Re: Changing local admin PW using vb logon script - can it be encrypted?



One should also note that any login script in sysvol is, by default, readable by all authenticated users. All anyone has to do is browse to \\domain.com\sysvol\domain.com\scripts and they can just open up the vbs file. Not a very good place to put "secret" information.

t

-----
"And yet, even if one person finds his way... that means
there is a Way.  Even if I personally fail to reach it."

Mr. Nobusuke Tagomi
Top Place, Ranking Imperial Trade Mission
Pacific States of America




----- Original Message ----- From: "Info" <Info@xxxxxxx>
To: <tth8@xxxxxxxxxxx>; <focus-ms@xxxxxxxxxxxxxxxxx>
Sent: Thursday, December 01, 2005 9:32 AM
Subject: AW: Changing local admin PW using vb logon script - can it be encrypted?



Hi Tom, 3 possible options out of the mind:

- Use GPO setting for a default admin pwd => Hashed PW will be transmitted by applying the pw (not really save, but better than
cleartext)
- Use SMB-Signing for Client/Server requests/replies => secured transmission of logon events (cleartext, but secured in a signed
transport layer)
- Use IPSec for network traffic => best solution ever for secure transmission of IP-Traffic but most efforts for rollout & running
an enviroment


Hope it helped ;)

Andreas Habedank
----------------
HBDK.DE - IT-Security Management & Consulting - Ledersberg 3 - D-83727 Schliersee
Mile2.com CPTS Instructor / CEH / MCSE / RSA SecurID SE


-----Ursprüngliche Nachricht-----
Von: tth8@xxxxxxxxxxx [mailto:tth8@xxxxxxxxxxx]
Gesendet: Donnerstag, 1. Dezember 2005 18:03
An: focus-ms@xxxxxxxxxxxxxxxxx
Betreff: Changing local admin PW using vb logon script - can it be encrypted?


Hi all,

Long time lurker, first time poster. We have roughly 500 computers that we'd like to change the local admin passwords on. We
realize the security risks of having 1 password on all of our computers and are willing to assume that risk. We've developed a VB
script that we can implement as a logon script that works perfectly to change the password. We do not want this script sent along
as clear text if we can avoid it. Is there any way we can encrypt this script?


We've looked at options such as using Windows permissions to either deny Domain Users access (preventing anyone from reading the
script) or allowing only Domain Computers Read Only access.however I think that if you are logged into a local computer you should
be able to read the script. Not to mention, if you could capture the packets, you could easily find the script and its contents so
permissions would matter at all in that scenario.


Any help and/or insight is greatly appreciated.

Best,
.tom

---------------------------------------------------------------------------
---------------------------------------------------------------------------



---------------------------------------------------------------------------
---------------------------------------------------------------------------




--------------------------------------------------------------------------- ---------------------------------------------------------------------------



Relevant Pages

  • Re: problem with giving domain users local admim rights
    ... This logon script would actually need to be a start up script. ... It would be less administration if users had admin rights. ... security group to the local admin group on the workstation. ...
    (microsoft.public.win2000.group_policy)
  • Re: Finding users in local admin groups
    ... > Here is a vbscript that you can run against a remote computer that moves ... > *local* users except 'Administrator) from the Administrators group to the ... You should also add to the script logging to a file of the ... > you moved on what computers. ...
    (microsoft.public.win2000.security)
  • Re: Group policy does not apply correctly .. please comment
    ... user policy to be different on some specific computers (e.g terminal servers ... You need to put the logon script into a separate GPO that is linked to ...
    (microsoft.public.windows.group_policy)
  • Re: Change local administrator password ? through GPO or push script ?
    ... I would like to change the local administrator password of every computers member of my AD domain but I am not sure of the best method. ... Create a vbs script that points to the local computer and then deploy this script by GPO. ... This attribute will permit to know wich admin password is configured for this machine. ...
    (microsoft.public.windows.server.active_directory)
  • Trouble with VBscript
    ... Hey - I wrote a logon script in vbs to log username, ... It is located in Active Directory Users and Computers, ...
    (microsoft.public.scripting.vbscript)