Everyone knows that there are dozens of tools available for download on the Internet that can be used to crack Windows' relatively weak password hashing. Given enough time, tools such as the infamous L0phtcrack will eventually crack any LM-hashed password: LM uppercases the password, caps it at 14 characters and splits it into two 7-character halves that are attacked independently, so length and complexity buy far less than they appear to. But we also know that to use a tool like L0phtcrack, an attacker generally requires a copy of the account database, the SAM. This means they either need to break into the Windows server through a network connection to access the file, or they need physical access to the console (i.e. the keyboard and monitor).
So to protect this file, most administrators spend their days applying patches and various policies and safeguards to prevent unauthorized access via the network, and they use a screen saver password to lock the console. If possible, the server is rack-mounted in a locking cabinet, to prevent someone from walking off with those hot-swap hard disks that are so easy to remove.
However, after going to all this trouble, many administrators make two simple mistakes that leave them very vulnerable. The first is not securing physical access to the backup tapes. Practically anyone with a compatible tape drive can restore the backup onto their own hardware and have a complete copy of your server, including the SAM and all your users' files, on a machine where none of your access controls, auditing or lockout policies apply.
More common, but slightly less dangerous, is not securing physical access to the Emergency Repair Disk. These important disks are often left right next to the server for quick access in the event of a failure, but the disks also contain a copy of the SAM (the compressed copy taken from %SystemRoot%\repair the last time the disk was updated with rdisk /s) and can be used to brute-force your passwords offline, at the attacker's leisure. The same copy sits in the repair directory on the server itself, so its permissions deserve the same attention. Once an attacker has the administrator password, it's unlikely that any of your other network safeguards will protect your data.
Thomas Alexander Lancaster IV is a consultant and author with over ten years experience in the networking industry, focused on Internet infrastructure.