Why DCPromo removes the passwords from your answer files after usage

One of the recommended practices for configuring Domain Controllers is to use an answer file to promote the server from a domain-joined server to a Domain Controller.


Benefits of using an answer file

The benefit of using an answer file is that the file can be reused for multiple promotions. This way, Domain Controllers are configured identically throughout the enterprise. Additionally, disaster recovery of Domain Controllers is facilitated by allowing delegated admins to promote Domain Controllers at times when Enterprise Admins are heavily burdened (which is often the case in a disaster recovery scenario).


Drawbacks of using an answer file

The big drawback is in the way admins work with answer files. When admins get sloppy, answer files containing passwords may be left on promoted Domain Controllers, in file exchange locations, on documentation file shares and in SharePoint document libraries. Passwords should never be documented in clear text; they belong in one or more password vaults.

The best way to search for DCPromo answer files is with the following line of Windows PowerShell:

Get-ChildItem c:\ -Include *.txt,*.xml,*.config,*.conf,*.cfg,*.ini -File -Recurse -EA SilentlyContinue | Select-String -Pattern "SafeModeAdminPassword"

This line of Windows PowerShell looks for remnants of DCPromo answer files, which could potentially contain plaintext passwords. I recommend running it for every disk drive, not only C:\. Note that the pattern matches the dcpromo.exe answer file key only; a script that calls Install-ADDSDomainController spells the parameter -SafeModeAdministratorPassword, which "SafeModeAdminPassword" does not match.


How DCPromo helps

Whenever you use dcpromo.exe and specify an answer file (the /unattend:<file> switch), the tool clears the value for SafeModeAdminPassword in that file once it has read it. This addresses the issue of lingering passwords in used answer files.

The SafeModeAdminPassword value is optional and can be used to specify the administrator password when the Domain Controller is in Directory Services Restore Mode (DSRM).

When SafeModeAdminPassword is not specified, the password must be typed in at the console during promotion. This defeats the reusability of the answer file and the predictability of Domain Controller promotion.

The password should be changed after successful promotion and should be unique on all Domain Controllers throughout the enterprise for optimal information security.

However, when testing answer files, dcpromo.exe's behavior can be slightly annoying, as it clears the value for SafeModeAdminPassword even when promotion is unsuccessful. It is, however, a perfect method to see whether an answer file has been used or not: an empty SafeModeAdminPassword= line means dcpromo.exe has read the file, a populated one means it has not (and that a clear-text password is sitting on disk).
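The search above and the "has this answer file been used?" check can be combined into one sweep. The following is an added example, not code from the original post: it walks every fixed drive, looks for both the dcpromo.exe key and the Install-ADDSDomainController parameter name, and classifies each hit as a consumed answer file (value cleared by dcpromo.exe) or a clear-text password left behind. The extension list, the drive enumeration via Win32_LogicalDisk and the report layout are my assumptions.

```powershell
# Added example (not from the original post). Sweeps all fixed drives for
# dcpromo.exe answer-file remnants and Install-ADDSDomainController scripts,
# and reports whether each hit still carries a clear-text DSRM password.
# Extension list, drive enumeration and output format are assumptions.

function Find-DcpromoAnswerFile {
    [CmdletBinding()]
    param(
        # Roots to sweep; defaults to every fixed local disk (DriveType 3).
        [string[]]$Root = (Get-WmiObject Win32_LogicalDisk -Filter 'DriveType=3' |
                           ForEach-Object { "$($_.DeviceID)\" }),
        # The original post's extensions plus *.ps1 for PowerShell promotion scripts.
        [string[]]$Include = @('*.txt','*.xml','*.config','*.conf','*.cfg','*.ini','*.ps1')
    )

    # Matches the dcpromo.exe key (SafeModeAdminPassword) and the
    # ADDSDeployment parameter (-SafeModeAdministratorPassword).
    $pattern = 'SafeModeAdmin(istrator)?Password'

    foreach ($r in $Root) {
        Get-ChildItem -Path $r -Include $Include -File -Recurse -ErrorAction SilentlyContinue |
            Select-String -Pattern $pattern -ErrorAction SilentlyContinue |
            ForEach-Object {
                $line = $_.Line.Trim()

                # dcpromo.exe rewrites the key as "SafeModeAdminPassword=" after reading
                # the file, so an empty value means "used"; a non-empty value is a leak.
                if ($line -match '^SafeModeAdminPassword\s*=\s*$') {
                    $status = 'used (cleared by dcpromo.exe)'
                }
                elseif ($line -match '^SafeModeAdminPassword\s*=\s*\S') {
                    $status = 'CONTAINS PASSWORD'
                }
                else {
                    # Install-ADDSDomainController parameter or a mention in a script:
                    # PowerShell never scrubs these, so they need a manual look.
                    $status = 'review (PowerShell script or other reference)'
                }

                [pscustomobject]@{
                    Path   = $_.Path
                    LineNo = $_.LineNumber
                    Key    = ($line -split '[=\s]', 2)[0]
                    Status = $status
                }
            }
    }
}

# Run from an elevated prompt on each suspect host; hits marked CONTAINS PASSWORD
# should be shredded and the DSRM password in question rotated.
Find-DcpromoAnswerFile | Sort-Object Status | Format-Table -AutoSize
```

Run it from an elevated prompt so that protected directories are included in the walk. Anything reported as CONTAINS PASSWORD is a live credential on disk: delete the file and treat the DSRM password it contains as compromised.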


Concluding

Scouring for passwords is one of the well-known privilege escalation techniques attackers use, and the DSRM password is a valuable find: it is the local Administrator password of the Domain Controller when it is booted into Directory Services Restore Mode. dcpromo.exe helps by deleting values that would otherwise leave lingering passwords.

When you use Windows PowerShell (Install-ADDSDomainController) to promote a Domain Controller, nothing clears the password from your script afterwards the way dcpromo.exe clears its answer file. Make sure a line of Windows PowerShell that includes passwords is documented and stored with the same care as a password vault entry, or better, do not put the passwords in the script at all.
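One way to keep both passwords out of the script entirely, as an added example that is not part of the original post: prompt for the promotion credential and the DSRM password at run time as a PSCredential and a SecureString, and pass those to Install-ADDSDomainController. The domain name, site name and paths are placeholders.

```powershell
# Added example (not from the original post). Promotes a domain-joined server
# with the Windows Server 2012 ADDSDeployment module without writing either the
# promotion account password or the DSRM password into the script.
# Domain name, site name and paths are placeholders.

Import-Module ADDSDeployment

# Both secrets are requested interactively, so the .ps1 never contains them and
# there is nothing to scrub afterwards. For a delegated admin, the credential is
# the account that has been granted the right to promote Domain Controllers.
$promoCred = Get-Credential -Message 'Account permitted to promote Domain Controllers'

# Use a DSRM password that is unique to this Domain Controller; it is the local
# Administrator password in Directory Services Restore Mode.
$dsrmPass = Read-Host -Prompt 'DSRM (Safe Mode) administrator password' -AsSecureString

Install-ADDSDomainController `
    -DomainName 'corp.example.com' `
    -Credential $promoCred `
    -SafeModeAdministratorPassword $dsrmPass `
    -SiteName 'Default-First-Site-Name' `
    -InstallDns:$true `
    -DatabasePath 'C:\Windows\NTDS' `
    -LogPath 'C:\Windows\NTDS' `
    -SysvolPath 'C:\Windows\SYSVOL' `
    -NoRebootOnCompletion:$false `
    -Force:$true
```

If -SafeModeAdministratorPassword is omitted, the cmdlet prompts for it, which is the PowerShell equivalent of leaving SafeModeAdminPassword empty in a dcpromo.exe answer file. Either way, the value is typed at the console rather than stored, at the cost of a fully unattended promotion.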

Further reading

New features in AD DS in Windows Server 2012, Part 2: New Promotion Process
Domain Controller promotion stops responding when NetBIOS over TCPIP is disabled
How to install a Server Core R2 Domain Controller
4 methods to add Server Core RODCs to your environment
