It rather involved being on the other side of this airtight hatchway: Surreptitious file access by administrator

A security report was received that went something like this:

A user can bypass file sharing locks by opening a read-only handle to the physical volume containing the file in question. This allows the user to extract the contents of protected files by reading the corresponding sectors directly from the disk. Since this operation requires administrator access, any user with administrator access can extract data from files that are normally inaccessible due to file locks, such as the SAM database.

Yes, that's right. An attacker who gains administrator privileges can extract data from any file on the computer.

But so what? The attacker is already on the other side of the airtight hatchway. They already pwn your machine. That a pwned machine can be pwned is not really all that surprising.

That some files are not accessible due to file locks is not a security measure. It is a consequence of, um, file access.

Besides, once you gain administrator access, a much easier way to steal the SAM is to merely grab a backup copy.

What, you can't find a backup copy?

No problem.

After all, you're the administrator. One of your job responsibilities is to maintain regular system backups.

So create a backup of the SAM file. Of course the system will let you do this. It is your job after all.

For example, you can use the Volume Shadow Service to create a volume snapshot, then mount the snapshot and extract the SAM file.

Bingo, instant copy of the SAM database.

Just doing your job.
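From the defender's side, the sequence the post describes (snapshot the volume, then read the SAM out of the snapshot rather than from the locked live file) is easy to spot in process-creation telemetry. The correlation below is an added example, not code from the post; its event records are constructed, and the (logon_id, timestamp, command_line) layout and the command-line patterns are assumptions modelled on Windows event ID 4688 and common shadow-copy tooling.

```python
"""Flag 'create a volume snapshot, then read a registry hive out of it' in
process-creation telemetry.  Added example; events below are constructed and
the (logon_id, timestamp, command_line) layout is assumed from event ID 4688."""
import re
from collections import defaultdict

# Constructed sample events: (logon_id, unix_timestamp, command_line).
SAMPLE_EVENTS = [
    ("0x3e7", 100, "C:\\Windows\\System32\\svchost.exe -k netsvcs"),
    ("0x5a1b2", 200, "vssadmin.exe create shadow /for=C:"),
    ("0x5a1b2", 230, "cmd.exe /c copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy3"
                     "\\Windows\\System32\\config\\SAM C:\\Users\\Public\\sam.bak"),
    ("0x7c9d", 300, "vssadmin.exe list shadows"),
    ("0x8e0f", 400, "wbadmin.exe start backup -backupTarget:E: -include:C:"),
    ("0x9f00", 500, "copy \\\\?\\GLOBALROOT\\Device\\HarddiskVolumeShadowCopy1"
                    "\\Windows\\System32\\config\\SAM C:\\Temp\\s"),
]

# Command-line patterns are assumptions modelled on common shadow-copy tooling.
SNAPSHOT_CREATE = re.compile(
    r"(vssadmin(\.exe)?\s+create\s+shadow"
    r"|wmic(\.exe)?\s+shadowcopy\s+call\s+create"
    r"|Win32_ShadowCopy.*\bCreate\b)",
    re.IGNORECASE,
)
# A registry hive read through a snapshot device path instead of the live
# volume, where the sharing lock the post discusses would stop the copy.
HIVE_IN_SNAPSHOT = re.compile(
    r"HarddiskVolumeShadowCopy\d+\\.*\\config\\(SAM|SYSTEM|SECURITY)\b",
    re.IGNORECASE,
)


def classify_event(command_line):
    """Label one command line; None means nothing of interest."""
    if HIVE_IN_SNAPSHOT.search(command_line):
        return "hive_from_snapshot"
    if SNAPSHOT_CREATE.search(command_line):
        return "snapshot_create"
    return None


def correlate(events, window_seconds=600):
    """Alert on hive reads from a snapshot.  A read within `window_seconds` of a
    snapshot creation in the same logon session is 'high' confidence; a read with
    no preceding creation is still 'medium' (the snapshot may predate the
    telemetry, e.g. one left by a scheduled backup).  Creation alone is not
    alerted: that is exactly what legitimate backup jobs do."""
    by_session = defaultdict(list)
    for logon_id, ts, cmd in events:
        label = classify_event(cmd)
        if label:
            by_session[logon_id].append((ts, label, cmd))
    alerts = []
    for logon_id, items in by_session.items():
        items.sort()
        last_create = None
        for ts, label, cmd in items:
            if label == "snapshot_create":
                last_create = ts
            elif label == "hive_from_snapshot":
                recent = last_create is not None and ts - last_create <= window_seconds
                alerts.append({"logon_id": logon_id, "at": ts,
                               "confidence": "high" if recent else "medium",
                               "command_line": cmd})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["confidence"], alert["logon_id"], alert["command_line"])
```

Only the hive read is alerted on, because snapshot creation by itself is what the post's "just doing your job" backup looks like too.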

Comments (43)
  1. Antonio 'Grijan' says:

    This article could be filed under "I couldn't believe I had to write this". I have found computer security is so common sense that I can explain most security issues to my mom, who doesn't even own a computer (simplifying the words, of course).

  2. Joshua says:

    Did you see the one about yanking user passwords from the LSASS memory dump?

  3. Paul Z says:

    I always love these "airtight hatchway" articles. You can tell Raymond is struggling not to respond to these people by exclaiming incredulously: "Did you even READ this security report before submitting it? Do you have ANY IDEA how computer security works?!?" I feel like any security report that starts with "After gaining administrator access" has already failed to be useful.

  4. Pietro Gagliardi (andlabs) says:

    I don't know about you, but to me, this report sounds like "the administrator should not be allowed to bypass file locks/open the raw disk/etc." and not strictly a privilege escalation issue. However, Raymond's statement about file locks not being for security is the response to this, as well as a statement about how the administrator of a computer /should/ be able to access anything to do their job… Yes, there are matters of ethics at play (which is where I think this report is coming from), but I doubt this is something that can be solved on the software side. Just a hunch.

  5. Jimmy Queue says:

    And you didn't respond asking the user to confirm their email address, password and mother's maiden name?

  6. Dave says:

    Let's call this one the "Edward Snowden conundrum."

  7. Sockatume says:

    If you're having security problems because "any user with administrator access" can do a certain thing, I do have to wonder if you have given too many people administrator access.

  8. Xv8 says:

    And people complain that Windows "dumbs down" things for administrators and doesn't give them complete power over their computer.

    No, Windows just stops you doing "rm -rf SomeUnimportantDir /" ((note the space)). It doesn't stop you doing "dd if=/dev/zero of=/dev/sda bs=4096"

  9. Joshua says:

    @Xv8: Have you tried it? Writing to the physical disk is now blocked where there is an active NTFS filesystem.

  10. Oliver says:

    A while ago a scary looking Matrix-style video was released showing how you can gain SYSTEM privileges using the at command (this was before Vista/7, now you have to use psexec). That you already had to be Administrator to do it didn't dampen the hype. It's odd that people consider Administrators having complete access to be a security breach.

    Although as Xv8 and Joshua have alluded to, an advantage Windows does have over Unix is that it prevents you from completely trashing your computer in one go even if you're admin. There's no rm -rf /, and particularly with things like the TrustedInstaller account Windows has IMO a much better protection of the underlying system than Unix does (which lets root wipe the lot, no prompts, with a single mistake). Administrators can always change things to do what they want, but Windows gives them extra hoops to jump through. Those hoops do stop errors becoming catastrophes.

  11. alegr1 says:

    Is an unprivileged user still able to open any system file with all sharing disabled (0), thus blocking the OS from opening those when necessary?

  12. Justus says:

    Someone will file a security report that says 'after gaining administrator rights I have administrator rights'

  13. me says:

    As I am not a native speaker, I have problems parsing the introductory part of the title of this series:

    "It rather involved being on the other side of this airtight hatchway"

    What does "it rather involved" actually mean? Yes, I know, it is from "The hitchhikers guide to the galaxy", but I did not read it in English, either.

    Can anyone help a helpless non-native speaker?

  14. Joshua says:

    The HHGG reference completely replaces the normal parse of "It rather involved" (should be it is somewhat associated with) with "It is due to"

  15. MNGoldenEagle says:

    @me: It's the same as saying "It had to do with", "it involved", "as a result of", and so on.  It's a phrase used to express that what you're saying later is in consequence of the following.  In this case, Raymond is saying that there is no security breach as a consequence of the fact that you're "on the other side of this airtight hatchway", or simply "an administrator with full security rights".

  16. me says:

    @Joshua, @MNGoldenEagle: Thank you both for the explanation. Now I do not have to die dumb (sometime).

    [Arthur and Ford are trapped in an airlock. Ford has an idea on how to get out. "But unfortunately, it rather involved being on the other side of this airtight hatchway." In simpler terms, "Unfortunately, it required that I be on the other side of this airtight hatchway." The word "involved" here is a verb, not an adjective. -Raymond]

  17. Kirby FC says:

    "It rather involved being on the other side of this airtight hatchway"

    I have never understood this practice many people have of injecting the word 'rather' into places where it is not necessary.  You could simply say "It involved being on the other side of this airtight hatchway".  The word 'rather' adds nothing of value.

    [It's not funny without the word "rather". The word "rather" carries no literal meaning, but it softens the sentence, as if to say "Oopsie." Classic British understatement, that needing to be on the other side of the airtight hatchway is a minor obstacle. -Raymond]

  18. Mark VY says:

    @Kirby FC: Well, in the original story I think it adds a bit of a comic effect.

  19. me says:

    @Raymond: Thanks. Indeed, it is a parse error, because "involved" looked like an adjective. I always wanted to add an "is" somewhere, but this did not parse, either.

    I did not even know "involve" exists as a verb.

    @Kirby FC: I think at least in this case, it is a stylistic element. Unfortunately, in my case, it made the text more interesting because I did not understand it.

  20. John Doe says:

    "Rather" can have several meanings:

    – "it rather be good" => "it ought to be good"

    – "it was rather funny" => "it was midly funny"

    – "I found it rather funny" => "I found it more funny than not"

    – "I'd rather not" => "I'd prefer not to"

    – "my car, or rather my work car" => "my car, actually my work car"

    – "it's not raining, rather it's a shiny day" => "it's not raining, on the contrary, it's a shiny day"

    These examples rather have "rather" to make some sense.  "Indeed," on the other hand, is indeed rather useless.

  21. j b says:

    I treat everything I store at my job computer as fully available to my supervisor and everybody above him in the administrative hierarchy, as well as to all the IT management guys.

    I treat everything at my home computer as fully available to the police, NSA and MS – not necessarily online, but they might seize my home computer any time. (With regard to NSA: I do not live in the USA, I am not an American citizen, yet I include NSA in the list. Go figure.)

    Consequently, anything sensitive is encrypted by independent keys that are not stored on the computer. To access the information requires information that is not known to the OS. My login credentials are known to the OS: Under Windows XP I had a utility that returned my login password in cleartext any time I was logged in; Windows 7 will not reveal this info, but even under XP, people were claiming that everything about Windows encryption was perfectly safe because Windows didn't keep my password after completing the login, only a one-way hash that was subsequently used to obtain the stored key for my encrypted files. Well… That reminds me of "Reflections on Trusting Trust". This utility did indeed prove that XP knew my cleartext password all the time. Win7 won't admit that it does, so maybe it doesn't. Maybe it is technically impossible to decrypt my private files, even if the computer is booted up with an NSA version of Windows. But Windows knows what it takes to prove that I am the one I am, to give me access to my "encrypted" files; it doesn't require something Windows _doesn't_ know. Maybe I am paranoid, but I elect not to trust Windows, NSA version, not to tell that same secret to those who (claim to be) searching for terrorists. I elect to encrypt my information using keys I can be reasonably sure that Windows is not familiar with.

    (By the way: The Kerberos protocol and implementation is so well documented that I trust it to a high degree. I have been searching for documentation of the Windows file encryption at the same level, without success – and when, a few years ago, I found this little utility showing that Windows indeed keeps the cleartext password and not only a one-way hash of it, there was not much use in searching further. If all you have to reveal to Windows to decrypt your files is something already known to Windows, then the encrypted files are almost by definition openly available to the forensics guys in the NSA and the various police forces.)

  22. Keith P says:

    I had someone from MS actually help me extract and send in my SAM file several years back. I had run into a Win7 issue where you could lock yourself out of the system due to a weird interaction between UAC and the Xbox MCE user account. Anyway, it was pretty neat, as the guy took my SAM and somehow got it to let me enter my credentials and then walked me through restoring it back on the system. All done as an admin, of course :)

  23. Kirby FC says:

    Mark VY " Well, in the original story I think it adds a bit of a comic effect."

    I find it no more or less funny with it or without it.  I guess that's why Douglas Adams is a famous writer and I am not.

  24. cheong00 says:

    @Pietro Gagliardi (andlabs): So you accessed the disk bypassing the NTFS driver that maintains the lock, and then you think the NTFS driver should somehow be able to block access that doesn't pass through it?

    It's the same as using nails and wood planks to block the main door and wishing that the house owner, who has the key, can't get into your home through the door at the back of the house.

  25. smf says:

    Rather does have a meaning; in modern slang you'd probably use:

    "But unfortunately, it kinda involved being on the other side of this airtight hatchway."

    kinda being slang for kind of.

    kind of (phrase of kind): rather; to some extent. "it got kind of cosy". Synonyms: rather, quite, fairly, moderately, somewhat, a little, slightly, a shade.

  26. smf says:

    It's about time that gaining administrator access didn't let you get round all the security controls. The solution is to restrict access to administrator and create a reallytrustedadministrator account instead. The reallytrustedadministrator would only be accessible to people who could be trusted.

  27. Neil says:

    TrustedInstaller actually got in my way when a power failure corrupted one of the .NET Framework files. Various repair options didn't help, so I ended up rebooting into system recovery mode so I could replace it with a good version.

  28. mb says:

    @acq: I don't think that's the meaning of "rather" that's intended here.

    It's very much a Britishism to use "rather" — in the meaning of "to an appreciable extent" — as an understatement for "very". "It must have been rather unpleasant capsizing in that tropical storm."

    What Ford is saying — understatedly — is "Unfortunately, a critically important part of my plan was being on the other side of this airtight hatchway."

    Compare this also with the (definitely dated) Britishism of using "rather" (stressed on the second syllable) to express agreement. As in "I say, this sherry is jolly good, don't you think?" "Ra-THA!"

    (Oh, and I agree — it's definitely not funny without the "rather".)

  29. Dave T says:

    @j b You do see the flaw in your security don't you?  Once you enter the information that is "unknown to the OS" to encrypt/decrypt your files, that information is now known to the OS because KEYBOARD. It can elect to save that information in some dark corner of the file system for when the Men in Black show up.  Also, I believe there is precedent already in law that the authorities can compel you to provide those decryption keys to them.  Sure, you can say you "forgot" or "lost" them, but then you sit in jail.

  30. Richard Cox says:

    @acq et al, the delivery rather[1] makes a difference. It works rather better on the original version – the radio series, Fit The Second – where Geoffrey McGivern says the line without any particular emphasis.

    (In my considered opinion, the radio series is far better than all other versions. For a start the special visual effects are far better.)

    [1] I am indeed British, thus, in context, I feel I need to use this word.

  31. j b says:

    @Dave T,

    I thought my post was long enough, so I left out a discussion of that issue :-)

    Yes, you sure are right – if the OS knows that my keyboard presses are the encryption key. If it was aware of every encryption program in the world, including those I write myself, and how it registers the key, it could. Otherwise, it would have to resort to storing all my key presses regardless of program, and assume that any subset of them are the key for some arbitrary encryption program using some arbitrary encryption method. This is of course possible to do, but not very likely.

    I do keep an eye on the file space used, in particular on my system disk (all documents and other files are located on other disks), and I do open the Network Connections Control Panel applet as soon as I log in, so I can keep the connection disabled whenever I work on sensitive data (in case there was a keylogger passing the keystrokes to an offsite location). Of course: Trusting that "disabled" means that nothing is sent, not even data from NSA injected keyloggers, is a matter of trust. But I think my paranoia level is sufficiently high when I trust the interface to be disabled when I request it. (I have checked that the Task Manager also reports that the device is not active, 0 bytes exchanged; if the conspiracy covers that as well, they will probably get me anyhow.)

    I do have an encryption chip on an old PATA cable, using a separate key dongle that must be present at boot up but can then be removed from the machine and hidden. Unfortunately (from this point of view), my current main PC doesn't support PATA, but if real paranoia strikes me, I might set up that old machine with PATA support as a file server for extra sensitive data.

    By the way: The encryption I use the most allows multi-word keys (i.e. space in the key string); that serves to confuse key loggers listening for possible encryption keys. And of course every key contains non-ASCII characters, like the language specific æ, ø, å. It isn't that long since I saw "brute force" :-) code that assumed any key contained nothing but A-Za-z, numerics and a selection of punctuation signs! Dictionary attacks rarely use dictionaries containing misspelled words in all the world's languages. And most bruteforce/dictionary attacks rely on recognizing the correct key by recognizing meaningful information in the result. Double encryption (using methods that do not leave any easily recognizable tag on the encrypted file) makes it a lot more difficult to identify success in the outer level encryption.

    I believe that in Norway, you can NOT by law be forced to reveal any encryption keys, that is considered self-incrimination. Actually, I thought US law similar, but I guess that nine eleven has forced US to cancel the fifth amendment.

    [Don't travel to the UK. Police are permitted to put you in jail for up to five years for refusing to decrypt something they believe is encrypted (even if it isn't actually encrypted). I believe that the five-year detention is renewable upon reapplication to a judge but I cannot find a citation. -Raymond]

  32. acq says:

    For the non-native speakers, there is actually an exact dictionary subentry for this particular use: …/rather

    "4:  to the contrary :  instead <was no better but rather grew worse — Mark 5:26 (Revised Standard Version)>"

    Now the dialog from the book is (Steve Kemp quoted it in 2007 in …/4268706.aspx):

       (Arthur:) "Well didn't you think of anything? I thought you said you were going to think of something. Perhaps you thought of something and didn't notice."

       "Oh yes, I thought of something," panted Ford. Arthur looked up expectantly.

       "But unfortunately," continued Ford, "it rather (*) involved being on the other side of this airtight hatchway." He kicked the hatch they'd just been through.

    *) So that "rather" there is the shortest (as Raymond would say "Classic British understatement") expression of the thought "it, INSTEAD of what could actually help us in this moment, involved being on the other side of this airtight hatchway."

    Without it, it's not funny.

  33. smf says:

    and also don't carry garden tools in the US …/160528-salinas-cop-fatal-shooting (you could be arrested in the UK for carrying an offensive weapon if you had no reason to be carrying them but you wouldn't be shot)

  34. smf says:

    "[Don't travel to the UK. Police are permitted to put you in jail for up to five years for refusing to decrypt something they believe is encrypted (even if it isn't actually encrypted). I believe that the five-year detention is renewable upon reapplication to a judge but I cannot find a citation. -Raymond]"


    Our police have better things to do than to randomly decide that people have encrypted documents in their holiday photographs, they also have to be able to justify why they believe it. In the US the police shoot people. I'll take my chances in the UK.

    "  "But unfortunately," continued Ford, "it rather (*) involved being on the other side of this airtight hatchway." He kicked the hatch they'd just been through.

    *) So that "rather" there is the shortest (as Raymond would say "Classic British understatement") expression of the thought "it, INSTEAD of what could actually help us in this moment, involved being on the other side of this airtight hatchway."

    Without it, it's not funny."

    @acq No you've missed the point

    Without "rather" the plan is to be on the other side of the airtight hatchway.

    With "rather" the plan is undisclosed but for it to work you would need to be on the other side of the airtight hatchway.

    The former is sillier, the latter is more subtle. The use of the word involved is much more interesting.

    [I never claimed that the US was better. My point is that if your goal is to secure your data from authorities, then at least in the UK, the authorities have completely legal ways of compelling you to decrypt your data. If your goal is to avoid being shot by the police, then UK is probably a better bet than the US, but that wasn't the stated goal. -Raymond]

  35. Joshua says:

    If using a headerless encryption scheme, it might be viable to tell the cops and the judge it's not encrypted but rather it's a one time pad. This is more believable if they find a file containing a single integer in the range of a few tens of millions. In the US at least claiming the fifth to avoid disclosing the other party would be valid in all cases.

    If pressed, a further claim could be made that the pad was generated by encrypting an empty drive with "password" that came from banging on the keyboard. Yes this is bad crypto practice.

    [And the police can say, "I don't believe you," and you are still in jail. -Raymond]

  36. j b says:

    Even if an encryption scheme does leave a recognizable header, it can easily be masked by nothing more complicated than an xor of the file, or possibly only the first file page. If you use, say, the first 16 octets of the second disk page (after encryption) as an xor key for the first page, the masking will differ from file to file, so an intruder won't recognize any pattern to reveal the header xor masking.

  37. Neyah says:

    @j b, you probably also want to avoid using USB keyboards or hard drives as well then. …/9919504.aspx

  38. dirk gently says:

    I am now reading HHGttG again, but for the first time in the original English version, and I was stunned to find out that the "airtight hatchway" series of articles takes its name from this book. I always thought this was something Raymond made up.

    [Pah. I dream of being even half as clever as Douglas Adams. -Raymond]

  39. John Doe says:

    There's the presumption of innocence (…/Presumption_of_innocence ) as a human right (…/Universal_Declaration_of_Human_Rights ), where "they" care about them, Of Course™.

    Cop: "I don't believe you [you're lying]."

    John Doe: "That's your problem, not mine [prove it]."

    <either you're free to go, or you go to jail, go directly to jail like those film characters that get Busted In <SpookyCountry>stan™ for nothing; do not pass go, do not collect $200>

  40. Joker_vD says:

    What most people seem to not realise about "presumption of innocence" is that it applies only when you're charged with a criminal offense.

  41. j b says:

    Do they then have the rights to demand access to your private files?

    Can they state: "Yes, we ARE going to bring charges against you, but not yet! First we need to force you to open up every evidence against yourself, and you cannot refuse, because we haven't yet brought charges against you, but as soon as you have given us all the information that we want, THEN we will bring charges against you, based on the evidence you have produced yourself!"

    Is that how it works?

  42. Myria says:

    By the way, this is *not* true for write access.  Raw write access to a mounted volume is blocked as a measure to prevent bypassing kernel driver signing.  An attack against driver signing was to force the kernel to page out pageable parts of drivers and itself by exhausting physical memory, then using a raw drive handle to overwrite the pagefile with unsigned code and forcing the paged code to reload.  This attack was discovered around the same time during the Vista beta period independently by me and by Joanna Rutkowska; she publicly disclosed it and the attack was blocked by the time Vista was released.

    Yes, Microsoft already thought of using IOCTL_ATA_PASS_THROUGH and IOCTL_SCSI_PASS_THROUGH – there is a list of SCSI and ATA commands in the storage stack against which the destination LBA is checked for being in the range of a mounted volume.
