RE: local admin passwords

From: Fred.Langston@guardent.com
Date: 08/02/02


From: Fred.Langston@guardent.com
To: mgreene@mgreene.com, focus-ms@securityfocus.com
Date: Thu, 1 Aug 2002 21:53:02 -0400 

Ah yes, the local admin password conundrum. There is no totally secure
method to change local admin passwords as they all need the "net user"
command which will change them with clear text over the wire. Other than
that 'small' problem, you can use one of many commercial tools available or
just write a script to do it. I would recommend against using the same
password on all systems as they will need to be changed every time someone
leaves the org. Use an encrypted database with an app/web front end that
scripts the whole operation. Only give out passwords on an as needed basis,
then script in a change after, say 24 hours, to set it to some complex,
preferably 15 character password (not L0pht-crackable). Also, enforce
password policy elements like 45 day changes. Remember to keep a couple old
passwords in the database history for users that may be logging in with
cached credentials and cannot connect to the network for an extended period.

Of course, a Linux boot disk negates all this work, but this is the best
I've come up with for an enterprise local admin password solution. Good
luck!

Fred Langston
  Principal Consultant
  W: 206.903.8147 x223 F: 206.903.1862 M: 425.765.3330
  Seattle, WA www.guardent.com
________________________________________
G U A R D E N T
  Enterprise Security and Privacy Programs
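The scheme Fred lays out above (a vault of per-machine passwords, a password rotated 24 hours after it is handed out, a 45-day maximum age, and a short history kept for users on cached credentials), written out as an added Python example that is not code from this thread; the in-memory `LocalAdminVault` class is an assumed stand-in for the encrypted database, and the step that actually sets the password on each host (net user or a commercial tool) is left out.

```python
import secrets
import string
from datetime import timedelta
# Policy values are taken from the post above; the vault design itself is an assumption.
PASSWORD_LENGTH = 15                   # "preferably 15 character password"
MAX_AGE = timedelta(days=45)           # "45 day changes"
CHECKOUT_GRACE = timedelta(hours=24)   # rotate 24 hours after a password is handed out
HISTORY_DEPTH = 2                      # keep a couple of old passwords for cached logins
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=PASSWORD_LENGTH):
    """Random password with at least one lower, upper, digit and punctuation character."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in string.punctuation for c in pw)):
            return pw

class LocalAdminVault:
    """In-memory stand-in for the encrypted password database (hypothetical)."""
    def __init__(self):
        self.hosts = {}  # hostname -> {"current", "history", "set_at", "checked_out_at"}

    def rotate(self, host, now):
        """Issue a fresh, per-host password and push the old one into the history."""
        rec = self.hosts.setdefault(
            host, {"current": None, "history": [], "set_at": None, "checked_out_at": None})
        if rec["current"] is not None:
            rec["history"] = ([rec["current"]] + rec["history"])[:HISTORY_DEPTH]
        rec["current"] = generate_password()
        rec["set_at"], rec["checked_out_at"] = now, None
        # A real deployment would now set the password on the host (net user or a tool).
        return rec["current"]

    def checkout(self, host, now):
        """Hand the current password to an operator and start the 24-hour clock."""
        self.hosts[host]["checked_out_at"] = now
        return self.hosts[host]["current"]

    def due_for_rotation(self, now):
        """Hosts whose password is older than MAX_AGE or was handed out >= CHECKOUT_GRACE ago."""
        def due(rec):  # hosts only enter the vault via rotate(), so set_at is always set
            aged = now - rec["set_at"] >= MAX_AGE
            exposed = rec["checked_out_at"] is not None and now - rec["checked_out_at"] >= CHECKOUT_GRACE
            return aged or exposed
        return sorted(host for host, rec in self.hosts.items() if due(rec))

    def accepted_passwords(self, host):
        """Current password plus recent history, for users still logging in on cached credentials."""
        return [self.hosts[host]["current"]] + self.hosts[host]["history"]
```

Run `due_for_rotation` from the scheduler and call `rotate` for each host it returns; every host then gets a different password, so one departing employee only forces re-keying of the hosts whose passwords were checked out to them.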

-----Original Message-----
From: Michael G. Greene [mailto:mgreene@mgreene.com]
Sent: Thursday, August 01, 2002 9:16 AM
To: focus-ms@securityfocus.com
Subject: local admin passwords

Hello everyone. Well, I have given up resolving this issue on my own
and am seeking the minds of experts. Is there a SECURE, enterprise
method of regularly changing local admin passwords? By enterprise
method I mean to change the local admin password, on a regularly
scheduled interval, for every server and workstation machine, with a
scope capable of dealing with 1000+ machines. Of course, the passwords
should each change to a common string.

Thanks

Michael