From: Laura A. Robinson (laurarobinson_at_earthlink.net)
Date: Fri Aug 02 2002 - 16:05:41 CDT

    In addition to the recommendation to not use the same password for all of
    the accounts, I, for one, prefer to just lock out the local admin accounts
    for over-the-network access. I'd rather they not be available at all except
    for local logon.

    Laura
    ----- Original Message -----
    From: <Fred.Langstonguardent.com>
    To: <mgreenemgreene.com>; <focus-mssecurityfocus.com>
    Sent: Thursday, August 01, 2002 9:53 PM
    Subject: RE: local admin passwords

    > Ah yes, the local admin password conundrum. There is no totally secure
    > method to change local admin passwords as they all need the "net user"
    > command which will change them with clear text over the wire. Other than
    > that 'small' problem, you can use one of many commercial tools available or
    > just write a script to do it. I would recommend against using the same
    > password on all systems as they will need to be changed every time someone
    > leaves the org. Use an encrypted database with an app/web front end that
    > scripts the whole operation. Only give out passwords on an as-needed basis,
    > then script in a change after, say, 24 hours, to set it to some complex,
    > preferably 15-character password (not L0pht-crackable). Also, enforce
    > password policy elements like 45 day changes. Remember to keep a couple old
    > passwords in the database history for users that may be logging in with
    > cached credentials and cannot connect to the network for an extended period.
    >
    > Of course, a Linux boot disk negates all this work, but this is the best
    > I've come up with for an enterprise local admin password solution. Good
    > luck!
    >
    > Fred Langston
    > Principal Consultant
    > W: 206.903.8147 x223 F: 206.903.1862 M: 425.765.3330
    > Seattle, WA www.guardent.com
    > ________________________________________
    > G U A R D E N T
    > Enterprise Security and Privacy Programs
    >
    >
    >
    > -----Original Message-----
    > From: Michael G. Greene [mailto:mgreenemgreene.com]
    > Sent: Thursday, August 01, 2002 9:16 AM
    > To: focus-mssecurityfocus.com
    > Subject: local admin passwords
    >
    >
    > Hello everyone. Well, I have given up resolving this issue on my own
    > and am seeking the minds of experts. Is there a SECURE, enterprise
    > method of regularly changing local admin passwords? By enterprise
    > method I mean to change the local admin password, on a regularly
    > scheduled interval, for every server and workstation machine, with a
    > scope capable of dealing with 1000+ machines. Of course, the passwords
    > should each change to a common string.
    >
    >
    >
    > Thanks
    >
    > Michael
    >
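The two controls this thread settles on, Fred's scheduled rotation to a random 15-character password for the host's own encrypted database and Laura's denial of over-the-network logon for local admin accounts, as an added PowerShell example that is not from any of the posters. It assumes Windows 8.1 / Server 2012 R2 or later with PowerShell 5.1 (for the LocalAccounts cmdlets and the S-1-5-114 well-known SID) and is meant to run elevated on each host, for example from a scheduled task, so the new password is set locally rather than sent with "net user".

```powershell
function New-ComplexPassword {
    param([ValidateRange(8, 128)][int]$Length = 15)
    # One char from each class satisfies the usual complexity rules; the rest come
    # from the union and the result is shuffled so class order leaks nothing.
    $classes = @('ABCDEFGHJKLMNPQRSTUVWXYZ', 'abcdefghijkmnopqrstuvwxyz', '23456789', '!#$%&*+-=?@_')
    $union   = -join $classes
    $rng     = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf     = New-Object byte[] 4
    $pick    = { param($s) $rng.GetBytes($buf); $s[[int]([BitConverter]::ToUInt32($buf, 0) % $s.Length)] }
    $chars   = @(foreach ($c in $classes) { & $pick $c })
    $chars  += @(1..($Length - $classes.Count) | ForEach-Object { & $pick $union })
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {                 # Fisher-Yates shuffle
        $rng.GetBytes($buf)
        $j = [int]([BitConverter]::ToUInt32($buf, 0) % ($i + 1))
        $chars[$i], $chars[$j] = $chars[$j], $chars[$i]
    }
    -join $chars
}

function Deny-LocalAdminNetworkLogon {
    # S-1-5-114 is the well-known SID "Local account and member of Administrators group";
    # denying it network logon is Laura's console-only lockout, and survives account renames.
    $cfg = Join-Path $env:TEMP 'userrights.inf'
    $db  = Join-Path $env:TEMP 'userrights.sdb'
    Remove-Item $cfg, $db -ErrorAction SilentlyContinue
    secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
    $lines = @(Get-Content $cfg)
    $hit = $lines | Select-String '^SeDenyNetworkLogonRight' | Select-Object -First 1
    if ($hit) {
        $i = $hit.LineNumber - 1
        if ($lines[$i] -notmatch 'S-1-5-114') { $lines[$i] += ',*S-1-5-114' }
    } else {
        $h = ($lines | Select-String '^\[Privilege Rights\]').LineNumber
        $lines = $lines[0..($h - 1)] + 'SeDenyNetworkLogonRight = *S-1-5-114' + $lines[$h..($lines.Count - 1)]
    }
    Set-Content -Path $cfg -Value $lines -Encoding Unicode
    secedit /configure /db $db /cfg $cfg /areas USER_RIGHTS | Out-Null
}

function Reset-LocalAdminPassword {
    # RID 500 is the built-in Administrator even if renamed; setting it locally keeps the new password off the wire.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    $new   = New-ComplexPassword -Length 15
    Set-LocalUser -Name $admin.Name -Password (ConvertTo-SecureString $new -AsPlainText -Force)
    # Returned for the caller's encrypted password database (Fred's design); nothing here writes it to disk or the event log.
    [pscustomobject]@{ Computer = $env:COMPUTERNAME; Account = $admin.Name; Password = $new }
}

Deny-LocalAdminNetworkLogon; Reset-LocalAdminPassword
```

Secedit's user-rights change takes effect immediately; the password-history and 45-day cadence Fred mentions belong in the database and scheduler that invoke this script, not in the per-host code.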