RE: Local admin password
From: Dave Wells (dave.wells_at_foreshore.net)
Date: 07/01/05
Date: Fri, 1 Jul 2005 12:14:06 +0100
Check out the link below; it can be run via a scheduled task (VB Script) or from an Excel front end. It will remove old computer accounts and also reset the password to a random password with definable character limits and if symbols should be used in the password. It can also automatically enumerate computers in one domain or multiple domains.
http://www.windowsitpro.com/Windows/Articles/ArticleID/16292/pg/2/2.html
Regards
Dave Wells
-----Original Message-----
From: Jason Gregson [mailto:Jason.Gregson@easyi.com]
Sent: 30 June 2005 20:16
To: francois; Alexander Klimov
Cc: danoli@adinet.com.uy; focus-ms@securityfocus.com
Subject: RE: Local admin password
Hello all
I would tend to agree on this if we were talking about "Best practice" but we are not. You also need to consider the practicalities of different passwords for every workstation. Security is about compromise. Security vs. usability. The most secure PC on the network or internet is one that is unplugged and switched off (even then it could be compromised locally with a well-known offline password reset - no hacking needed). But what good is a machine that is not connected to the network or internet if you need to surf? This is where the compromise starts. You have to make best efforts in securing it all and still allow users to complete the tasks they have been assigned.
So back to the point in question. Setting all the local machines to have the same local administrator password. If you are in a larger network, say 500+, how on earth are you going to be able to manage all those passwords? Then you will have to reset all the passwords according to a password policy that you set - e.g. every 30 days. You would need a full time admin just to manage passwords. This would be an impractical use of security and resources, not to mention the cost, much the same as unplugging your machine from the internet after every time you close the browser, whilst this will stop hackers connecting to your machine, you will soon get fed up with unplugging and plugging in the network card.
The point is not being ignored, it's simply not practical to go down this route. If you then have to store all the passwords in a file (no matter how secret), there is a single point of failure again. So why bother trying to hack all 500 machines when all you have to do is hack the single file.
No system's security is infallible. You have to do enough to stay ahead of the game (whatever that may entail).
Having a really strong password in excess of 12 chars/no dictionary words/non printable characters and so on will also slow down brute force attacks.
There have been some excellent suggestions on this matter in the lists, most of which will suffice.
Well that's my two pence worth
Regards
Jason
-----Original Message-----
From: francois [mailto:francois.colombier@free.fr]
Sent: 30 June 2005 10:13
To: Alexander Klimov
Cc: danoli@adinet.com.uy; focus-ms@securityfocus.com
Subject: Re: Local admin password
Alexander Klimov wrote:
>On Tue, 28 Jun 2005 danoli@adinet.com.uy wrote:
>
>
>>One of my customers asks me how to change the password of all local
>>administrators of Windows XP workstations. They don't want to go to
>>each one and change it because they are quite a lot and they need to
>>put the same password to all. Is there any tool to do this?
>>
>>
>
>Everybody has a solution to the problem, yet nobody seems to think a
>step ahead :-)
>
>If you use the same password for all the local admin accounts, then
>anybody with physical access to one computer and john-the-ripper has
>immediate access to all of them!
>
>Whatever tool you use for setting passwords make sure that you set
>*different* passwords for different hosts.
>
>
>
It was exactly what I thought when I read this subject. However, if the password is strong enough (more than 8 characters, using letters, figures and symbols) it could be very difficult to find it out. Of course, data could be stored in a USB key and used in a huge and powerful computer in order to make the rip outside the company.
But, I agree with Alexander, the best is to follow the rule that says
that each host has to have its own password.
It doesn't mean that this can't be done automatically.
It's just somewhat more complicated, and you need to keep in secret a
file where the couples (host,password) are stored.
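
The per-host scheme discussed in this thread (a different random local admin password for each workstation, with a definable length range and optional symbols), as an added example that is not part of the original messages or of the linked script. The host names, the symbol set and all function names are assumptions made for illustration; the resulting (host, password) table is the secret that has to be protected.

```python
import math
import secrets
import string

# Assumed symbol set for illustration; adjust to what your tooling accepts.
SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{}~"

def generate_password(min_len, max_len, use_symbols=True):
    """Random password, length in [min_len, max_len], one char from each class."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if use_symbols:
        classes.append(SYMBOLS)
    if min_len < len(classes) or max_len < min_len:
        raise ValueError("length range too small for the required classes")
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    alphabet = "".join(classes)
    # Guarantee every class appears, then fill the rest from the full alphabet.
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(classes))]
    secrets.SystemRandom().shuffle(chars)  # CSPRNG-backed shuffle
    return "".join(chars)

def assign_passwords(hosts, min_len=14, max_len=20, use_symbols=True):
    """Return {host: password}; no password is shared between two hosts."""
    table, used = {}, set()
    for host in hosts:
        pw = generate_password(min_len, max_len, use_symbols)
        while pw in used:  # astronomically unlikely, but enforce uniqueness
            pw = generate_password(min_len, max_len, use_symbols)
        used.add(pw)
        table[host] = pw
    return table

def search_space_bits(length, use_symbols=True):
    """Upper bound on brute-force search space, in bits, for a random password."""
    alphabet_size = 62 + (len(SYMBOLS) if use_symbols else 0)
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    hosts = [f"WS-{n:03d}" for n in range(1, 501)]  # constructed host names
    table = assign_passwords(hosts)
    print(len(table), "hosts,", len(set(table.values())), "distinct passwords")
    print("8 chars with symbols : %.1f bits" % search_space_bits(8))
    print("12 chars with symbols: %.1f bits" % search_space_bits(12))
```

With unique values per host, cracking the hash recovered from one workstation yields nothing reusable on the other 499.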