Discover the significance of the Directory Services Restore Mode (DSRM) password, a critical but often overlooked element in Windows networks. This guide reveals the steps for a more secure DSRM environment, ensuring a robust Active Directory structure. Explore additional topics like Group Policy Object, Volume Shadow Copies, Remote Desktop Services, and Bulk Users in Active Directory using PowerShell.
In this guide, I will walk you through the process of updating the Services Restore Mode password. It will enhance security and ensure a more robust DSRM environment for your organization. For Windows Server domain controllers, “Services Restore Mode” (DSRM) serves as a safe mode boot option. You can also learn about Group Policy Object: How to create a Password Policy via GPO, Volume Shadow Copies: How to configure VSS on Windows Server, Remote Desktop Services: How to Remove and Manage Terminal Server licenses from an RDP client with PowerShell, and How to create Bulk Users in Active Directory using PowerShell.
An administrator can use DSRM to repair or recover an Active Directory database. During Active Directory installation, the wizard prompts for a DSRM password. When promoting a new Domain Controller, the DSRM password is set initially. This password grants database access for emergencies but not to the domain or services.
If you forget your DSRM password, you can change it with the command-line tool
NTDSUtil. I’ve worked in a number of Active Directory environments where the DSRM password for the Domain Controllers is not known or safely stored for future use. Please see how to create and delete a custom AD DS partition with the NTDSUTIL.EXE Tool on Windows Server.
Why Setting Password to Secure DSRM?
Unlike workstations and servers, Domain Controllers do not have a local administrator account. This means you cannot log on to them locally. If Active Directory fails on a Domain Controller, you may be unable to log on with your domain credentials. This could prevent you from repairing Active Directory.
Directory Services Restore Mode (DSRM) is a boot option for Domain Controllers. It allows you to log in even if Active Directory has failed. You will use the local administrator account. To log in, enter .\administrator as the username. The DSRM password is shown in the images below. This allows you to log in locally without having access to any domain.
Attackers could use the DSRM account to stay persistent and gain access to the organization’s Active Directory. Administrators typically set the DSRM password while promoting a Server to a Domain Controller as shown in the screenshot below and do not follow the recommendation to change its passwords on a regular basis.
Knowing this, attackers will attempt to create a permanent backdoor in order to establish a future connection. An attacker can change the password for the DSRM account by running the following command on each DC (or remotely against each DC by replacing
"null" with the DC name).
As shown above, when an attacker has obtained the DSRM password, he or she can use this account to log on to the DC as a local administrator over the network. The attacker can change the Windows registry using the local administrator password hash to log into the DC using Directory Services Restore Mode (DSRM) hashes without rebooting the server by confirming the
“DsrmAdminLogonBehavior” registry key value under
HKLM\System\CurrentControlSet\Control\Lsa and possibly create
REG_DWORD values as shown below:
- 0 – the default value – Can use the DSRM administrator account only if the DC starts in DSRM.
- 1 – Use the DSRM administrator account to log on if the local AD DS service is stopped.
- 2 – Always use the DSRM administrator account (This setting is not recommended because password policies do not apply to the DSRM administrator account).
Enhancing Domain Controller Security with Regular Password Updates
To ensure a more secure and robust Active Directory environment for your Domain Controller, you need to constantly update the DSRM administrative complex password. Please keep in mind that DSRM is not the same as Safe Mode. If Active Directory fails to start in Safe Mode, you will be unable to log on. Instead, use DSRM. As a Security administrator, you not only update the DSRM password regularly but also ensure the passwords are unique for every Domain Controller. Below, I’ll outline the steps to change the DSRM password:
Step 1 – Press Windows + Run to open the Run dialog box, type
ntdsutil, and then press the Enter Key.
Step 2 – At the
Ntdsutil command prompt, type
set dsrm password Still, at the DSRM command prompt, type one of the following lines
"reset password on server null"
The null variable assumes that the DSRM password is being reset on the local computer. Therefore, you must set a unique password and regularly update it. Type the new password when prompted. Note that no characters appear while you type the password.
Note: To reset the password on another server, type reset password on server <servername>, where servername is the DNS name of the server being reset. When prompted, enter the new password. It's worth noting that no characters appear as you type the password.
When done resetting the password for DSRM, type q or quit at the DSRM command prompt and type
quit also to exit
Ntdsutil command prompt as well.
I hope you found this blog post helpful. If you have any questions, please let me know in the comment session.