Re: Easy question on the local admin passwords
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Fri, 7 Jul 2006 23:44:52 -0700
I have looked at this common need from a few angles.
The startup script has the obvious issues already discussed.
Use of a script run on need (your option 2) has issues with
what passes over the wire, or as Joe pointed out, issues if
a pwd change intercept has been implanted.
The more I have considered this I have come to believe that
a large part of the problem is the use of "a" password, or a
"relatively simple" password scheme, for 100's or 1000's of
machines.
This is especially true if there are any less than fully trusted
people allowed an admin account on any of those machines,
or even crafty enough people with limited accounts that might
quickly be opportunistic when there is an unpatched privilege
elevation exploit available. In either case they are cracking
the SAM and getting the key to the 100's or 1000's.
What I am very uncomfortable with is the scenario where an
invader, a real bad guy/app, gets that password and the org
discovers that it has no way to react, no way to halt the access
within a decent timeframe.
This has lead me to explore having local admin passwords
unique, or even long random unremembered strings.
To date my ideas have leaned toward asking, why does a
large environment use the local admin account? What if there
were domain accounts in Administrators that are guaranteed
useful via cached login if there is a connectivity issue? Is this
transferring of the crack exposure from the SAM to the store
of cached credentials worth the effort?
The alternative seems to be a startup script that only triggers
a callback, such as a database lookup that returns (within
encryption) what should become the password for that one
machine. You can pencil out the details, stored proc so a
machine can only get what relates to its credentials; access
method for support staff to get current for specified machine,
etc.; startup script triggered to do this at closest date after
some periodic threshold, etc.. Also, there are third-party
group policy extensions, and other management clients,
that can replace the startup script bootstrap.
But this second alternative does not get past the issue Joe
mentioned relative to change notification (but each machine
would have its own password.
In short, there are very real dangers in how people commonly
set up access on small and large groups of machine. There seems
however no clear, best solution, at least that I have found, which
has no drawbacks. This may be a good example of the triangle,
cheap-functional-secure, rule that you can have any two.
Roger
<boomboom999@xxxxxxxxx> wrote in message
news:1152305658.872352.40770@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Windows XP/2003, Active Directory, SMS 2003
How can I change regularly the local administrator's password on 4000
workstations?
GPO? SMS?
Option 1 - Use SMS or GPO for that purpose
In that case, I will need to place the password in SMS packages or in
GPO scripts which is not good because the SMS packages and GPO scripts
can be read by users and the password can be easily discovered.
Option 2 - Use some script that goes thru AD and changes the password
remotely on all PCs, one by one
That seems to be a good idea but not all workstations are static. There
are laptops. So, sometimes they are absent so they will miss the
password change quite often.
Any idea or advice?
.
- Follow-Ups:
- Re: Easy question on the local admin passwords
- From: Joe Richards [MVP]
- Re: Easy question on the local admin passwords
- References:
- Easy question on the local admin passwords
- From: boomboom999
- Easy question on the local admin passwords
- Prev by Date: Re: Easy question on the local admin passwords
- Next by Date: Newbie question: Exposure on logon?
- Previous by thread: Re: Easy question on the local admin passwords
- Next by thread: Re: Easy question on the local admin passwords
- Index(es):
Relevant Pages
|
