RE: local admin account password
From: Tyler Larson (sf-lists_at_tlarson.com)
Date: 11/26/03
- Previous message: shimi: "RE: local admin account password"
- In reply to: Mark Ribbans: "RE: local admin account password"
- Next in thread: Jimi Thompson: "Re: local admin account password"
Date: Wed, 26 Nov 2003 14:10:40 -0600 To: mark.ribbans@ctel.com.au
Another variation that works surprisingly well is to assign each machine a
unique password based on two obtainable values. One would be a secret key that
only authorized administrators would know, and the other being some
computer-specific value, such as the computer's network name (or better yet,
something like the box's stock number or some other string written on the box
itself). You can use a simple script to concatenate the two values, hash the
result (MD5 or the like) and display the output in a human-readable format,
like Base64. It would be trivial to write an app to generate these passwords
that would run on Palm or PocketPC devices, or other workstations. That way, if
an admin needed to use the computer administrator password, he could just type
in the computer key and his secret password, and he'd get the administrator
password for that computer.

Note that this sort of system does not provide any more security than the
single-password paradigm from a social engineering point of view. All a
malicious user needs is the administrator secret password and the simple app,
and he can retrieve the admin password for any computer. On the other hand, it
does protect against most external attacks--if a user found out the admin
password for a single computer (L0phtCrack, etc.), that password could not be
used to compromise other systems. Furthermore, no stored passwords would be
based on dictionary words, even if the administrator secret key is.

This paradigm often provides sufficient accessibility to the local
administrator account to deny administrative access to any network-based
accounts, increasing your security another notch. After all, a super-secret
local administrator account provides little additional security if you have a
domain user with administrative privileges.

This paradigm works well for installations such as public access computer labs,
where administrative access is seldom required.
Quoting Mark Ribbans <mark.ribbans@ctel.com.au>:
>
> What I would do (and do do) is set up a password scheme as you suggested in
> option 3. Just keep the scheme\algorithm to yourself or your IT team.
>
> There are a number of ways you can get specific information regarding each
> specific PC, and you can then use part of this information as the password.
> Two good examples of this would be the CPU ID (if enabled in the BIOS -
> which you could then disable and then set a BIOS password too for added
> security?) and the MAC Address.
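The derivation Tyler describes (admin secret + machine key, hashed, Base64-encoded) as an added example in Python; this is not code from the original thread, and the admin secret and machine keys in it are made up. It implements the post's scheme literally (MD5 over the plain concatenation) and, beside it, the same idea keyed with HMAC-SHA256, which a practitioner would use today. The HMAC variant also closes a small hole in plain concatenation: two different (secret, machine key) pairs that glue together into the same string yield the same MD5 password, which the example demonstrates. As the post says, neither variant helps if the admin secret itself leaks; the point is only that one cracked machine password does not give away the rest.

```python
import base64
import hashlib
import hmac

# Added example, not code from the original post. The admin secret and the
# machine keys used below are made up for the demonstration.


def derive_password_md5(admin_secret, machine_key):
    """The scheme as the post describes it: concatenate the admin secret and
    the machine-specific string, MD5 the result, Base64-encode the digest.
    A 16-byte digest gives 24 Base64 characters, the last two being '=' padding."""
    data = (admin_secret + machine_key).encode("utf-8")
    return base64.b64encode(hashlib.md5(data).digest()).decode("ascii")


def derive_password_hmac(admin_secret, machine_key, length=20):
    """Same idea, keyed properly: HMAC-SHA256 with the admin secret as the key
    and the machine key as the message. The two inputs can no longer be
    re-split into a colliding pair, and the output is truncated to something
    that can be typed by hand from a handheld's screen."""
    mac = hmac.new(admin_secret.encode("utf-8"), machine_key.encode("utf-8"),
                   hashlib.sha256).digest()
    # Drop Base64 padding: it carries no entropy and is awkward to type.
    return base64.b64encode(mac).decode("ascii").rstrip("=")[:length]


def password_sheet(admin_secret, machine_keys, derive=derive_password_hmac):
    """What the handheld app or workstation script would produce for a lab:
    one password per machine key. No entry reveals the secret or any other
    machine's password."""
    return {key: derive(admin_secret, key) for key in machine_keys}


def concatenation_ambiguity(secret_a, key_a, secret_b, key_b):
    """For two (secret, key) pairs whose plain concatenation is identical,
    return (md5_same, hmac_same). The post's scheme gives the same password
    for both; the HMAC variant does not. This matters when machine keys are
    written on the box and the secret's boundary is guessable."""
    if secret_a + key_a != secret_b + key_b:
        raise ValueError("the two pairs must concatenate to the same string")
    md5_same = derive_password_md5(secret_a, key_a) == derive_password_md5(secret_b, key_b)
    hmac_same = derive_password_hmac(secret_a, key_a) == derive_password_hmac(secret_b, key_b)
    return md5_same, hmac_same


if __name__ == "__main__":
    secret = "correct horse"  # made-up admin secret, deliberately dictionary words
    machines = ["LAB-PC-01", "LAB-PC-02", "STOCK#4471"]  # made-up machine keys
    for key, pw in password_sheet(secret, machines, derive_password_md5).items():
        print(f"md5   {key:12s} {pw}")
    for key, pw in password_sheet(secret, machines).items():
        print(f"hmac  {key:12s} {pw}")
    print("concatenation collision (md5, hmac):",
          concatenation_ambiguity("admin", "pc01", "adm", "inpc01"))
```

The derived string is what the admin would then feed to whatever sets the local account password on the box (for example `net user Administrator <password>` on Windows). Keep the sheet itself off disk: the whole point of deriving on demand is that nothing but the admin secret needs to be remembered.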