Need help with lost passwords?

The bane of an IT professional's life is when administrator passwords are lost, stolen, or simply forgotten.

For the unprepared, losing an admin password can cause extensive disruption to workflow and even business processes -- not to mention the fact that it could be a potentially serious security problem. With that in mind, I'm going to explain the various approaches that can be taken when faced with this problem.


Words of warning
The methods described below are to be carried out at the administrator's risk. The products described below will often work on both Windows NT and Windows 2000, but you should read the product documentation to make sure the product will work in your environment.

Preventative maintenance
First, if you have not instituted the following basic policies for administrator password protection, then you should do so as soon as possible.

1. The administrator account should be renamed to something obscure.
2. No one in the IT department should be using the administrator account to carry out systems maintenance. This includes any scheduled tasks, which should run under an account with appropriate privileges.
3. Change the current administrator password and write the new one down without telling anyone what it is (if using Windows 2000, you may have a different password for Directory Services Restoration, which also needs to be kept safe); make a second hard copy; seal each in a separate envelope; and ask your boss to put one in the company safe and the other in an offsite safe.
4. Give requisite (granular) administrator privileges to any IT professional user account that needs them. Verify that group memberships are appropriate and don't conflict.
5. Forget about the administrator account until you have a real need for it, and if you can't remember the password, then you know where to find it (based on step three).
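
The checks below are an added example, not part of the original article or any vendor's tooling: a PowerShell audit of one host against steps 1, 2 and 4. It assumes a current Windows release (Windows 10 / Server 2016 or later) rather than the Windows NT and 2000 systems discussed here, an elevated PowerShell 5.1+ session, and a machine that is not a domain controller; the 30-day logon window is an arbitrary threshold chosen for illustration.

```powershell
# Added example (not from the article): audit steps 1, 2 and 4 on one host.
# Assumes Windows 10 / Server 2016 or later, elevated PowerShell 5.1+, not a domain controller.

$findings = [System.Collections.Generic.List[string]]::new()

# Step 1: the built-in administrator keeps a SID ending in -500 whatever it is called.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -match '^S-1-5-21-.+-500$' }
if ($builtin.Name -eq 'Administrator') {
    $findings.Add('Step 1: built-in administrator still has its default name')
}

# Step 2: the account should sit unused; a recent logon means someone works with it.
# The 30-day window is an assumed threshold, adjust it to local policy.
if ($builtin.LastLogon -and $builtin.LastLogon -gt (Get-Date).AddDays(-30)) {
    $findings.Add("Step 2: '$($builtin.Name)' last logged on $($builtin.LastLogon)")
}

# Step 2: scheduled tasks must not run as that account. Matching on the bare
# user name can also hit a same-named domain account, so review each result.
Get-ScheduledTask |
    Where-Object { $_.Principal.UserId -and ($_.Principal.UserId -split '\\')[-1] -eq $builtin.Name } |
    ForEach-Object { $findings.Add("Step 2: task '$($_.TaskPath)$($_.TaskName)' runs as $($_.Principal.UserId)") }

# Services are unattended jobs too; StartName holds the logon account (e.g. '.\name').
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartName -and ($_.StartName -split '\\')[-1] -eq $builtin.Name } |
    ForEach-Object { $findings.Add("Step 2: service '$($_.Name)' runs as $($_.StartName)") }

# Step 4: list who holds full local admin rights (well-known SID S-1-5-32-544)
# so that memberships can be checked against what each person actually needs.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.SID.Value -ne $builtin.SID.Value } |
    ForEach-Object { $findings.Add("Step 4: review membership of $($_.Name) ($($_.ObjectClass))") }

$findings
```

An empty result means none of the checks fired; each line otherwise names the step it relates to.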

There are essentially two approaches to recovering passwords: cracking by brute force and resetting passwords. Various tools exist for both approaches. The brute force approach involves a dictionary attack against the security database. Resetting involves accessing a utility used to change passwords (e.g., User Manager in Windows) and resetting the administrator password to a known value.

Brute force
The best-known method for this approach is to use a program such as L0phtCrack. To use such a program, you first need to obtain a working copy of the SAM database, and to get this you need to use a boot disk of some flavour, possibly NTFSDOS from Winternals. Or, if you use a Linux disk, it must have NTFS file system drivers on it so that you can read and access any NTFS partitions. Once you've obtained the copy of the SAM database (usually at c:\winnt\system32), you can load it into the L0phtCrack application, which will grind away at password combinations until it gets a match.

The main attraction with this application is that it does not modify passwords and by extension does not modify the SAM database in any way, especially if you do the password cracking on a separate machine to the one you're trying to log on to.

The L0phtCrack application is currently at version 4 and is called LC4. L0phtCrack claims that within 48 hours, a Pentium II 300-MHz machine can crack 90 percent of passwords. The application can also help an administrator verify password complexity by offering password-auditing options.

Resetting
If you're going to go to the trouble of getting to the SAM for a brute force attack, you may want to consider just resetting the admin password you've lost. It will probably be a lot quicker. Resetting a password actually changes the security database by resetting the password hashes for a given account. This may or may not be acceptable, depending on the security policies in force in a particular organisation.
