AW: Changing local admin PW using vb logon script - can it be encrypted?

Hi Tom,
3 possible options out of the mind:

- Use GPO setting for a default admin pwd => Hashed PW will be transmitted by applying the pw (not really save, but better than
cleartext)
- Use SMB-Signing for Client/Server requests/replies => secured transmission of logon events (cleartext, but secured in a signed
transport layer)
- Use IPSec for network traffic => best solution ever for secure transmission of IP-Traffic but most efforts for rollout & running
an enviroment

Hope it helped ;)

Andreas Habedank
----------------
HBDK.DE - IT-Security Management & Consulting - Ledersberg 3 - D-83727 Schliersee
Mile2.com CPTS Instructor / CEH / MCSE / RSA SecurID SE

-----Ursprüngliche Nachricht-----
Von: tth8@xxxxxxxxxxx [mailto:tth8@xxxxxxxxxxx]
Gesendet: Donnerstag, 1. Dezember 2005 18:03
An: focus-ms@xxxxxxxxxxxxxxxxx
Betreff: Changing local admin PW using vb logon script - can it be encrypted?

Hi all,

Long time lurker, first time poster. We have roughly 500 computers that we?d like to change the local admin passwords on. We
realize the security risks of having 1 password on all of our computers and are willing to assume that risk. We?ve developed a VB
script that we can implement as a logon script that works perfectly to change the password. We do not want this script sent along
as clear text if we can avoid it. Is there any way we can encrypt this script?

We?ve looked at options such as using Windows permissions to either deny Domain Users access (preventing anyone from reading the
script) or allowing only Domain Computers Read Only access?however I think that if you are logged into a local computer you should
be able to read the script. Not to mention, if you could capture the packets, you could easily find the script and its contents so
permissions would matter at all in that scenario.

Any help and/or insight is greatly appreciated.

Best,
?tom

---------------------------------------------------------------------------
---------------------------------------------------------------------------



---------------------------------------------------------------------------
---------------------------------------------------------------------------

Relevant Pages

  • Re: need to modify local group membership via VBscript
    ... Admin run the script on all NT computers. ... script can add domain groups to the local Administrators group. ... how to add a domain group to local administrators account: ...
    (microsoft.public.windows.server.scripting)
  • Re: need to modify local group membership via VBscript
    ... domain admin credentials in the script, then run the script through the ... script would have to use alternate credentials or a third part RunAs tool. ... ' Bind to local Administrators group on remote computer. ...
    (microsoft.public.windows.server.scripting)
  • Re: need to modify local group membership via VBscript
    ... Admin run the script on all NT computers. ... script can add domain groups to the local Administrators group. ... how to add a domain group to local administrators account: ...
    (microsoft.public.windows.server.scripting)
  • Re: Redirect computers to a specific OU by IP Address
    ... Getting theIPaddress of the workstation is easy if you are running the ... script from the workstation. ... COMPLETELY lock them down until an admin put them into the rightOU. ... used for approx 180-240 days (as there is over 1000 computer accounts ...
    (microsoft.public.windows.server.active_directory)
  • Re: SBS2003 Client Setup Wizard Problem
    ... I created a test user and logged in both computers one errored and one ... I checked the local admin group and domain users is not listed. ... On the problematic machines, I wonder if the Domain Users group ... any user logging into these machines can run the script (i.e, ...
    (microsoft.public.windows.server.sbs)