Sep 13, 2007

Password Recovery Disk

Take preventive measures against losing user-level passwords.

It doesn't matter if you never again remember a Windows user password. Thanks to XP's Forgotten Password Wizard, your conscience will be free and clear -- should your mind happen to accidentally misplace your user password.

I highly suggest you create a password recovery disk the minute you create your user account. Why? Because the wizard needs your current password to build the disk, so it has to be done while you still know it. Write the password down the minute you create your user account and then proceed to creating your very own password recovery disk.

Here's how to launch the Forgotten Password Wizard:

1. Single-click Start menu, Control Panel, and User Accounts.
2. Click your user account name.
3. Under Related Tasks on the left, click "Prevent forgotten password" to launch the wizard.

Now that you've launched the wizard, let it walk you through creating the recovery disk. Make sure the disk you use is formatted and in the drive. After it's finished creating the disk, label it and stash it away for an emergency, somewhere only you can get at it: anyone holding the disk can reset that account's password.

If you happen to forget your password, all you need to do is click your user icon at the logon screen. Even though you don't have your password, go ahead and click the green arrow just like you would to finish logging on to your computer. This will launch a little yellow dialog box directing you to use your password recovery disk.

1 comment:

  1. Thank you for the tip! Yeah, that's a great solution. It does require some knowledge. It's ironic, but sometimes it's just as hard to find as the PRD wizard. As an admin, I sometimes help my friends fix their PC issues. So I just found out that many home users don't even know about its existence. Mostly that's because the steps you have to perform to create the password reset disk differ depending on whether your computer is a local one and is a member of a workgroup, or it's a client workstation - a computer that is joined to a Windows domain. With domain systems this solution is a no-go because (and this is quoting Microsoft), "The Prevent a forgotten password button and the password recovery disk functionality are not available on computers that are joined to a domain." More specifically, you can access this wizard through the logon screen. But being a member of a domain you can only create a password reset disc for passwords that are stored in your local Security Account Manager (SAM) database located on your local computer and hashed with LM (pre-2000 systems) and NT hashes (the latter is stronger). Thus, if you need stronger password security it's recommended that you enable the "Network security: Do not store LAN Manager hash value on next password change" security policy located in Computer Configuration|Windows Settings|Security Settings|Local Policies|Security Options within the group policy object. To create a password reset disc for the local user accounts when your computer is joined to a Windows domain, you can do the following:

    1. Press Ctrl+Alt+Delete to open the Windows Security dialog box.
    2. In the Windows Security dialog box click Change Password and then click the Backup button to start the Forgotten Password Wizard.
    3. Proceed with the wizard steps to create a password reset floppy disk.

    Once again, you will not see the Backup button in your Windows Security dialog box if you are logged on with your domain credentials. It's also important to know that the password reset disk is only effective if you've created it _before_ you've forgotten your password. Once you forget your password you will NOT be able to create the password reset disk. And even with the password reset floppy, you will only be able to reset your local password!

    So, that's very important to understand - that it only works for the local systems. You will see neither the Prevent a forgotten password in the User Accounts dialog box nor the Backup button in the Windows Security dialog box if you are logged into the computer with your domain user account. That is, once you've logged into a domain your lost passwords are no longer solely your own problem, but mostly your domain administrator's problem, or, as it was in our company, both the administrator's and the helpdesk support team's problem. We used to redirect users' requests to our help desk, making it their headache. And that solution was mostly like laying the blame on the help desk guys. Yeah, password reset is no longer as simple as exploiting the Local System SID functionality via a logon.scr process like we used to do on Windows 2000 systems, since the system now runs the "screensaver" under a less-privileged account, which is the Local Service one. Then you could just net user USERNAME * /domain and you're done. But that's no longer the case. Sure, you can still exploit the srvany functionality to drop your domain admin password account on Windows Server 2003 systems. But what has it to do with your users' domain account passwords? Nothing. However, I must say that it's a pain when you need to build a long chain of persons responsible for resetting the password for a single user. Not to mention the negative effect on your corporate security and productivity. The shorter the chain, the more secure the process. I heard some guys (not in our company) sometimes just did a practice where they set a standard password for such forgetful users, sending them passwords as is on their password requests. Well, you know how it is from the security point. Effective but very dangerous.
    I see it like this: all this is because of the overhead load put on the helpdesk team when they have to manage such minor problems like password reset. At first look it doesn't take them longer than to click several buttons. That can be easily implemented since that's what the Reset Password Active Directory extended right allows you to do. All you need to do is in fact just set the ObjectType property for the object from the AccessControlEntry class with the GUID for the specified access right. And then they could just call the SetPassword method, connecting to a user through the LDAP protocol by calling the GetObject method for a connection string. That looks like an easy solution but it DOES NOT work at the enterprise scale. At least it didn't work AT ALL in my environment. Bad scalability, hard-pressing help-desk load.

    I lately got my hands on Desktop Authority Password Self-Service. Yep, it's from Scriptlogic's Incident Management solution bundle. We needed an issue tracking system for our help desk software - it was too weak to handle the users' request flow for the last year - and that's how I found Scriptlogic's offering. I thought, why not try it. I had no experience with such comprehensive solutions but to my utter surprise it cost me several minutes to deploy it once I scanned the guidelines. Nice that Scriptlogic provides shortened versions of docs. I just scanned the docs with my eyes and within a couple of minutes I knew exactly what I had to do to deploy the package. There I found that they also provide a robust password reset solution for password management and recovery. I know that's not the discovery of the century. There are several products providing so-called password self-service functionality and some of them are worth looking at. However, what I liked in Scriptlogic's tool is the level of security they provide for the database where they store challenge questions/answers. Most of the solutions that I've seen were providing only MD5 hashing mechanisms to store the data. As you know, MD5 can be reverse engineered in minutes on a standard workstation by using a smart brute-force attack against salted records. The SHA-256 mechanism provided by this Scriptlogic tool is WAY TOO hard to attack and as far as I know it hasn't been broken yet. After all, they are government standards according to Schneier. Moreover, I found out that I could even apply AES-256 encryption to the storage. That's what I did right with the first setup. It's been a couple of weeks that I've used it and it works VERY EFFECTIVELY. I even made a little test for myself. I first implemented what I needed in the first place - that is, I set up the help-desk service and enabled the automatic ticket tracking.

    Since we are a pretty large company it didn't take long for me to start registering user password reset tickets. Then I started to deploy the password self-service for the first set of users in order to test if it would work for that OU. Nice that the client part can be installed when it's needed and there's no need to prepare a single deployment campaign where you need to deploy something for the whole domain in order to let it work for a single user. Here it was very easy to implement. I could even deploy it for a single user like myself if I had the need to do that. So I just configured a set of challenge questions, a password policy, configured strict security by forcing HTTPS and SSL and pushed the tool to my selected users. And what do you think? This is one of the first weeks in my career here when we don't have a single password incident. I liked it so much that I even enabled it for myself. It's indeed very easy to configure and reset an account password since everything I need to do that is the browser. Moreover, the browser starts automatically when the user clicks a restore password button on the Windows Security login screen. The only thing each user has to do is to configure answers - challenge responses. Since the tool works through the web I've been able to notify my users about this option via a message with the URL to their private password configuration page. Nice thing. It's strong inside but very easy to configure from the outside! The key term for myself was that everything was clear to configure and still secure.
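The comment above makes two points an administrator would want to verify on a workstation: the reset disk wizard is only offered on machines that are not joined to a domain, and local accounts keep a weak LM hash until the "Do not store LAN Manager hash value" policy is enabled. The following PowerShell check is an added example, not code from the post or the commenter. It reads the standard Windows locations for both facts (the Win32_ComputerSystem WMI class and the NoLMHash value under the Lsa registry key, which backs that policy) and assumes nothing else; run it with administrator rights.

```powershell
# Added example (not part of the original post or comment).
# Reports whether this machine can use the XP password reset disk at all
# (local accounts on non-domain-joined machines only) and whether LM hashes
# are still being stored for local accounts.

function Get-PasswordResetPosture {
    # Domain membership decides whether the "Prevent a forgotten password"
    # wizard and the Backup button are offered.
    $cs = Get-WmiObject -Class Win32_ComputerSystem
    $domainJoined = [bool]$cs.PartOfDomain

    # The policy "Network security: Do not store LAN Manager hash value on
    # next password change" is stored as the NoLMHash DWORD under the Lsa key
    # (well-known location; 1 = LM hash no longer written).
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $noLmHash = ($lsa.NoLMHash -eq 1)

    if ($noLmHash) {
        $advice = 'LM hash storage is off.'
    } else {
        # The policy only affects hashes written at the next password change,
        # so existing LM hashes stay in the SAM until users change passwords.
        $advice = 'Enable NoLMHash, then have local users change their passwords.'
    }

    New-Object PSObject -Property @{
        ComputerName       = $cs.Name
        DomainJoined       = $domainJoined
        ResetDiskAvailable = -not $domainJoined
        LmHashStorageOff   = $noLmHash
        Advice             = $advice
    }
}

Get-PasswordResetPosture | Format-List
```

On a domain-joined machine the output shows ResetDiskAvailable as False, which matches the Microsoft statement quoted in the comment; the LM-hash result still matters there, because local accounts on that workstation are hashed in the local SAM regardless of domain membership.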
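The comment also describes delegating the Reset Password extended right so a help desk can reset user passwords without broader admin rights: setting the ObjectType of an access control entry to that right's GUID. The script below is an added example, not the commenter's or ScriptLogic's code, showing that delegation with the .NET System.DirectoryServices classes. The OU path and group name are assumptions; the two GUIDs are the well-known Active Directory identifiers for the Reset Password control access right and the user object class. Run it with rights to edit the OU's security descriptor.

```powershell
# Added example (not from the original post, the commenter or ScriptLogic).
# Grants only the "Reset Password" extended right over user objects in one OU
# to a help desk group, instead of handing out wider administrative rights.

$ouPath        = 'LDAP://OU=Staff,DC=example,DC=com'   # assumed OU
$helpdeskGroup = 'EXAMPLE\Helpdesk'                    # assumed group

# Well-known AD GUIDs: the Reset Password control access right, and the
# schema ID of the user class so the right applies to user objects only.
$resetPasswordRight = [Guid]'00299570-246d-11d0-a768-00aa006e0529'
$userClass          = [Guid]'bf967aba-0de6-11d0-a285-00aa003049e2'

function Grant-ResetPasswordRight {
    param([string]$Path, [string]$Group)

    $ou       = New-Object System.DirectoryServices.DirectoryEntry($Path)
    $identity = New-Object System.Security.Principal.NTAccount($Group)

    # Allow ExtendedRight restricted to the Reset Password GUID, inherited by
    # descendant user objects only (not the OU itself, not other classes).
    $rule = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $identity,
        [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
        [System.Security.AccessControl.AccessControlType]::Allow,
        $resetPasswordRight,
        [System.DirectoryServices.ActiveDirectorySecurityInheritance]::Descendents,
        $userClass)

    $ou.ObjectSecurity.AddAccessRule($rule)
    $ou.CommitChanges()
}

function Get-ResetPasswordDelegations {
    # Lists every principal holding the Reset Password right on the OU,
    # so the delegation can be reviewed periodically.
    param([string]$Path)
    $ou = New-Object System.DirectoryServices.DirectoryEntry($Path)
    $ou.ObjectSecurity.GetAccessRules($true, $true, [System.Security.Principal.NTAccount]) |
        Where-Object { $_.ObjectType -eq $resetPasswordRight } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

Grant-ResetPasswordRight -Path $ouPath -Group $helpdeskGroup
Get-ResetPasswordDelegations -Path $ouPath
```

Scoping the ACE to the Reset Password GUID and to the user class is what keeps this least-privilege: the help desk group gets no right to change group membership, read other attributes, or reset passwords on objects outside the OU, and the review function makes it easy to see who else already holds that right.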