RE: Changing local admin PW using vb logon script - can it be encrypted?



Not advice, per se; just one (admittedly simple) option among many
offered herein.

As I stated, your techniques have to be balanced against the threats and
functionality and clients you have to support.

For instance, renaming the admin account is relatively weak "security by
obscurity", but it stops the vast majority of script kiddie
admin-seeking account attacks. Anyone with read access to the domain
and a modicum of scripting skills can reverse-resolve any SID to an
account name and off they go. I can think of no less than three
different mechanisms available to Windows scripting that would allow
this...

One thing to bear in mind is that if your users actually pose an active
security threat as opposed to those that just bring in new and
interesting forms of worms / viruses, then you have far more to worry
about than just changing your local admin password via scripts...

Jim Harrison
Security Platform Group (ISA SE)
If We Can't Fix It - It Ain't Broke!

-----Original Message-----
From: Derick Anderson [mailto:danderson@xxxxxxxxx]
Sent: Tuesday, December 06, 2005 5:19 AM
To: focus-ms@xxxxxxxxxxxxxxxxx
Subject: RE: Changing local admin PW using vb logon script - can it be
encrypted?



> -----Original Message-----
> From: Jim Harrison (ISA) [mailto:Jim.Harrison@xxxxxxxxxxxxx]
> Sent: Monday, December 05, 2005 2:15 PM
> To: Thor (Hammer of God); Info; tth8@xxxxxxxxxxx;
> focus-ms@xxxxxxxxxxxxxxxxx
> Subject: RE: Changing local admin PW using vb logon script -
> can it be encrypted?
>
> True enough, but to quote a tall, hairy dewd I've worked with
> in front of a paying audience, "true security is a delicate
> balance between functionality and protection".
>
> Agreed - if your users are the least bit savvy, this trick
> will only buy you 5 minutes while they search for the script
> decoder, but if they're of the "where is the anykey?"
> variety, none of them will be any the wiser.
>
> Jim Harrison
> Security Platform Group (ISA SE)

I've been following this thread as I similarly want to change the local
admin password on multiple machines. I have to say I was a bit surprised
to see this kind of advice - maybe all the users where you work are
clueless, but I doubt that's the case in most organizations. And this
isn't just some relatively useless information, it's the local admin
account which I, as an intruder, would love to see "encoded" in a logon
script.

I missed the tall hairy "dewd" reference, and I agree that security must
always be balanced by usability, but surely something as valuable as
local admin ought to have more protection than that.

I would theorize (having not tried this yet) that setting a registry key
in Group Policy with the appropriate permissions and using a startup
script (runs as local machine, rather than current user, if memory
serves) instead of a logon script would be a fairly trivial way to
accomplish this task securely. Sure, it takes 10 minutes longer to set up,
but with the right permissions it is far more secure and just as easy to
maintain.

Derick Anderson
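Derick's sketch (a startup script running as the machine rather than the user, reading the password from a registry value that Group Policy has written with restrictive permissions) rendered as a PowerShell startup script. This is an added example, not code from the thread; the key path, the value name and the assumption that Group Policy Preferences writes the value with a SYSTEM/Administrators-only ACL (inheritance disabled) are invented for illustration.

```powershell
# Startup script: runs as LocalSystem (Computer Configuration > Scripts > Startup),
# so the interactive user never sees the password or this process.
# Key, value name and the GPO-written ACL are assumptions for this example.
$KeyPath   = 'HKLM:\SOFTWARE\Contoso\LocalAdminRotation'   # assumed key written by GPO
$ValueName = 'Password'                                     # assumed value name

# 1. Refuse to use the value if its ACL is broader than Derick's "appropriate
#    permissions": a key readable by Users leaks just like an encoded logon script.
#    Inherited ACEs from HKLM\SOFTWARE grant Users read, so the GPO must break inheritance.
$acl   = Get-Acl -Path $KeyPath
$broad = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -in @('BUILTIN\Users',
                                     'NT AUTHORITY\Authenticated Users',
                                     'NT AUTHORITY\INTERACTIVE',
                                     'Everyone')
}
if ($broad) {
    Write-Error "Refusing: $KeyPath is readable by $($broad.IdentityReference.Value -join ', ')"
    exit 1
}

# 2. Read the password and locate the built-in Administrator by its well-known
#    RID (500), so the script keeps working if the account has been renamed.
$plain = (Get-ItemProperty -Path $KeyPath -Name $ValueName).$ValueName
if ([string]::IsNullOrEmpty($plain)) { Write-Error 'No password value present'; exit 1 }

$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if (-not $admin) { Write-Error 'Built-in Administrator account not found'; exit 1 }

# 3. Set the password; the plaintext exists only inside this LocalSystem process.
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Set-LocalUser -SID $admin.SID -Password $secure
Remove-Variable plain, secure
```

Anyone who is already an administrator or SYSTEM on the machine can still read the value, so this protects the password from ordinary users only, which is the threat the thread is weighing.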
