administrator account in order to acquire administrator privileges. For example, if a Windows NT-based computer is administered remotely, there is a risk that the login password entered during authentication will be transmitted in plain text (depending on the authentication procedure used) and that an attacker eavesdropping on the network will record the password. IPsec has been included in standard installations since Windows 2000, and Windows Vista and Server 2008 provide it as well, but the encryption still must be configured and activated. Even if the system has been configured so that login passwords are never transmitted in plain text, an attacker can still record the authentication exchange (with NTLM, the challenge and the response derived from the password) and recover the password from it offline with the help of appropriate cracking software. This applies to Windows NT in particular, where the older LM and NTLM (NTLMv1) procedures are used. The default procedure in Windows 2000 and later Windows versions operated in a domain is Kerberos, which provides more robust protection against such attacks; NTLM nevertheless remains in use as a fallback, for example towards computers that are not domain members.
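As an added example (not from the catalogue), the following PowerShell script checks the LSA registry settings that decide which of the LM, NTLM and NTLMv2 responses a system sends and accepts, and optionally sets the hardened values. The value names are the documented ones; what is assumed is that the caller knows the legacy clients and services in the environment, because the hardened values refuse LM and NTLMv1 from them and, in the strictest setting, block outgoing NTLM altogether.

```powershell
# Added example (not from the BSI catalogue): audit and optionally harden the
# LM/NTLM authentication settings of the local machine. Run elevated.
# In a domain, set the same values via Group Policy
# (Computer Configuration > Windows Settings > Security Settings >
#  Local Policies > Security Options > "Network security: ...").
param([switch]$Fix)

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$msv = "$lsa\MSV1_0"

# Target values and their meaning. An absent value means the OS default applies,
# which on older versions (e.g. Windows XP: LmCompatibilityLevel 0, i.e. LM and
# NTLM responses are sent) is weaker than the target.
$checks = @(
    @{ Path = $lsa; Name = 'LmCompatibilityLevel';       Want = 5; Note = '5 = send NTLMv2 only; refuse LM and NTLMv1' }
    @{ Path = $lsa; Name = 'NoLMHash';                   Want = 1; Note = '1 = do not store the weak LM hash' }
    @{ Path = $msv; Name = 'RestrictSendingNTLMTraffic'; Want = 2; Note = '2 = deny all outgoing NTLM (use 1 = audit first)' }
)

$results = foreach ($c in $checks) {
    $actual = (Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    [pscustomobject]@{
        Setting = $c.Name
        Actual  = if ($null -eq $actual) { '(not set, OS default)' } else { $actual }
        Target  = $c.Want
        OK      = ($actual -eq $c.Want)
        Meaning = $c.Note
    }
}
$results | Format-Table -AutoSize

if ($Fix) {
    $bad = $results | Where-Object { -not $_.OK } | Select-Object -ExpandProperty Setting
    foreach ($c in $checks | Where-Object { $bad -contains $_.Name }) {
        if (-not (Test-Path $c.Path)) { New-Item -Path $c.Path -Force | Out-Null }
        Set-ItemProperty -Path $c.Path -Name $c.Name -Value $c.Want -Type DWord
        "Set {0}\{1} = {2}" -f $c.Path, $c.Name, $c.Want
    }
    'Changes apply to new logons; a reboot is recommended. NoLMHash only affects passwords changed afterwards.'
}
```

Audit first: set RestrictSendingNTLMTraffic to 1 and review the NTLM events it produces before denying NTLM, otherwise legitimate connections to non-domain hosts stop working.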

Furthermore, on a Windows XP or Windows Server 2003 system the hashes of all local account passwords are stored in the SAM hive of the registry (protected by the system key) and in a copy of this hive in the %Systemroot%\System32\Repair or %Systemroot%\Repair directory, on emergency repair disks and possibly on tape backups. If an attacker is able to obtain this file, he can try to recover the required password from the hashes offline with the help of appropriate cracking software; the copy of the SYSTEM hive, which holds the system key, is usually stored alongside it. Windows Vista and Server 2008 and higher no longer have a Repair directory.
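The following PowerShell script is an added example, not part of the catalogue. It looks for copies of the SAM, SYSTEM and SECURITY hives in the two Repair directories named above and reports every access control entry that would let a principal other than SYSTEM or the Administrators group read them. The file names checked (plain and the compressed "._" form written by the NT emergency repair tool) are assumptions covering the Windows NT through Server 2003 layouts.

```powershell
# Added example (not from the BSI catalogue): look for copies of the registry
# hives in the Repair directories and report who can read them. Only
# Administrators and SYSTEM should have access. Run elevated.
$dirs    = @("$env:SystemRoot\Repair", "$env:SystemRoot\System32\Repair")
$names   = @('sam', 'sam._', 'system', 'system._', 'security', 'security._')
$trusted = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators')

$found = foreach ($d in $dirs) {
    foreach ($n in $names) {
        $p = Join-Path $d $n
        if (Test-Path -LiteralPath $p) { Get-Item -LiteralPath $p }
    }
}
if (-not $found) {
    'No hive copies in the Repair directories (expected on Vista/Server 2008 and later).'
    return
}

foreach ($f in $found) {
    "{0}  ({1} bytes, modified {2})" -f $f.FullName, $f.Length, $f.LastWriteTime
    $acl = Get-Acl -LiteralPath $f.FullName
    # Any allow ACE for a principal outside SYSTEM/Administrators that grants
    # read access lets an ordinary user copy the hive for offline cracking.
    $acl.Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $trusted -notcontains $_.IdentityReference.Value -and
            ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::ReadData)
        } |
        ForEach-Object { "   WARNING: {0} has {1}" -f $_.IdentityReference, $_.FileSystemRights }
}
```

The same check applies to any backup medium or image that contains the SAM and SYSTEM hives: whoever can read both can attack every local password offline, independently of the lockout policy.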

Furthermore, an attacker who is logged on locally to a Windows NT-based computer may be able, with the help of special malware that exploits a local vulnerability or misconfiguration, to add an arbitrary user account to the Administrators group and thereby grant administrator rights to the owner of that account.
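Both the recorded NTLM logons described above and additions to the local Administrators group leave traces in the Security log. The following PowerShell script is an added example (not from the catalogue) that scans the log for remote logons authenticated with NTLM rather than Kerberos (event 4624) and for members added to BUILTIN\Administrators (event 4732). It assumes the event IDs and field names of Windows Vista / Server 2008 and later (the pre-Vista IDs 528/540 and 636 differ), an elevated prompt, and that success auditing for "Logon" and "Security Group Management" is enabled.

```powershell
# Added example (not from the BSI catalogue): scan the Security log for
# (a) network or RDP logons that used NTLM instead of Kerberos, and
# (b) additions to the local Administrators group. Run elevated; needs the
# audit subcategories "Logon" and "Security Group Management" (success).
param([int]$Days = 7)

function Get-EventField {
    # Pull one named EventData field out of an event's XML representation.
    param([System.Diagnostics.Eventing.Reader.EventRecord]$Event, [string]$Name)
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

$filter = @{ LogName = 'Security'; Id = 4624, 4732; StartTime = (Get-Date).AddDays(-$Days) }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

foreach ($e in $events) {
    switch ($e.Id) {
        4624 {
            # Logon types 3 (network) and 10 (RemoteInteractive/RDP) are the remote cases.
            $type = Get-EventField $e 'LogonType'
            $pkg  = Get-EventField $e 'AuthenticationPackageName'
            $user = Get-EventField $e 'TargetUserName'
            if (($type -in @('3', '10')) -and ($pkg -eq 'NTLM') -and ($user -ne 'ANONYMOUS LOGON')) {
                # LmPackageName tells LM / NTLM V1 / NTLM V2 apart; V1 and LM are crackable offline.
                "{0} NTLM logon  user={1}\{2} from={3} type={4} variant={5}" -f $e.TimeCreated,
                    (Get-EventField $e 'TargetDomainName'), $user,
                    (Get-EventField $e 'IpAddress'), $type, (Get-EventField $e 'LmPackageName')
            }
        }
        4732 {
            # S-1-5-32-544 is BUILTIN\Administrators.
            if ((Get-EventField $e 'TargetSid') -eq 'S-1-5-32-544') {
                "{0} ADMIN ADD   by={1}\{2} member={3}" -f $e.TimeCreated,
                    (Get-EventField $e 'SubjectDomainName'), (Get-EventField $e 'SubjectUserName'),
                    (Get-EventField $e 'MemberSid')
            }
        }
    }
}
```

The 4732 event records the account that performed the addition; a SubjectUserName that is not one of the known administrators, or an addition outside a change window, is the indicator for the attack described in the preceding paragraph.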

Other examples of attacks to obtain administration privileges without authorisation include the following: