NT Gatekeeper: Finding Out Where NT Stores a Machine Account’s Credentials

In a recent discussion about Windows NT machine accounts and their credentials, someone asked me where the NT OS stores machine passwords. Can you tell me where NT stores machine credentials and how to view them?

NT stores the machine account password in a machine's Local Security Authority (LSA) database. Physically, the LSA database is a secured part of the system registry. The LSA is a protected OS kernel subsystem that plays a crucial role in authenticating and authorizing security principals. The LSA also enforces a machine's local security policy, including its auditing policy, memory quotas, and user logon rights and privileges. The LSA database contains all local system security information, including LSA secrets (i.e., LSA private data objects). NT stores the machine account's password as an LSA secret.

Three special types of LSA secrets are local, global, and machine secrets. You can read local secrets only on the machine that stores them. Only the OS can read machine secrets. Global LSA secrets are, indeed, global. When NT's security subsystem creates global secrets on domain controllers (DCs), the LSA automatically replicates them between all DCs in the domain.

Microsoft uses special naming conventions for these three types of secrets. A local secret name begins with an L$, a machine secret name with an M$ or an NL$, and a global secret name with a G$.

The machine account's password doesn't belong to any of the special categories listed above. The password isn't replicated between DCs, and you can access it locally or remotely. The machine account's password, $Machine.ACC, also doesn't follow the special types' naming conventions.

To look at the LSA secrets stored on an NT machine, you can use regedt32.exe or the lsadump2.exe command-line tool. Either method will reveal the LSA secrets' names and content in an encrypted format. Remember that LSA secrets are critical NT system data. After you obtain a listing, handle the listing with care and don't distribute it freely.

To use the registry editor to look at the LSA secrets, you must first change the permissions on the registry Security subkey and all its subkeys so that your account has full control access. The Security key is in the HKEY_LOCAL_MACHINE registry hive. Note that you should never change these permissions on a production system—always use a test system. Changing the permissions reveals a new list of registry subkeys, as Figure 2 shows. You can find the entry for the machine account ($MACHINE.ACC) in the HKEY_LOCAL_MACHINE\SECURITY\Policy registry subkey.
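Because the walkthrough above works by loosening the ACL on HKEY_LOCAL_MACHINE\SECURITY, a defender wants a quick way to confirm that a system's SECURITY key still has its default permissions. The following Python check is an added example, not part of the original column: it parses the key's security descriptor in SDDL form (as exported by any tool that can emit a registry key's descriptor as SDDL) and flags every allow ACE that grants full control to a trustee other than SYSTEM. The assumed default DACL (SYSTEM full control; Administrators only Read Control plus Write DAC) and both sample descriptors are constructed for the example.

```python
import re

# Assumed default DACL of HKLM\SECURITY: only SYSTEM holds full control;
# Administrators get Read Control (RC) plus Write DAC (WD). The regedt32
# walkthrough widens that to full control, which is what this check flags.
EXPECTED_FULL_CONTROL = {"SY"}          # SDDL alias for NT AUTHORITY\SYSTEM
KEY_ALL_ACCESS = 0xF003F                # full-control access mask for registry keys

# Subset of well-known SDDL aliases, only to make findings readable.
WELL_KNOWN = {"SY": r"NT AUTHORITY\SYSTEM", "BA": r"BUILTIN\Administrators",
              "BU": r"BUILTIN\Users", "WD": "Everyone", "AU": "Authenticated Users"}

ACE_RE = re.compile(r"\(([^)]*)\)")


def parse_dacl(sddl):
    """Return (type, flags, rights, trustee) tuples from the D: section of an SDDL string."""
    m = re.search(r"D:[A-Z]*((?:\([^)]*\))+)", sddl)
    if not m:
        return []
    aces = []
    for body in ACE_RE.findall(m.group(1)):
        fields = body.split(";")
        if len(fields) < 6:
            raise ValueError("malformed ACE: " + body)
        ace_type, flags, rights, _obj, _inherit_obj, trustee = fields[:6]
        aces.append((ace_type, flags, rights, trustee))
    return aces


def is_full_control(rights):
    """True if the rights field means full control: a KA/GA token or a hex mask covering KEY_ALL_ACCESS."""
    if rights.startswith("0x"):
        return int(rights, 16) & KEY_ALL_ACCESS == KEY_ALL_ACCESS
    tokens = {rights[i:i + 2] for i in range(0, len(rights), 2)}   # rights are two-letter tokens
    return bool(tokens & {"KA", "GA"})


def find_loosened_aces(sddl):
    """List every trustee other than SYSTEM that an allow ACE grants full control to."""
    return [WELL_KNOWN.get(trustee, trustee)
            for ace_type, _flags, rights, trustee in parse_dacl(sddl)
            if ace_type == "A" and is_full_control(rights)
            and trustee not in EXPECTED_FULL_CONTROL]


# Constructed sample descriptors: the assumed default, and one after full control was granted.
DEFAULT_SDDL = "O:SYG:SYD:P(A;CI;KA;;;SY)(A;CI;RCWD;;;BA)"
TAMPERED_SDDL = ("O:SYG:SYD:P(A;CI;KA;;;SY)(A;CI;KA;;;BA)"
                 "(A;CI;0x000f003f;;;S-1-5-21-1111-2222-3333-1001)")

if __name__ == "__main__":
    for name, sddl in (("default", DEFAULT_SDDL), ("tampered", TAMPERED_SDDL)):
        print(name, find_loosened_aces(sddl) or "OK")
```

An empty result means the key's DACL still matches the assumed baseline; any listed trustee is an account that could read the secrets the column describes and should be investigated.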

Lsadump2 is a freeware tool that you can download from BindView's Razor security team download page (http://razor.bindview.com/tools/desc/lsadump2_readme.html). Lsadump2 lets you look at a machine's LSA secrets from the command prompt, as Figure 3 shows. To run Lsadump2, your account must have debug privileges on the machine. By default, this privilege is given only to Administrator accounts. Again, don't run this tool on your production systems—use a test system.
