Re: local admin passwords

From: Laura A. Robinson (larobins@bellatlantic.net)
Date: 08/06/02


From: "Laura A. Robinson" <larobins@bellatlantic.net>
To: <Fred.Langston@guardent.com>, <mgreene@mgreene.com>, <focus-ms@securityfocus.com>
Date: Tue, 6 Aug 2002 03:24:58 -0400

Or better yet, do all that and then lock out all the admin accounts via
passprop. They can then only be used for local logon, and these accounts
really shouldn't be used, anyway.

Laura
----- Original Message -----
From: <Fred.Langston@guardent.com>
To: <mgreene@mgreene.com>; <focus-ms@securityfocus.com>
Sent: Thursday, August 01, 2002 9:53 PM
Subject: RE: local admin passwords

> Ah yes, the local admin password conundrum. There is no totally secure
> method to change local admin passwords as they all need the "net user"
> command which will change them with clear text over the wire. Other than
> that 'small' problem, you can use one of many commercial tools available or
> just write a script to do it. I would recommend against using the same
> password on all systems as they will need to be changed every time someone
> leaves the org. Use an encrypted database with an app/web front end that
> scripts the whole operation. Only give out passwords on an as needed basis,
> then script in a change after, say 24 hours, to set it to some complex,
> preferably 15 character password (not L0pht-crackable). Also, enforce
> password policy elements like 45 day changes. Remember to keep a couple old
> passwords in the database history for users that may be logging in with
> cached credentials and cannot connect to the network for an extended period.
>
> Of course, a Linux boot disk negates all this work, but this is the best
> I've come up with for an enterprise local admin password solution. Good
> luck!
>
> Fred Langston
> Principal Consultant
> W: 206.903.8147 x223 F: 206.903.1862 M: 425.765.3330
> Seattle, WA www.guardent.com
> ________________________________________
> G U A R D E N T
> Enterprise Security and Privacy Programs
>
>
>
> -----Original Message-----
> From: Michael G. Greene [mailto:mgreene@mgreene.com]
> Sent: Thursday, August 01, 2002 9:16 AM
> To: focus-ms@securityfocus.com
> Subject: local admin passwords
>
>
> Hello everyone. Well, I have given up resolving this issue on my own
> and am seeking the minds of experts. Is there a SECURE, enterprise
> method of regularly changing local admin passwords? By enterprise
> method I mean to change the local admin password, on a regularly
> scheduled interval, for every server and workstation machine, with a
> scope capable of dealing with 1000+ machines. Of course, the passwords
> should each change to a common string.
>
>
>
> Thanks
>
> Michael
>
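
The rotation policy described in the quoted reply (a unique 15-character password per machine, a change 24 hours after a password is handed out, a 45-day maximum age, and a short history of old passwords), sketched as an added example that is not part of the original thread or any poster's code. The `Vault` class, host names, symbol set and `HISTORY_DEPTH = 2` are assumptions; encryption of the store and pushing the new password to the machine are out of scope.

```python
import secrets
import string
from datetime import datetime, timedelta

# Policy values from the thread; HISTORY_DEPTH is an assumed reading of "a couple".
LENGTH = 15
MAX_AGE = timedelta(days=45)
CHECKOUT_TTL = timedelta(hours=24)
HISTORY_DEPTH = 2
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#$%*+-=?@_")

def new_password():
    """Return 15 CSPRNG-chosen characters with at least one from each class."""
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(LENGTH))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

class Vault:
    """In-memory stand-in for the encrypted database (hypothetical, no encryption shown)."""
    def __init__(self):
        self.hosts = {}  # host -> current, set_at, rotate_at, history

    def rotate(self, host, now):
        """Generate a fresh per-host password and retire the old one into history."""
        rec = self.hosts.setdefault(host, {"current": None, "history": []})
        if rec["current"] is not None:
            rec["history"] = ([rec["current"]] + rec["history"])[:HISTORY_DEPTH]
        rec.update(current=new_password(), set_at=now, rotate_at=now + MAX_AGE)
        return rec["current"]  # the caller is responsible for setting it on the host

    def checkout(self, host, now):
        """Hand out the password as needed and schedule a change 24 hours later."""
        rec = self.hosts[host]
        rec["rotate_at"] = min(rec["rotate_at"], now + CHECKOUT_TTL)
        return rec["current"]

    def due(self, now):
        """Hosts whose password must be changed at or before `now`."""
        return sorted(h for h, r in self.hosts.items() if r["rotate_at"] <= now)

    def candidates(self, host):
        """Current password plus retained old ones, for a machine that missed changes."""
        rec = self.hosts[host]
        return [rec["current"]] + rec["history"]
```
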


