How to monitor for PwDump.exe
Hello,
I'm trying to configure auditing when someone runs a password dump utility such as PwDump (see attached link). We are running Windows Server 2008 R2. Any suggestions on what file I need to configure for auditing?
http://www.foofus.net/~fizzgig/pwdump/
Thanks,
TomTom Martin Email: tmartin@caa.com
September 18th, 2010 4:31pm
I'm not sure about monitoring for a specific program, but you could probably use a Software Restriction Policy linked to the domain with a hash rule against any programs that you don't want to run in the domain...
September 18th, 2010 11:08pm
You could probably use a Software Restriction Policy linked to the domain with a hash rule against any programs that you don't want to run in the domain...
My company uses Symantec Antivirus Corp. Edition, I've seen it catch pwdump and quarantine it as a hacktool, this also might be an idea.
September 18th, 2010 11:09pm
Great suggestion matrixx, but we are looking to take a different approach. We are looking to implement auditing on the file PwDump accesses.
Does anyone know what file PwDump accesses to get the hashes? We could then configure that file for auditing.
Thanks,
TomTom Martin Email: tmartin@caa.com
September 19th, 2010 3:24pm
The password hashes are stored in the SAM database. The SAM database is a registry file. I'd imagine you could audit the registry file that pwdump accesses, but you'd probably be getting a lot of extra data since Windows accesses the same database to do local authentication.
Make sure that you have LM hash storage disabled in your environment:
How to prevent Windows from storing a LAN manager hash of your password in Active Directory and local SAM databases
http://support.microsoft.com/kb/299656
NTLM hashes are still stored, and can be compromised using rainbow tables, but disabling the storage of LM hashes helps. To protect your NTLM hashes, you could use the syskey utility to encrypt your SAM database:
How to use the SysKey utility to secure the Windows Security Accounts Manager database
http://support.microsoft.com/kb/310105/en-us
September 19th, 2010 9:39pm
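The reply above points out that a SACL on the SAM hive will mostly record Windows' own accesses. The following PowerShell script is an added example, not code from the thread or from any of the posters: it flattens the Object Access audit events (4656/4663) that such a SACL produces and drops the routine reads by lsass.exe so that only other processes touching HKLM\SAM or the hive file remain. The expected-process list and the three sample events are constructed for illustration (the tool path in the sample is a placeholder); `Get-SamAccessEvents` runs the same filter against the live Security log.

```powershell
# Added example (not from the thread): triage SAM-hive object-access audit events.
# Assumption: Object Access auditing and a SACL on HKLM\SAM and/or the hive file
# are already configured, so 4656/4663 events with these ObjectNames exist.

# Processes that legitimately read the SAM hive (constructed list; tune per host).
$ExpectedProcesses = @('\Windows\System32\lsass.exe')
# Registry key path as it appears in ObjectName, or the on-disk hive file.
$SamObjectPattern  = '(?i)^\\REGISTRY\\MACHINE\\SAM(\\|$)|\\System32\\config\\SAM$'

function ConvertFrom-ObjectAccessEvent {
    # Flatten the EventData of one 4656/4663 event into a single object.
    param([Parameter(Mandatory=$true)][xml]$EventXml)
    $data = @{}
    foreach ($d in $EventXml.Event.EventData.Data) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    $idNode = $EventXml.Event.System.EventID
    New-Object PSObject -Property @{
        Time       = [datetime]$EventXml.Event.System.TimeCreated.SystemTime
        EventId    = [int]$(if ($idNode -is [string]) { $idNode } else { $idNode.InnerText })
        User       = '{0}\{1}' -f $data['SubjectDomainName'], $data['SubjectUserName']
        Process    = $data['ProcessName']
        ObjectType = $data['ObjectType']
        ObjectName = $data['ObjectName']
        AccessMask = $data['AccessMask']
    }
}

function Test-ExpectedProcess {
    # True when the accessing process is one Windows is expected to use.
    param([string]$ProcessPath)
    foreach ($p in $ExpectedProcesses) {
        if ($ProcessPath -like "*$p") { return $true }
    }
    return $false
}

function Select-UnexpectedSamAccess {
    # Keep only SAM-related accesses made by processes outside the expected list.
    param([object[]]$Events)
    foreach ($e in $Events) {
        if ($e.ObjectName -match $SamObjectPattern -and -not (Test-ExpectedProcess $e.Process)) { $e }
    }
}

function Get-SamAccessEvents {
    # Live version: pull the last day of 4656/4663 events from the Security log.
    param([datetime]$Since = (Get-Date).AddDays(-1))
    $raw = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4656, 4663; StartTime = $Since } -ErrorAction SilentlyContinue
    $parsed = foreach ($r in $raw) { ConvertFrom-ObjectAccessEvent ([xml]$r.ToXml()) }
    Select-UnexpectedSamAccess -Events $parsed
}

# Constructed sample events (not real log data): lsass.exe reading the SAM key,
# an unrelated key access, and an unknown tool reading the SAM key.
$SampleEvents = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID><TimeCreated SystemTime="2010-09-20T01:02:03.000Z"/></System><EventData><Data Name="SubjectUserName">SRV01$</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="ObjectType">Key</Data><Data Name="ObjectName">\REGISTRY\MACHINE\SAM\SAM\Domains\Account\Users</Data><Data Name="ProcessName">C:\Windows\System32\lsass.exe</Data><Data Name="AccessMask">0x1</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID><TimeCreated SystemTime="2010-09-20T01:02:04.000Z"/></System><EventData><Data Name="SubjectUserName">tmartin</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="ObjectType">Key</Data><Data Name="ObjectName">\REGISTRY\MACHINE\SOFTWARE\Example</Data><Data Name="ProcessName">C:\Windows\regedit.exe</Data><Data Name="AccessMask">0x1</Data></EventData></Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event"><System><EventID>4663</EventID><TimeCreated SystemTime="2010-09-20T01:02:05.000Z"/></System><EventData><Data Name="SubjectUserName">svc-backup</Data><Data Name="SubjectDomainName">CORP</Data><Data Name="ObjectType">Key</Data><Data Name="ObjectName">\REGISTRY\MACHINE\SAM\SAM\Domains\Account</Data><Data Name="ProcessName">C:\Users\Public\unknown-tool.exe</Data><Data Name="AccessMask">0x1</Data></EventData></Event>
'@
)

$parsedSamples = foreach ($s in $SampleEvents) { ConvertFrom-ObjectAccessEvent ([xml]$s) }
# Only the third sample survives: lsass.exe is expected, the second is not a SAM object.
Select-UnexpectedSamAccess -Events $parsedSamples | Format-Table Time, User, Process, ObjectName -AutoSize
```

The filter matches on the `ObjectName` field because that is where the SACL-protected path appears for both registry keys (`\REGISTRY\MACHINE\SAM\...`) and the hive file; the process allow-list is the only place the noise the reply describes is suppressed, so anything added to it should be justified per host.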
If you're interested in enabling auditing on the SAM database registry file, its location is:
HKLM\SAM
A small note:
The Registry Editor will not allow you to navigate through the HKEY_LOCAL_MACHINE\SAM and HKEY_LOCAL_MACHINE\SECURITY hives. These hives are protected by the System Account, and the currently logged-on user or members of the Administrators group do not have permission to view them.
To view the registry entries under the SAM or SECURITY hive, you need to run the Registry Editor under the security context of the System Account. To run Registry Editor under the security context of the System Account, use the following command with Psexec.exe:
Psexec.exe -s -i regedit.exe
Psexec.exe can be downloaded at the following URL:
http://technet.microsoft.com/en-us/sysinternals/bb896649.aspx
Reference:
http://www.windowsnetworking.com/kbase/WindowsTips/Windows2000/RegistryTips/RegistryTools/HowtobreakintoregistrytoexploreHKLMSAMandHKLMSECURITYkeys.html
September 20th, 2010 12:54am
If you're interested in enabling auditing on the SAM database registry file, its location is:
HKLM\SAM
You may also want to audit C:\Windows\System32\Config\SAM file as this could be a secondary target.
September 20th, 2010 7:51am
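The last two replies name the two objects to audit: the HKLM\SAM key and the hive file C:\Windows\System32\config\SAM. The PowerShell script below is an added example, not code from the thread or from any poster, showing the two pieces the audit needs on Server 2008 R2: enabling the Object Access subcategories with auditpol.exe (nothing is logged otherwise, whatever SACL is set) and placing a read-audit SACL on the hive file, then reading it back. It assumes an elevated prompt on the server being monitored. The SACL on the HKLM\SAM key itself is left to the regedit route the replies describe (Permissions > Advanced > Auditing under the System account) and is not set by this script.

```powershell
# Added example (not from the thread): enable Object Access auditing and put a
# read-audit SACL on the SAM hive file. Run elevated on the audited server.
# Assumption: regedit (or Group Policy) is used separately for the HKLM\SAM key.

$SamHiveFile = Join-Path $env:SystemRoot 'System32\config\SAM'

function Enable-ObjectAccessAuditing {
    # "Registry" covers SACLs on keys such as HKLM\SAM, "File System" the hive file.
    # Subcategory names are the ones auditpol.exe uses on Windows Server 2008 R2.
    foreach ($sub in 'Registry', 'File System') {
        & auditpol.exe /set /subcategory:"$sub" /success:enable /failure:enable | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "auditpol failed for subcategory '$sub'" }
    }
    & auditpol.exe /get /category:'Object Access'
}

function Add-ReadAuditRule {
    # Audit every successful and failed data read of the file by any account.
    # Only security information is touched, so the hive being held open by the
    # kernel does not cause a sharing violation.
    param([Parameter(Mandatory=$true)][string]$Path)
    $acl  = Get-Acl -Path $Path -Audit
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone',
        [System.Security.AccessControl.FileSystemRights]::ReadData,
        ([System.Security.AccessControl.AuditFlags]::Success -bor
         [System.Security.AccessControl.AuditFlags]::Failure))
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

function Get-AuditRules {
    # Read back the SACL so the change can be verified (and later reviewed).
    param([Parameter(Mandatory=$true)][string]$Path)
    (Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount])
}

Enable-ObjectAccessAuditing
Add-ReadAuditRule -Path $SamHiveFile
Get-AuditRules -Path $SamHiveFile | Format-Table IdentityReference, FileSystemRights, AuditFlags -AutoSize
```

Once both pieces are in place, reads of the hive file show up as event 4663 with ObjectType "File", and reads of the key (after its SACL is set in regedit) as 4663 with ObjectType "Key"; the volume from lsass.exe that the earlier reply warns about is real, so plan to filter by process when reviewing the log.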