Re: Easy question on the local admin passwords
- From: "Joe Richards [MVP]" <humorexpress@xxxxxxxxxxx>
- Date: Fri, 07 Jul 2006 21:36:58 -0400
If someone can get localsystem or admin access rights there is NO safe way to do it. They simply throw a password change notification package on the machine and will get the clear text password given to them the instant you try to change it.
The easier way to pull a password from a startup script is to throw a network sniffer on the box and have it pull SMB traffic and then look at the script that comes down the wire.
--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net
---O'Reilly Active Directory Third Edition now available---
http://www.joeware.net/win/ad3e.htm
boomboom999@xxxxxxxxx wrote:
Steven L Umbach wrote:
With a Group Policy "startup" script users do not need read access to the
script in sysvol. You can remove authenticated users and add domain
computers with read/list/execute instead. You will also have a potential
problem in that the startup script will not be run until the computer is
restarted on the domain. You might want to use different local administrator
password on the laptops than the workstations. --- Steve
Thanks Steve,
That seems to be a more secure solution.
But I think it is still trivial to circumvent.
Any user that manages to run a script under LocalSystem (for any
reason) can access the administrator password in clear text. As I can
trust totally all the workstations (there are some of them that are
operated by knowledgeable users with administrative rights) I would
prefer not to offer the password in that manner.
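
Added example, not part of the original thread: a PowerShell audit of the LSA "Notification Packages" registry value, which is where the password change notification packages mentioned in the reply above are registered. The baseline list (scecli, rassfm) and the function name Get-NotificationPackageAudit are assumptions; adjust the baseline to your own build.

```powershell
# Added example: audit LSA notification packages (password filter DLLs).
# Assumption: this baseline matches a default Windows install; adjust per environment.
$Baseline = @('scecli', 'rassfm')
$LsaKey   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

function Get-NotificationPackageAudit {
    param(
        # Optional list of package names; when omitted, the live registry value is read.
        [string[]]$Packages
    )
    if (-not $Packages) {
        $Packages = (Get-ItemProperty -Path $LsaKey -Name 'Notification Packages').'Notification Packages'
    }
    foreach ($name in $Packages | Where-Object { $_ }) {
        # Packages are registered by name (no extension) and loaded from System32.
        $dll    = Join-Path $env:SystemRoot "System32\$name.dll"
        $exists = Test-Path -LiteralPath $dll
        $sig    = if ($exists) { (Get-AuthenticodeSignature -FilePath $dll).Status } else { 'FileMissing' }
        [pscustomobject]@{
            Package    = $name
            InBaseline = $Baseline -contains $name
            Path       = $dll
            Signature  = $sig
            Modified   = if ($exists) { (Get-Item -LiteralPath $dll).LastWriteTimeUtc } else { $null }
        }
    }
}

# Live audit: list anything outside the baseline, not validly signed, or missing on disk.
Get-NotificationPackageAudit |
    Where-Object { -not $_.InBaseline -or $_.Signature -ne 'Valid' } |
    Format-Table -AutoSize
```

Run it from an elevated prompt on the machine being checked; an empty result means every registered package is in the baseline and validly signed.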