RE: Local admin password

From: Jason Gregson (Jason.Gregson_at_easyi.com)
Date: 06/30/05


Date: Thu, 30 Jun 2005 20:16:20 +0100
To: "francois" <francois.colombier@free.fr>, "Alexander Klimov" <alserkli@inbox.ru>

Hello all

I would tend to agree on this if we were talking about "best practice", but we are not. You also need to consider the practicalities of different passwords for every workstation. Security is about compromise: security vs. usability. The most secure PC on the network or internet is one that is unplugged and switched off (even then it could be compromised locally with a well-known offline password reset; no hacking needed). But what good is a machine that is not connected to the network or internet if you need to surf? This is where the compromise starts. You have to make best efforts in securing it all and still allow users to complete the tasks they have been assigned.

So back to the point in question: setting all the local machines to have the same local administrator password. If you are in a larger network, say 500-plus machines, how on earth are you going to be able to manage all those passwords? Then you will have to reset all the passwords according to a password policy that you set, e.g. every 30 days. You would need a full-time admin just to manage passwords. This would be an impractical use of security and resources, not to mention the cost, much the same as unplugging your machine from the internet every time you close the browser: whilst this will stop hackers connecting to your machine, you will soon get fed up with unplugging and plugging in the network card.

The point is not being ignored; it's simply not practical to go down this route. If you then have to store all the passwords in a file (no matter how secret), there is a single point of failure again. So why bother trying to hack all 500 machines when all you have to do is hack the single file?

No system's security is infallible. You have to do enough to stay ahead of the game (whatever that may entail).

Having a really strong password (in excess of 12 characters, no dictionary words, non-printable characters and so on) will also slow down brute-force attacks.

There have been some excellent suggestions on this matter in the lists, most of which will suffice.

Well that's my two pence worth



Regards

Jason


-----Original Message-----
From: francois [mailto:francois.colombier@free.fr]
Sent: 30 June 2005 10:13
To: Alexander Klimov
Cc: danoli@adinet.com.uy; focus-ms@securityfocus.com
Subject: Re: Local admin password


Alexander Klimov wrote:

>On Tue, 28 Jun 2005 danoli@adinet.com.uy wrote:
>
>
>>One of my customers asks me how to change the password of all local administrators
>>of Windows XP workstations. They don't want to go to each one and change
>>it because they are quite a lot and they need to put the same password to
>>all. Is there any tool to do this?
>>
>>
>
>Everybody has a solution to the problem, yet nobody seems to think
>a step ahead :-)
>
>If you use the same password for all the local admin accounts, anybody
>with physical access to one computer and john-the-ripper has
>immediate access to all of them!
>
>Whatever tool you use for setting passwords make sure that you set
>*different* passwords for different hosts.
>
>
>
It was exactly what I thought when I read this subject.
However, if the password is strong enough (more than 8 characters, using
letters, figures and symbols) it could be very difficult to find it out.
Of course, the data could be stored on a USB key and used in a huge and
powerful computer in order to do the cracking outside the company.

But I agree with Alexander: the best is to follow the rule that says
that each host has to have its own password.
It doesn't mean that this can't be done automatically.
It's just somewhat more complicated, and you need to keep secret a
file where the (host, password) pairs are stored.
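One way to do what francois describes (a different local Administrator password on every host, set automatically) without keeping a plaintext (host, password) file, as an added example that is not part of this thread or of any tool mentioned in it. It goes slightly beyond the thread: instead of storing each password, it derives every host's password from one master key as HMAC-SHA256(masterKey, HOSTNAME|epoch), so an admin holding the key can recompute any host's password on demand, and changing the epoch string rotates all hosts. Assumptions (not from the thread): hosts.txt lists one hostname per line, the master key is a base64-encoded 32-byte secret in the environment variable LOCALADMIN_MASTER, the target account is the built-in Administrator, the admin running the script has administrative rights on and network access to each target, and nothing is changed unless -Apply is given.

```powershell
<#
  Added example (not from the thread). Derive a unique local Administrator
  password per host from a single master key instead of storing a list.
  Assumed inputs: .\hosts.txt (one hostname per line) and $env:LOCALADMIN_MASTER
  (base64 of 32 random bytes, produced once with -NewMasterKey).
#>
param(
    [string]$HostList = '.\hosts.txt',
    [string]$Epoch    = (Get-Date -Format 'yyyy-MM'),   # change this string to rotate every host
    [switch]$Apply,                                     # without it, only a dry run is printed
    [switch]$NewMasterKey                               # print a fresh master key and exit
)

function New-MasterKey {
    # 32 bytes from the OS CSPRNG; keep the output DPAPI-encrypted or offline,
    # never next to the host list.
    $bytes = New-Object byte[] 32
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)
    [Convert]::ToBase64String($bytes)
}

function Get-HostAdminPassword {
    param([string]$ComputerName, [string]$Epoch, [byte[]]$MasterKey)

    # HMAC-SHA256 over "HOSTNAME|epoch" gives 32 pseudorandom bytes that only
    # the holder of the master key can reproduce.
    $hmac = New-Object System.Security.Cryptography.HMACSHA256
    $hmac.Key = $MasterKey
    $label = [Text.Encoding]::UTF8.GetBytes($ComputerName.ToUpperInvariant() + '|' + $Epoch)
    $mac = $hmac.ComputeHash($label)

    $upper = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
    $lower = 'abcdefghijklmnopqrstuvwxyz'
    $digit = '0123456789'
    $punct = '!#%+-=?@_~'
    $all   = $upper + $lower + $digit + '!#'   # exactly 64 symbols, so byte % 64 is unbiased

    # The first four characters take one class each so the result passes the
    # usual "three of four classes" complexity rule (the modulo on these four
    # is slightly biased, which is acceptable for 4 of 20 characters); the
    # remaining 16 come from the 64-symbol alphabet at 6 bits each (~96 bits).
    $chars = @(
        $upper[$mac[0] % $upper.Length],
        $lower[$mac[1] % $lower.Length],
        $digit[$mac[2] % $digit.Length],
        $punct[$mac[3] % $punct.Length]
    )
    for ($i = 4; $i -lt 20; $i++) { $chars += $all[$mac[$i] % 64] }
    -join $chars
}

if ($NewMasterKey) { New-MasterKey; return }

if (-not $env:LOCALADMIN_MASTER) {
    throw 'Set LOCALADMIN_MASTER to the output of this script run with -NewMasterKey first.'
}
$key = [Convert]::FromBase64String($env:LOCALADMIN_MASTER)

foreach ($computer in Get-Content $HostList | Where-Object { $_.Trim() }) {
    $computer = $computer.Trim()
    $password = Get-HostAdminPassword -ComputerName $computer -Epoch $Epoch -MasterKey $key
    if ($Apply) {
        # WinNT ADSI provider; needs admin rights on the target and a reachable SAM.
        $account = [ADSI]"WinNT://$computer/Administrator,user"
        $account.SetPassword($password)
        $account.SetInfo()
        Write-Output "${computer}: Administrator password set for epoch $Epoch"
    } else {
        Write-Output "${computer} -> $password   (dry run; add -Apply to set it)"
    }
}
```

Usage: run once with -NewMasterKey, put the result in LOCALADMIN_MASTER, then run with -Apply from an account that is already an administrator on the targets (the current shared password, for the first rotation). Every SAM now holds a different hash, so a dumped SAM or an offline reset on one workstation no longer opens the others, which is Alexander's objection answered. Jason's objection survives in a different form: the master key is still a single point of failure, but it is one 32-byte secret that can be held offline or DPAPI-encrypted rather than a plaintext list that has to be consulted every day. Two caveats: the dry run prints passwords to the console (and to any transcript), so use it only when that is acceptable; and a host that was off the network during a rotation still carries the previous epoch's password, which you recover by running the script again with the old -Epoch value for that host.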
