We published a how-to guide video on resetting a Windows Server 2012 R2 Administrator password remotely using IPMI. If you have ever had a Windows Server machine you could not access because of a lost password, this is the way to recover the system without resorting to a third-party password reset tool that may itself carry malware.
Recently we had a test running on a 24 drive SSD system in the STH lab. This is a system that will be available on the public DemoEval program after Flash Memory Summit with 24 new SSDs. The Administrator password for the Windows installation was lost, and the IOmeter logs inaccessible.
It is extremely important that you reset the Administrator password AND restore the original sethc.exe after completing the swap. Otherwise, anyone with IPMI access to the machine could obtain Administrator access from the login screen.
Here are the steps:
1. Over IPMI, mount a Windows Server 2012 R2 installation disk (available from the Microsoft TechNet Evaluation Center)
2. Reboot the server
3. Select Boot from CD/DVD media and start the Windows Server boot process
4. Select a language, then Repair your computer -> Troubleshoot -> Command Prompt
5. Locate the Windows installation drive (C, D or another letter depending on the installation type)
6. Copy sethc.exe to a backup location
7. Replace sethc.exe with cmd.exe
8. Reboot the server
9. At the login screen, press the SHIFT key five times (you can use the virtual keyboard for this)
10. Use the following command (replace <password> with a temporary password) to reset the Administrator password:
    net user Administrator <password>
11. Log in using the temporary password
12. Reset the password from within the Windows Server environment
13. Replace sethc.exe with the backed-up version.
Key commands for steps 6 and 7 (the d:\ may be c:\ or something else, depending on what you found in step 5):
    copy d:\windows\system32\sethc.exe d:\windows\system32\sethc-old.exe
    copy d:\windows\system32\cmd.exe d:\windows\system32\sethc.exe
Key command for step 13:
    copy c:\windows\system32\sethc-old.exe c:\windows\system32\sethc.exe
If the running system refuses this copy with an access-denied error (System32 binaries are owned by TrustedInstaller), boot the installation media again and run the same copy from its Command Prompt, using that environment's drive letter as in steps 6 and 7.
This is all you need to get back into a Windows Server 2012 R2 system you have IPMI access to.
Even if you never have to recover a lost Windows Server Administrator password using this method, it should be eye-opening. Modern servers include iKVM functionality with the ability to remotely mount ISO images. This entire operation takes a few minutes and leaves the system exposed if sethc.exe is not restored. Our suggestion is to use a separate network or VLAN for all IPMI interfaces.
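Because the system stays exposed until step 13 is done, a post-recovery check is worth having. The PowerShell script below is an added example, not part of the original STH post: it confirms that sethc.exe in System32 is the genuine accessibility binary rather than the cmd.exe copy, flags a leftover sethc-old.exe backup, and asks sfc to cross-check the file against the component store. It assumes $env:SystemRoot points at the recovered installation (C:\Windows on a standard install) and that the backup was named sethc-old.exe as in the steps above; run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the original STH post): verify that the Sticky Keys
# swap used during password recovery has been undone. Assumes $env:SystemRoot is
# the recovered installation and the backup file is named sethc-old.exe.

$System32   = Join-Path $env:SystemRoot 'System32'
$SethcPath  = Join-Path $System32 'sethc.exe'
$CmdPath    = Join-Path $System32 'cmd.exe'
$BackupPath = Join-Path $System32 'sethc-old.exe'

function Get-FileFingerprint {
    # Collects what distinguishes sethc.exe from cmd.exe: the content hash and
    # the version resource embedded in the PE file.
    param([Parameter(Mandatory)][string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-Item -LiteralPath $Path
    [pscustomobject]@{
        Path             = $Path
        Sha256           = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        OriginalFilename = $item.VersionInfo.OriginalFilename
        FileDescription  = $item.VersionInfo.FileDescription
    }
}

$sethc    = Get-FileFingerprint $SethcPath
$cmd      = Get-FileFingerprint $CmdPath
$backup   = Get-FileFingerprint $BackupPath
$findings = @()

if ($null -eq $sethc) {
    $findings += "sethc.exe is missing from $System32"
}
else {
    # A swapped binary is a byte-for-byte copy of cmd.exe, so the hashes match
    # and the version resource names Cmd.Exe instead of sethc.exe.
    if ($sethc.Sha256 -eq $cmd.Sha256) {
        $findings += 'sethc.exe is byte-identical to cmd.exe: the swap is still in place'
    }
    if ($sethc.OriginalFilename -and $sethc.OriginalFilename -notlike 'sethc.exe*') {
        $findings += "sethc.exe version resource reports OriginalFilename='$($sethc.OriginalFilename)' ($($sethc.FileDescription))"
    }
}

# The recovery leaves the original behind as sethc-old.exe. Once step 13 is
# done that copy is redundant and should not remain in System32.
if ($null -ne $backup) {
    if ($null -ne $sethc -and $backup.Sha256 -eq $sethc.Sha256) {
        $findings += 'sethc-old.exe is still present although the original is restored; delete the backup'
    }
    else {
        $findings += "sethc-old.exe differs from sethc.exe; restore it with: copy `"$BackupPath`" `"$SethcPath`""
    }
}

# Independent cross-check against the Windows component store. /VERIFYFILE only
# reports; it does not repair. The exit code is the reliable signal, since sfc's
# console text may render oddly when captured from PowerShell.
$sfcOutput = & sfc.exe /VERIFYFILE=$SethcPath 2>&1 | Out-String
if ($LASTEXITCODE -ne 0) {
    $findings += "sfc /VERIFYFILE reported a problem with sethc.exe: $($sfcOutput.Trim())"
}

if ($findings.Count -eq 0) {
    Write-Output 'OK: sethc.exe matches the genuine binary and no backup copy remains.'
}
else {
    $findings | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

The hash comparison against cmd.exe is the decisive check; the version-resource and sfc checks catch the case where the file was replaced by something other than a straight copy of cmd.exe. Running this as a scheduled task on servers with IPMI reachable from a shared network gives an early warning if the swap is ever left in place, and an alert on cmd.exe started by winlogon.exe at the logon screen covers the moment the swap is actually used.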