Re: disclosure the administrative password

From: Mike Groh (lists_at_mikegroh.net)
Date: 02/08/05

  • Next message: Vedran Matica: "RE: active directory password policy"
    Date: Mon, 07 Feb 2005 21:46:13 -0800
    To: focus-ms@securityfocus.com
    
    

    The workstation admin idea sounds good to me. I want to do it in my
    network. Is there a way to easily push this policy to the workstations?
    Win2k3 server (AD) and XP workstations. I'm assuming it would involve
    GPO, but I have very little experience with it.

    Thank You,

    -Mike

    d.pigna@email.it wrote:

    > Hi Boris
    >
    > What about something like:
    >
    > 1) Create a WorkstationAdmin who has admin privileges on workstations
    > (local admin), and NOT on servers, Active Directory, network folders,
    > etc...
    > This will ensure, if the password is compromised, that only your
    > workstations will be at risk.
    >
    > 2) If you have several OUs and several Local
    > Administrators/Supervisors, create different WorkstationAdmins.
    > Again: the lowest number of machines compromised in case someone
    > gets this password.
    >
    > 3) Change this password (these passwords) EVERY DAY. Or every hour.
    >
    >
    > A question from my side, now.
    >
    > How many times are these operations performed every day?
    >
    > Everyday operations have to be easy and fast. In this case, I suggest
    > you give your Supervisors a wide range of "freedom".
    > Otherwise you'll get a call every time a normal maintenance operation
    > is performed on a remote, lonely and useless machine (something you
    > don't want to happen).
    > It's better to have 5 workstations compromised every year - that need
    > to be reinstalled - than 50 calls every day.
    >
    > How many workstations/LocalAdmins do you have?
    >
    > Is there a REAL security risk in your environment? Who can be really
    > dangerous for you? If you're at risk, and you have to protect sensitive
    > information, you'll need to give up on usability, and go for
    > security (i.e. change LocalAdmins' passwords every day).
    > If you don't have something really important to protect... c'mon, just
    > make LocalAdmin life easy.
    >
    > If you're managing 10,000 machines in a high school, what data are you
    > trying to protect on every single workstation? PPT files for the art
    > teacher and some stupid videos downloaded by students?? ;-)
    > Let them play, and mess up!
    >
    >
    > It could be nice to have a final report on this question...
    > Something that will put together all these suggestions and try to
    > outline a security model (from very weak to very strong) for different
    > security needs.
    >
    > Hope this helped.
    > Davide
    >
    >
    >
    > Boris Skoblo wrote:
    >
    >>
    >>>> Hi All,
    >>>>
    >>>> There is a usual situation: on normal users' computers (W2k and
    >>>> WinXP) an administrator should perform administrative actions
    >>>> (for example, with the help of RunAs), thus the administrative password is
    >>>> entered. There is a potential possibility that on the user's computer
    >>>> there is a keylogger.
    >>>>
    >>>>
    >>>> What ways to perform administrative operations exist that do not
    >>>> endanger disclosure of the administrative password? There are some
    >>>> limitations:
    >>>>
    >>>> 1. usage of smart cards and other hardware devices is not
    >>>> applicable.
    >>>>
    >>>> 2. performed operations cannot be delegated for various reasons
    >>>>
    >>>> 3. the keylogger is custom designed and no existing protective
    >>>> software detects it yet
    >>>>
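One way to implement Davide's three steps (a per-OU WorkstationAdmin with local admin rights only, one per OU, rotated daily) and push the membership through GPO as Mike asks, as an added example that is not code from the thread. It assumes a domain controller with the ActiveDirectory PowerShell module, the placeholder domain corp.example, constructed OU names Lab and Office, and the hypothetical output folder C:\Temp\RestrictedGroups.

```powershell
# Added example, not from the thread: one workstation-admin identity per OU, pushed to
# local Administrators via a Restricted Groups template and rotated daily. Placeholder domain.
Import-Module ActiveDirectory
$DomainDN  = 'DC=corp,DC=example'            # placeholder domain
$OUs       = @('Lab', 'Office')              # constructed OU names (keep sAMAccountName <= 20 chars)
$AdminsSid = 'S-1-5-32-544'                  # well-known SID of BUILTIN\Administrators
$OutDir    = 'C:\Temp\RestrictedGroups'      # hypothetical folder for the generated .inf files
function New-RandomPassword([int]$Length = 24) {
    # 64-symbol alphabet, so byte mod 64 is unbiased; 0/O/1/l/I left out to ease manual entry.
    $chars = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%&*+-='
    $bytes = New-Object byte[] $Length
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % 64] })
}
function Reset-WorkstationAdminPassword([string]$User) {
    # Step 3 of the thread, run from a daily scheduled task: whatever a keylogger
    # captured yesterday stops working on every machine in that OU at once.
    $new = New-RandomPassword
    Set-ADAccountPassword -Identity $User -Reset -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
    return $new   # hand to the supervisor out of band
}
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
foreach ($ou in $OUs) {
    $user = "wsadm-$ou"; $group = "WorkstationAdmins-$ou"; $ouDN = "OU=$ou,$DomainDN"
    # Steps 1 and 2: a dedicated account and group per OU, member of nothing else,
    # so the account has no rights on servers, AD or file shares.
    if (-not (Get-ADUser -Filter "SamAccountName -eq '$user'")) {
        New-ADUser -Name $user -SamAccountName $user -Path $ouDN -Enabled $true `
            -AccountPassword (ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force)
    }
    if (-not (Get-ADGroup -Filter "SamAccountName -eq '$group'")) {
        New-ADGroup -Name $group -GroupScope Global -Path $ouDN
    }
    Add-ADGroupMember -Identity $group -Members $user
    $sid = (Get-ADGroup -Identity $group).SID.Value
    # Restricted Groups template: local Administrators on machines in this OU holds exactly this
    # group (the built-in Administrator always stays). Import via Security Settings > Import Policy.
    $inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Group Membership]
*{0}__Memberof =
*{0}__Members = *{1}
'@ -f $AdminsSid, $sid
    Set-Content -Path (Join-Path $OutDir "$ou.inf") -Value $inf -Encoding Unicode
}
```

Each generated .inf is imported into the GPO linked to that OU (Computer Configuration > Windows Settings > Security Settings, right-click > Import Policy), after which a supervisor who types wsadm-Lab into RunAs on a keylogged machine exposes at most the Lab workstations, and only until the next rotation.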

