RE: Changing local admin PW using vb logon script - can it be encrypted?





> -----Original Message-----
> From: Jim Harrison (ISA) [mailto:Jim.Harrison@xxxxxxxxxxxxx]
> Sent: Monday, December 05, 2005 2:15 PM
> To: Thor (Hammer of God); Info; tth8@xxxxxxxxxxx;
> focus-ms@xxxxxxxxxxxxxxxxx
> Subject: RE: Changing local admin PW using vb logon script -
> can it be encrypted?
>
> True enough, but to quote a tall, hairy dewd I've worked with
> in front of a paying audience, "true security is a delicate
> balance between functionality and protection".
>
> Agreed - if your users are the least bit savvy, this trick
> will only buy you 5 minutes while they search for the script
> decoder, but if they're of the "where is the anykey?"
> variety, none of them will be any the wiser.
>
> Jim Harrison
> Security Platform Group (ISA SE)

I've been following this thread as I similarly want to change the local
admin password on multiple machines. I have to say I was a bit surprised
to see this kind of advice - maybe all the users where you work are
clueless, but I doubt that's the case in most organizations. And this
isn't just some relatively useless information, it's the local admin
account which I, as an intruder, would love to see "encoded" in a logon
script.

I missed the tall hairy "dewd" reference, and I agree that security must
always be balanced by usability, but surely something as valuable as
local admin ought to have more protection than that.

I would theorize (having not tried this yet) that setting a registry key
in Group Policy with the appropriate permissions and using a startup
script (runs as local machine, rather than current user, if memory
serves) instead of a logon script would be a fairly trivial way to
accomplish this task securely. Sure it takes 10 minutes longer to set up
but with the right permissions is far more secure and just as easy to
maintain.

Derick Anderson
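
An added example, not part of the original message or thread: a PowerShell check that a startup script could run before trusting a registry key delivered through Group Policy, confirming that only SYSTEM and the local Administrators group hold rights to read or re-permission it. The key path is a hypothetical placeholder and the allowed-SID list is an assumption.

```powershell
# Added example. The key path is a hypothetical placeholder.
$KeyPath = 'HKLM:\SOFTWARE\ExampleCorp\LocalAdmin'

# Assumption: only LocalSystem (S-1-5-18) and BUILTIN\Administrators
# (S-1-5-32-544) should be able to read or re-permission the key.
$AllowedSids = @('S-1-5-18', 'S-1-5-32-544')

# Rights that expose the stored value, or let a principal grant itself access.
$Sensitive = [System.Security.AccessControl.RegistryRights]'QueryValues, SetValue, ChangePermissions, TakeOwnership'

function Get-UnexpectedKeyAccess {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [Parameter(Mandatory)] [string[]] $Allowed
    )
    $acl = Get-Acl -Path $Path
    # Ask for SIDs rather than names so the comparison is not locale dependent.
    $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ([int]($rule.RegistryRights -band $Sensitive) -eq 0) { continue }
        if ($Allowed -notcontains $rule.IdentityReference.Value) {
            [pscustomobject]@{
                Sid       = $rule.IdentityReference.Value
                Rights    = $rule.RegistryRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

if (-not (Test-Path -Path $KeyPath)) {
    Write-Error "Key $KeyPath not found; nothing to check."
    exit 2
}

$findings = @(Get-UnexpectedKeyAccess -Path $KeyPath -Allowed $AllowedSids)
if ($findings.Count -gt 0) {
    $findings | Format-Table -AutoSize | Out-String | Write-Warning
    Write-Error "ACL on $KeyPath is broader than expected; do not use the stored value."
    exit 1
}
Write-Output "ACL on $KeyPath grants sensitive rights only to the allowed SIDs."
```

The check covers explicit and inherited allow entries on the key itself; it does not evaluate the key's owner or generic-rights entries that apply only to subkeys.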
