There are various offline attacks. Do you have auditing turned on so you can detect when a server has been turned off? Making it vulnerable to offline attacks. If you are not aware of it:

Without physical security, there can be no security.

If you have a resource which needs to be protected, the single most important protection is to restrict physical access.  

There are Linux boot disks that have DOS and NTFS filesystem drivers and software that will read the registry and rewrite the password hashes for any account including the Administrators. It is as simply as:

• shutdown or turnoff the PC
• put the book disk in the PC and reboot
• respond to the Linux prompts
  the highest barrier is understanding unix media descriptors
• select the account whose password hash needs to be rewritten & enter a new password
• reboot & access using the new password

This process requires physical access to the console and an available floppy drive.

The following site provides the downloadable boot disk image, image to disk utility, source code, and supporting documentation: Offline NT password utility. This version can disable syskey protect. They do note that turning off syskey under Windows 2000 damages the SAM and is not to be attempted except as a last resort to reinstallation. Watch for updates.

See Analysis of Alleged Vulnerability in Windows 2000 Syskey and the Encrypting File System for Microsoft's perspective.

I have seen the Linux boot disks fail primarily on scsi-based boxes when the boot disk did not have the proper scsi driver or when there was some problem detected in the scsi setup. I have also seen PCs where the Linux boot disk works but the SAM seems to be invisible to Linux (although its in its standard location and later access with NTFSDOS allows it to be copied).

What would raise barriers to these types of tools?

• Lock the PC up.
  Recognized requirement for servers. How many workstations are behind locked doors? Given what you have learned here, shouldn't at least a select set of workstations be secured? Say the officers, personnel, security personnel, ...
• Power on passwords.
  A decent barrier. There are physical hacks. Are the cases locked?
• Set BIOS to boot from HD and not from floppy
  Raises the barrier a little.
• Remove the floppy and lock the case - higher barrier. For a high security environment. Would this fly where you work?
• Apply Microsoft's syskey to encrypt the hashes. See atips92. Syskey stymies the freeware Linux offline attacks at this point in time. Some of the commercial products state they can reset the password even if Syskey has been applied.
• Encrypt the hard drive. There are commercial products to do this. NT2000 includes encryption as an NT feature similar to NT4's NT compression feature. None of the methods I am aware of at this time will work under NT2000, even without the encrypting file system feature.

Some of the Linux boot disk utility variants leave a footprint. The password is changed. Some include backup/restore features for the sam. With this feature, one could boot a Windows NT PC; backup the sam data; overwrite the pw; reboot; login using the compromised account and do mischief including sending inappropriate email or deleting bits and pieces here and there - darn those unreliable PCs; restore the sam and the owner's pw; since the attack was offline, unless the shutdowns are monitored, the episode is essentially invisible.

The automated nature of these tools makes this available to putzes, baby hackers, and the guy/gal in the office next door. It took me 5 minutes with a very simple search to find the utilities and procedures documented on this page. The security by ignorance barrier is incredibly low.

The level of expertise to take advantage of physical access does vary. These baby tools for NT should make one seriously consider how to improve server and workstation security. Server physical security is generally good except in departmentally distributed servers. Workstation security is a nonentity in all but the most paranoid shops. These tools should give one pause, a act to protect your officers and other PCs with highly sensitive data from hackers.

Sunbelt released NTAccess which can replace the administrator password of a Windows NT; Windows 2000 system with or without Active Directory; or XP. It can bypass syskey protection. NTAccess can replace the administrator password of a Windows XP, Windows NT or Windows 2000 system by rebooting the computer with a special set of boot disks or CD-ROM (XP only). This is useful if you forgot the administrator password and cannot access the Windows XP/2000/NT system.

AccessData are in the business of password recovery and sell toolkits which can reset the administrator password under Netware and NT as well as office and personal application products such as Word and Quicken. They provide technical support should things go awry. Given the consequences of problems, tech support can be worth every penny. They also have a set of freebies utilities.

The Passware Kit also offer a fairly extensive password recovery suite including NT and many applications fairly inexpensively. They have recently announced a version of their product to reset Administrator password, secure boot password or key disk if lost: Windows 2000 password product with the following features:

• 100% recovery rate
• Windows XP Home and Professional Editions are supported
• Windows 2000 Professional, Server and Advanced Server are supported
• Windows NT Workstation and Server 3.50, 3.51, 4.0 are supported
• Loads third party mass storage (SCSI, RAID, etc.) drivers when using Windows XP, 2000 or NT 4.0 setup disks
• All secure boot options are supported
• All Service Packs are supported

WInternals offer NTLockSmith to reset lost NT passwords. It only works in conjunction with NT Recover which is designed to recover data from damaged NT boxes. It sounds much like the Linux solution but uses NT Recover to get to the registry of the target NT box. I suggest you take a close look at their admin tools. Their product is Windows 2000 compatible.

Dieter Spaar's NTAccess uses boot disks to access the NT / Windows 2000 system and change the administrator password. It can turnoff Syskey protection at the cost of the loss of all passwords except the administrators account which it resets. My guess is that they achieve this by deleting the LSA SecureBoot value and replacing the Administrator's password hash. They are not breaking the encryption. Just are turning it off. See my Syskey tip for more information.

Many sites document a rather complex method of resetting the administrator's password. The method takes advantage of the fact that certain system services, such as the spooler, operate under the security context of the local system. By changing the file name of the spooler to another executable it is possible to launch an application with privilege to change password. There are several versions. They work. They are complex. They have the advantage that they do not appeal to hackers - take too long - too much danger of exposure. This technique has the disadvantage that there must be enough space to install another copy of NT. This method is documented : here, here, here, and many other locations.

Some take a much more direct approach. This is actually a method to escalate a user's account to admin level. If you have another account on the box, even though it is not admin, lets say account manager or backup account, you can log onto the system, rename spoolss.exe to spoolssbak.exe, rename usrmgr.exe to spoolss.exe, reboot. When you logon after reboot, User Manager will be running in the foreground running as localsystem. This gives you the ability to reset the admin password to whatever you want, or to create an new admin account for example. You need to logoff and back on using the administrator command to get the renamed files back under their proper names.
Note: for NT workstation, User Manager is musrmgr.exe.