Re: Easy question on the local admin passwords



Or even why worry about a local password on workstations. Set the account to a random, long, impossible-to-remember password (different for every machine), and when you need to get into a machine and domain creds aren't working, reset the password with one of the hack CDs.

joe

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm



Roger Abell [MVP] wrote:
I have looked at this common need from a few angles.
The startup script has the obvious issues already discussed.
Use of a script run on need (your option 2) has issues with
what passes over the wire, or as Joe pointed out, issues if
a pwd change intercept has been implanted.

The more I have considered this I have come to believe that
a large part of the problem is the use of "a" password, or a
"relatively simple" password scheme, for 100's or 1000's of
machines.

This is especially true if there are any less than fully trusted
people allowed an admin account on any of those machines,
or even crafty enough people with limited accounts that might
quickly be opportunistic when there is an unpatched privilege
elevation exploit available. In either case they are cracking
the SAM and getting the key to the 100's or 1000's.

What I am very uncomfortable with is the scenario where an
invader, a real bad guy/app, gets that password and the org
discovers that it has no way to react, no way to halt the access
within a decent timeframe.

This has led me to explore having local admin passwords
unique, or even long random unremembered strings.

To date my ideas have leaned toward asking, why does a
large environment use the local admin account? What if there
were domain accounts in Administrators that are guaranteed
useful via cached login if there is a connectivity issue? Is this
transferring of the crack exposure from the SAM to the store
of cached credentials worth the effort?

The alternative seems to be a startup script that only triggers
a callback, such as a database lookup that returns (within
encryption) what should become the password for that one
machine. You can pencil out the details: a stored proc so a
machine can only get what relates to its credentials; an access
method for support staff to get the current password for a specified machine,
etc.; a startup script triggered to do this at the closest date after
some periodic threshold, etc. Also, there are third-party
group policy extensions, and other management clients,
that can replace the startup script bootstrap.

But this second alternative does not get past the issue Joe
mentioned relative to change notification (but each machine
would have its own password).

In short, there are very real dangers in how people commonly
set up access on small and large groups of machines. There seems,
however, no clear, best solution, at least that I have found, which
has no drawbacks. This may be a good example of the
cheap-functional-secure triangle rule: you can have any two.

Roger


<boomboom999@xxxxxxxxx> wrote in message news:1152305658.872352.40770@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Windows XP/2003, Active Directory, SMS 2003

How can I change regularly the local administrator's password on 4000
workstations?

GPO? SMS?

Option 1 - Use SMS or GPO for that purpose

In that case, I will need to place the password in SMS packages or in
GPO scripts which is not good because the SMS packages and GPO scripts
can be read by users and the password can be easily discovered.

Option 2 - Use some script that goes thru AD and changes the password
remotely on all PCs, one by one

That seems to be a good idea, but not all workstations are static. There
are laptops, so they are sometimes absent and will miss the
password change quite often.

Any idea or advice?
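The per-machine scheme Roger sketches above (a callback from the startup script, a store that hands a machine only its own entry, a separate access path for support staff, rotation once a periodic threshold has passed) together with Joe's point that the password can be a long random string nobody needs to remember, as an added example in Python. This is not code from anyone in the thread or from any product. The escrow class, the token derivation, the machine names and the server secret are constructed stand-ins; the in-memory store is not encrypted, and the transport Roger calls "within encryption" is not modelled. It goes one step beyond the thread by adding a confirm step so the escrow only records a password the machine has actually applied.

```python
"""Constructed example: unique, rotating local admin passwords with a scoped escrow.

Stand-in for the database behind a startup-script callback. Every name here
(LocalAdminEscrow, machine_token, checkin, confirm, support_lookup) is made up
for illustration; nothing is any vendor's API.
"""
import hashlib
import hmac
import secrets
import string
from typing import Dict, List, Optional, Tuple

# Character set for generated passwords (constructed choice; avoids characters
# that commonly break scripts or shells).
ALPHABET = string.ascii_letters + string.digits + "!#%+-=?@_"


def generate_password(length: int = 24) -> str:
    """Long random string nobody is expected to remember (Joe's suggestion)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class LocalAdminEscrow:
    """In-memory stand-in for the central store.

    Records are kept in plain text only to keep the example stdlib-only; a
    real store would encrypt at rest and over the wire.
    """

    def __init__(self, server_secret: bytes, rotation_after_seconds: int) -> None:
        self._secret = server_secret
        self._rotation_after = rotation_after_seconds
        # machine name -> (password, epoch seconds when it was confirmed)
        self._records: Dict[str, Tuple[str, int]] = {}
        # passwords handed out but not yet confirmed as applied on the machine
        self._pending: Dict[str, str] = {}
        self.audit: List[str] = []

    def machine_token(self, machine: str) -> str:
        """Hypothetical per-machine credential derived from a server-side secret.

        Stands in for whatever authenticates the machine to the store; it is
        what scopes a lookup to that one machine ("a stored proc so a machine
        can only get what relates to its credentials").
        """
        return hmac.new(self._secret, machine.encode(), hashlib.sha256).hexdigest()

    def _authorized(self, machine: str, token: str) -> bool:
        return hmac.compare_digest(token, self.machine_token(machine))

    def needs_rotation(self, machine: str, now: int) -> bool:
        """True when the machine has no confirmed password or the threshold passed."""
        rec = self._records.get(machine)
        return rec is None or now - rec[1] >= self._rotation_after

    def checkin(self, machine: str, token: str, now: int) -> Optional[str]:
        """The startup-script callback.

        Returns a fresh password only for the calling machine and only when
        rotation is due; otherwise None. A laptop that was away does not miss
        its rotation, it simply gets it at the next check-in.
        """
        if not self._authorized(machine, token):
            self.audit.append(f"DENY checkin {machine}: bad token")
            return None
        if not self.needs_rotation(machine, now):
            return None
        password = generate_password()
        self._pending[machine] = password  # not escrowed until applied
        self.audit.append(f"ISSUE {machine} at t={now}")
        return password

    def confirm(self, machine: str, token: str, now: int) -> bool:
        """Machine reports the new password was set; only now does escrow change.

        Without this step a machine that received a password but crashed
        before applying it would leave the escrow holding the wrong value.
        """
        if not self._authorized(machine, token) or machine not in self._pending:
            self.audit.append(f"DENY confirm {machine}")
            return False
        self._records[machine] = (self._pending.pop(machine), now)
        self.audit.append(f"ROTATE {machine} at t={now}")
        return True

    def support_lookup(self, staff: str, machine: str) -> Optional[str]:
        """Audited retrieval of the current confirmed password for one machine."""
        self.audit.append(f"LOOKUP {machine} by {staff}")
        rec = self._records.get(machine)
        return rec[0] if rec else None


if __name__ == "__main__":
    escrow = LocalAdminEscrow(secrets.token_bytes(32), rotation_after_seconds=30 * 86400)
    for name in ("WS-0001", "LAPTOP-0042"):  # constructed machine names
        tok = escrow.machine_token(name)
        pw = escrow.checkin(name, tok, now=0)
        escrow.confirm(name, tok, now=0)
        print(name, "->", pw)
    print("\n".join(escrow.audit))
```

Two things the example makes visible that the prose does not: a machine's token only unlocks its own record, so one cracked SAM yields one password rather than the key to the whole fleet; and an unconfirmed hand-out never replaces the escrowed value. It does nothing about the change-notification intercept Joe raised, since that runs on the machine itself; what a central store gives the org is the ability to react, by rotating one machine's password without touching the others.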