
IT Baseline Protection Manual

T 5.79 Unauthorised acquisition of administrator rights under Windows NT

A built-in account named Administrator is created during every standard installation of Windows NT (this applies to Workstation and Server, including a server acting as domain controller). Unlike accounts created later by an administrator, this pre-defined account can neither be deleted nor disabled; this prevents administrators from being locked out intentionally or by mistake and so ensures that the system can always be administered. The drawback is that the pre-defined Administrator account is also exempt from the account lockout policy: it is not locked even when the number of failed logons exceeds the lockout threshold set in the account policy. Passwords can therefore be guessed against this account without limit using password-cracking programs, and each attempt leaves no trace other than a logon failure entry in the security log (and only if auditing of failed logons has been enabled). Renaming the account does not remove this exposure, because the account keeps its well-known relative identifier (RID 500) and can still be identified by it. The Windows NT 4.0 Resource Kit tool passprop.exe (passprop /adminlockout) can make the account subject to lockout for network logons while interactive logon remains possible, but this is not the default behaviour.
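Because the lockout policy does not protect the built-in account, detecting a guessing attack has to be done in monitoring instead. The following is an added example, not part of the BSI manual: a sliding-window detector for bursts of failed logons (event 529) against the Administrator account, which also flags a successful logon (528) from the same workstation shortly after such a burst as a probable successful guess. The log lines are constructed for the example, and their tab-separated field layout is an assumption; a real Event Viewer export carries the target account and workstation inside the event description, which would need to be parsed first.

```python
from collections import defaultdict, deque, namedtuple
from datetime import datetime, timedelta

# Constructed sample, not a real export: a simplified rendering of Windows NT 4.0
# security log entries. Event 529 is "Logon Failure: Unknown user name or bad
# password", 528 is "Successful Logon". Logon type 3 = network, 2 = interactive.
# Field order (time, event ID, target account, workstation, logon type) is an
# assumption of this example. These events only exist at all if auditing of
# failed logons is switched on (User Manager, Policies, Audit).
SAMPLE_LOG = """\
1999-07-12 08:01:03\t529\tAdministrator\tPC-ATTACK\t3
1999-07-12 08:01:04\t529\tAdministrator\tPC-ATTACK\t3
1999-07-12 08:01:05\t529\tAdministrator\tPC-ATTACK\t3
1999-07-12 08:01:06\t529\tAdministrator\tPC-ATTACK\t3
1999-07-12 08:01:07\t529\tAdministrator\tPC-ATTACK\t3
1999-07-12 08:01:08\t529\tAdministrator\tPC-ATTACK\t3
1999-07-12 08:02:10\t528\tAdministrator\tPC-ATTACK\t3
1999-07-12 08:05:00\t529\tjsmith\tWS17\t2
1999-07-12 08:05:30\t528\tjsmith\tWS17\t2
"""

LogEvent = namedtuple("LogEvent", "time event_id account workstation logon_type")


def parse_log(text):
    """Parse the tab-separated sample format into LogEvent tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, event_id, account, workstation, logon_type = line.split("\t")
        events.append(LogEvent(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                               int(event_id), account, workstation, int(logon_type)))
    return events


def detect_guessing(events, threshold=5, window=timedelta(minutes=5),
                    accounts=("Administrator",)):
    """Sliding-window count of failed logons per (account, workstation).

    This does in monitoring what the lockout policy cannot do for the built-in
    Administrator: once `threshold` failures fall inside `window`, an alert is
    raised and kept up to date. A successful logon (528) from the same
    workstation while failures are still inside the window is flagged as a
    probable successful guess. Pass accounts=None to watch every account.
    """
    recent = defaultdict(deque)   # (account, workstation) -> failure times in window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.time):
        key = (ev.account, ev.workstation)
        failures = recent[key]
        while failures and ev.time - failures[0] > window:   # age out old failures
            failures.popleft()
        if ev.event_id == 529:
            failures.append(ev.time)
            if len(failures) >= threshold and (accounts is None or ev.account in accounts):
                alert = alerts.setdefault(key, {"first": failures[0], "last": ev.time,
                                                "failures": 0, "success_after": False})
                alert["last"] = ev.time
                alert["failures"] = len(failures)
        elif ev.event_id == 528 and key in alerts and failures:
            alerts[key]["success_after"] = True
    return alerts


if __name__ == "__main__":
    for (account, workstation), a in detect_guessing(parse_log(SAMPLE_LOG)).items():
        print(f"{account} from {workstation}: {a['failures']} failures between "
              f"{a['first']:%H:%M:%S} and {a['last']:%H:%M:%S}; "
              f"successful logon afterwards: {a['success_after']}")
```

On the sample, the six failures against Administrator from PC-ATTACK raise an alert and the logon at 08:02:10 marks it as a probable successful guess; the single typo by jsmith stays below the threshold. The window and threshold should be tuned to the lockout values used for ordinary accounts so that the built-in account is watched at least as closely as they are.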

There are also other ways of obtaining the password of an administrator account in order to gain administrator rights. If a Windows NT computer is administered remotely, the data used to authenticate the administrator travel over the network during logon, and an intruder attached to that network can record them with a sniffer. Windows NT's own authentication (the LM/NTLM challenge-response) does not transmit the password itself but a response computed from the password hash; the recorded challenge and response nevertheless allow the password to be recovered afterwards, offline and unnoticed, by trying candidate passwords with suitable software, and other remote administration tools may send the password in clear text outright. Even a system configured so that passwords are never sent in clear text is therefore exposed: the encrypted exchange is recorded and broken later.

Furthermore, every password is stored, not in clear text but as one-way hashes (the LM hash and the NT hash), in the Security Accounts Manager (SAM) database in the registry, in a compressed copy of that database in the directory %SystemRoot%\Repair (written by rdisk /s), as well as on Emergency Repair Disks and on tape backups. Intruders who obtain a copy of this file can extract the hashes and recover the passwords with suitable software. The hashes are unsalted, so one pass over a dictionary tests every account at once, and the LM hash in particular is weak (the password is converted to upper case and split into two independent 7-character halves), which makes dictionary and brute-force attacks fast. From Service Pack 3 on, the hashes in the SAM can additionally be encrypted with a system key (SYSKEY), but copies of the SAM made before SYSKEY was enabled, on repair disks or backups, remain unprotected.
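The "appropriate software" mentioned in the two preceding paragraphs is, at its core, an offline dictionary attack on the stored or captured hash. The following is an added example, not code from the BSI manual: it computes the NT hash (MD4 over the UTF-16LE password) and runs a small wordlist against a constructed hash dump. MD4 is implemented inline because hashlib's md4 is frequently unavailable with OpenSSL 3. The colon-separated dump layout (user:RID:LMhash:NThash:::) follows the format used by common SAM dump tools and the entries are constructed for the example; the LM hash needs DES and is not implemented here, but it would be attacked the same way and far more cheaply.

```python
import struct


def _rotl(x, n):
    """32-bit left rotation; the input is masked first because callers pass unmasked sums."""
    x &= 0xFFFFFFFF
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data):
    """MD4 per RFC 1320; returns the 16-byte digest."""
    F = lambda x, y, z: (x & y) | (~x & z)
    G = lambda x, y, z: (x & y) | (x & z) | (y & z)
    H = lambda x, y, z: x ^ y ^ z
    bit_len = len(data) * 8
    data += b"\x80"                                        # padding: 1 bit, zeros, 64-bit LE length
    data += b"\x00" * ((56 - len(data) % 64) % 64)
    data += struct.pack("<Q", bit_len)
    A, B, C, D = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    r3_order = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)
    for off in range(0, len(data), 64):
        X = struct.unpack("<16I", data[off:off + 64])
        a, b, c, d = A, B, C, D
        for i in range(16):                                # round 1
            s = (3, 7, 11, 19)[i % 4]
            a, b, c, d = d, _rotl(a + F(b, c, d) + X[i], s), b, c
        for i in range(16):                                # round 2
            k = (i % 4) * 4 + i // 4                       # 0,4,8,12,1,5,9,13,...
            s = (3, 5, 9, 13)[i % 4]
            a, b, c, d = d, _rotl(a + G(b, c, d) + X[k] + 0x5A827999, s), b, c
        for i in range(16):                                # round 3
            s = (3, 9, 11, 15)[i % 4]
            a, b, c, d = d, _rotl(a + H(b, c, d) + X[r3_order[i]] + 0x6ED9EBA1, s), b, c
        A, B, C, D = ((A + a) & 0xFFFFFFFF, (B + b) & 0xFFFFFFFF,
                      (C + c) & 0xFFFFFFFF, (D + d) & 0xFFFFFFFF)
    return struct.pack("<4I", A, B, C, D)


def nt_hash(password):
    """Windows NT hash: MD4 over the password as UTF-16LE, unsalted, case preserved."""
    return md4(password.encode("utf-16-le")).hex().upper()


# Constructed sample dump, not from a real system. Layout user:RID:LMhash:NThash:::
# follows common SAM dump tools; the LM field is left out. The "backup" hash is a
# made-up value that matches no word in the list.
SAMPLE_DUMP = """\
Administrator:500:<lm omitted>:8846F7EAEE8FB117AD06BDD830B7586C:::
Guest:501:<lm omitted>:31D6CFE0D16AE931B73C59D7E0C089C0:::
backup:1005:<lm omitted>:0123456789ABCDEF0123456789ABCDEF:::
"""

# Constructed mini wordlist; the empty string catches accounts with no password set.
WORDLIST = ["", "123456", "password", "letmein", "secret", "Password1"]


def parse_dump(text):
    """Return (user, rid, lm_field, nt_hash_hex) tuples from the dump text."""
    entries = []
    for line in text.splitlines():
        if line.strip():
            user, rid, lm, nt = line.split(":")[:4]
            entries.append((user, int(rid), lm, nt.upper()))
    return entries


def crack_dump(dump_text, wordlist):
    """Dictionary attack: hash every candidate once, then look each stored hash up.
    Because the hashes are unsalted, one table serves every account in the dump."""
    table = {nt_hash(word): word for word in wordlist}
    return {user: table.get(nt) for user, _rid, _lm, nt in parse_dump(dump_text)}


if __name__ == "__main__":
    for user, pw in crack_dump(SAMPLE_DUMP, WORDLIST).items():
        print(f"{user:15s} {'not found' if pw is None else repr(pw)}")
```

Running it recovers "password" for Administrator and an empty password for Guest, while the made-up hash for backup is reported as not found. The same lookup-table approach applies to a recorded LM/NTLM challenge-response: the attacker hashes each candidate, derives the expected response from it and the captured challenge, and compares, so the cost per guess is the same as here plus one DES step.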

Finally, there is malicious software that exploits a flaw in the operating system to let an intruder who has logged on locally to a Windows NT computer with an ordinary user account add an arbitrary account to the "Administrators" group, thereby obtaining administrator rights for the holder of that account.


© Copyright by Bundesamt für Sicherheit in der Informationstechnik
last update: July 1999