Jorge's Quest For Knowledge!

All You Need To Know About Identity And Security On-Premises And In The Cloud. It's Just Like An Addiction, The More You Have, The More You Want To Have!

(2010-06-13) Logging On With The DSRM Administrator Account

Posted by Jorge on 2010-06-13


In all Windows versions until now, every DC has two account stores. The first is of course Active Directory, a distributed account store replicated across all DCs and stored locally in the NTDS.DIT file. The second is the local Security Accounts Manager (SAM), which every DC also has but which is not replicated to other DCs. Hence the word ‘local’.

In W2K and W2K3, AD was only accessible when the DC was started in normal mode, and in that mode you could only log on with domain accounts, assuming the directory service was up-and-running and available locally. On the same OSes, the SAM was only accessible when the DC was started in Directory Services Restore Mode, a.k.a. DSRM, and in that mode you could only log on with local accounts stored in that SAM (in practice: the DSRM Administrator account).

With W2K8(R2) a few things changed compared to what is said above. It is still true with regards to the number of account stores and whether they are local or distributed. What really changed is which accounts can be used to log on to a DC, when, and under what conditions.

In both W2K8 and W2K8R2 (and most likely later versions) the following is true by default:

  • In Directory Services Restore Mode
    • Ability to log on with the DSRM Administrator Account [1]
    • Ability to log on with a domain account assuming another DC is available and that domain account has the ‘Allow Logon Locally’ user right
  • In Normal Mode
    • Not possible to log on with the DSRM Administrator Account [1]
    • Ability to log on with a domain account assuming the directory service is up-and-running and available locally and that domain account has the ‘Allow Logon Locally’ user right
    • Ability to still log on with a domain account when the directory service is not up-and-running and not available locally (in other words: stopped) and assuming another DC is available and that domain account has the ‘Allow Logon Locally’ user right

[1] This behavior can be changed to the following:

  • DSRM Administrator Account can only log on when in Directory Services Restore Mode (DSRM) (DEFAULT BEHAVIOR)
  • DSRM Administrator Account can log on when in Directory Services Restore Mode (DSRM) and when the Directory Service is not up-and-running and not available locally (in other words: stopped)
  • DSRM Administrator Account can log on anytime

To achieve one of the three behaviors mentioned above, configure the registry as follows:

  • DSRM Administrator Account can only log on when in Directory Services Restore Mode (DSRM) (DEFAULT BEHAVIOR)
    • Registry Path: HKLM\System\CurrentControlSet\Control\Lsa
    • Data Name: DsrmAdminLogonBehavior
    • Data Type: REG_DWORD
    • Data Value: 0
    • Scripted Configuration: REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehavior /t REG_DWORD /d 0 /F
  • DSRM Administrator Account can log on when in Directory Services Restore Mode (DSRM) and when the Directory Service is not up-and-running and not available locally (in other words: stopped)
    • Registry Path: HKLM\System\CurrentControlSet\Control\Lsa
    • Data Name: DsrmAdminLogonBehavior
    • Data Type: REG_DWORD
    • Data Value: 1
    • Scripted Configuration: REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehavior /t REG_DWORD /d 1 /F
  • DSRM Administrator Account can log on anytime
    • Registry Path: HKLM\System\CurrentControlSet\Control\Lsa
    • Data Name: DsrmAdminLogonBehavior
    • Data Type: REG_DWORD
    • Data Value: 2
    • Scripted Configuration: REG ADD "HKLM\System\CurrentControlSet\Control\Lsa" /v DsrmAdminLogonBehavior /t REG_DWORD /d 2 /F

This is available for both W2K8(R2) RWDCs and RODCs. Keep in mind that values 1 and 2 widen the conditions under which the DSRM Administrator account can authenticate, value 2 even while the directory service is running normally. Treat any non-default value as something to audit on every DC, not as a convenience setting, and remember that the DSRM password is set per DC and is not covered by the domain password policy.
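Since the REG ADD one-liners above only write the value, here is an added PowerShell example (not code from the original post) that reads, sets and audits the same DsrmAdminLogonBehavior value. It assumes it runs with administrative rights, treats an absent registry value as the default (0), and for the domain-wide report assumes the ActiveDirectory (RSAT) module and WinRM are available; the function names are my own.

```powershell
# Added example: audit and configure HKLM\System\CurrentControlSet\Control\Lsa\DsrmAdminLogonBehavior
# Assumptions: run as admin on the DC (or with WinRM to the DCs); an absent value is treated as 0.

$script:DsrmRegPath  = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$script:DsrmRegValue = 'DsrmAdminLogonBehavior'

# The three documented values from the post above.
$script:DsrmBehaviors = @{
    0 = 'DSRM Administrator can log on only in DSRM (default)'
    1 = 'DSRM Administrator can log on in DSRM or when the directory service is stopped'
    2 = 'DSRM Administrator can log on anytime'
}

function ConvertTo-DsrmBehaviorRecord {
    # Turns a raw (ComputerName, Value) pair into a report row with a readable meaning.
    param([string]$ComputerName, [int]$Value)
    [pscustomobject]@{
        ComputerName = $ComputerName
        Value        = $Value
        Meaning      = if ($script:DsrmBehaviors.ContainsKey($Value)) { $script:DsrmBehaviors[$Value] }
                       else { 'Undocumented value' }
        IsDefault    = ($Value -eq 0)
    }
}

function Get-DsrmAdminLogonBehavior {
    # Reads the value on the local machine. Get-ItemProperty throws if the value does not exist,
    # so a missing value is mapped to 0 (assumption: absent = default behavior).
    [CmdletBinding()]
    param()
    $item  = Get-ItemProperty -Path $script:DsrmRegPath -Name $script:DsrmRegValue -ErrorAction SilentlyContinue
    $value = if ($null -eq $item) { 0 } else { [int]$item.$script:DsrmRegValue }
    ConvertTo-DsrmBehaviorRecord -ComputerName $env:COMPUTERNAME -Value $value
}

function Set-DsrmAdminLogonBehavior {
    # Equivalent of REG ADD ... /t REG_DWORD /d <n> /F, with -WhatIf/-Confirm support.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet(0, 1, 2)][int]$Value
    )
    $target = "$script:DsrmRegPath\$script:DsrmRegValue"
    if ($PSCmdlet.ShouldProcess($target, "Set to $Value")) {
        # -Force creates the value if missing or overwrites it if present.
        New-ItemProperty -Path $script:DsrmRegPath -Name $script:DsrmRegValue `
                         -PropertyType DWord -Value $Value -Force | Out-Null
    }
    Get-DsrmAdminLogonBehavior
}

function Get-DsrmAdminLogonBehaviorReport {
    # Collects the value from every DC (or the given list) over WinRM.
    # The remote script block is self-contained because script-scope variables do not travel with it.
    [CmdletBinding()]
    param([string[]]$ComputerName)

    if (-not $ComputerName) {
        # Get-ADDomainController is from the ActiveDirectory module (RSAT); -Filter * returns all DCs.
        $ComputerName = (Get-ADDomainController -Filter *).HostName
    }

    $remote = {
        $item = Get-ItemProperty -Path 'HKLM:\System\CurrentControlSet\Control\Lsa' `
                                 -Name 'DsrmAdminLogonBehavior' -ErrorAction SilentlyContinue
        [pscustomobject]@{
            ComputerName = $env:COMPUTERNAME
            Value        = if ($null -eq $item) { 0 } else { [int]$item.DsrmAdminLogonBehavior }
        }
    }

    Invoke-Command -ComputerName $ComputerName -ScriptBlock $remote -ErrorAction Continue |
        ForEach-Object { ConvertTo-DsrmBehaviorRecord -ComputerName $_.ComputerName -Value $_.Value }
}

# Usage:
#   Get-DsrmAdminLogonBehavior                                             # this DC
#   Get-DsrmAdminLogonBehaviorReport | Where-Object { -not $_.IsDefault }  # DCs deviating from default
#   Set-DsrmAdminLogonBehavior -Value 0 -WhatIf                            # preview resetting to default
```

The report deliberately flags anything other than 0: on a fleet of DCs the interesting output is the short list of machines where somebody changed this, and that list is what you want to compare against your change records.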

Cheers,
Jorge
———————————————————————————————
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always evaluate/test yourself before using/implementing this!
* DISCLAIMER:
https://jorgequestforknowledge.wordpress.com/disclaimer/
———————————————————————————————
############### Jorge’s Quest For Knowledge #############
#########
http://JorgeQuestForKnowledge.wordpress.com/ ########
———————————————————————————————

4 Responses to “(2010-06-13) Logging On With The DSRM Administrator Account”

  1. Great article!

    But what about protecting the local SAM? I.e. protecting it from tools included in Hiren’s boot CD (Active Password Changer, for example).
    Yes, the short answer is “physically protected room”, but what if the client doesn’t have one?

    Regards,
    Petar

  2. Jorge said

    Anyone having physical access to a DC can compromise that DC, including the complete AD forest!!! Remember, the security boundary is the AD forest! With regards to physical access, you do not only need to protect the local SAM, but also the NTDS.DIT file, which stores all the info of the AD domain the DC is in, including the passwords of ALL accounts in that AD domain. This assumes we are talking about an RWDC. When talking about an RODC, the risk is smaller because fewer passwords are assumed to be stored on the RODC (unless you have allowed all accounts to be cached, which is not recommended).
    A protection against physical access is the use of disk encryption, such as BitLocker.
    Cheers,
    Jorge

  3. tomek said

    @iPath … the answer is … use encryption like BitLocker. Of course, to protect against such a scenario, in which someone has physical access to the device, it will have to be BL with a PIN at least, which might be a bit of a pain to manage (reboots etc.), but if you look for a solution, this is one.

  4. […] a previous post I explained which type of accounts can be used to log on to a DC. For W2K8(R2) RWDCs/RODCs you can […]
