Comments
Managing The Local Admin Password Headache
Newest First  |  Oldest First  |  Threaded View
RobertL444
50%
50%
RobertL444,
User Rank: Apprentice
4/22/2014 | 11:04:40 PM
re: Managing The Local Admin Password Headache
Hello Will:

 

When you get an opportunity, please take a look at Synergix AD Client Extensions software.  It has a feature to manage Built-In Administrator Account Password.  The password is system generated ( from 8 characters to 48 characters that you set in a GPO ) and is stored in Active Directory.   Only designated administrators are allowed to retrieve the password.  In addition, you can create a backup administrator account.

The password is changed every 7 days ( configurable ) and validated every 24 hours.  This solution is not only useful for the remote laptop users who may have VPN connectivity issues but generally speaking ideal solution for the enterprise.

Take a look at http://www.synergix.com or write to [email protected]

 
Will N
50%
50%
Will N,
User Rank: Apprentice
3/20/2013 | 2:54:37 PM
re: Managing The Local Admin Password Headache
A random unknown password is only more secure to the extent someone doesn't need administrative rights.- The biggest nightmare for us is not having admin credentials when the user is remote.- An executive that can't update their VPN software or otherwise fix something is a nightmare for IT staff.-- The first tenent of security is data availability and my experience is that the most common security failure is this self inflicted denial of availability when someone needs admin and can't get it.

This must be a difficult problem to solve since no one is really
offering anything that works to keep admin credentials both secure, and
available when needed.

USB or CD booting for a password reset with some ugly tool like Kon Boot isn't really a viable solution for tech challenged road warriors. They have to carry along a cd or usb every time they leave the network?- Most people barely keep track of their power supply.
jeffmcjunkin
50%
50%
jeffmcjunkin,
User Rank: Apprentice
3/20/2013 | 4:13:46 AM
re: Managing The Local Admin Password Headache
Jeff McJunkin here, the author of the relevant article.

No, that particular solution doesn't give the ability to look up the random password. Group Policy scripts are inherently viewable by standard users, so any programmatic way of setting the local Administrator passwords would be discoverable in a trivial fashion by any authenticated user.

PXE booting to something like "NT Password Reset" or Kon-Boot does the trick for me (relevant article:-http://jeffmcjunkin.com/2012/0....

If you do end up setting per-desktop passwords, I'd recommend setting it to something like the first 16 characters of SHA1(desktop serial / identifier + known salt). Of course, the salt used in the hashing algorithm would become very important to keep secret.
kmasters787
50%
50%
kmasters787,
User Rank: Apprentice
3/17/2013 | 4:43:32 AM
re: Managing The Local Admin Password Headache
Great timing on this article! -I'll be pursuing a workable solution for my company very soon around unique local admin passwords. -For us, having the ability to find the random local admin password is a must. -(Execs always on the move that get locked out when 1000's of miles away) -Does the "...Randomization via GPO" solution give the ability to-look-up-the random password?


Game Change: Meet the Mach37 Fall Startups
Ericka Chickowski, Contributing Writer, Dark Reading,  10/18/2017
Why Security Leaders Can't Afford to Be Just 'Left-Brained'
Bill Bradley, SVP, Cyber Engineering and Technical Services, CenturyLink,  10/17/2017
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Security Vulnerabilities: The Next Wave
Just when you thought it was safe, researchers have unveiled a new round of IT security flaws. Is your enterprise ready?
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2017-0290
Published: 2017-05-09
NScript in mpengine in Microsoft Malware Protection Engine with Engine Version before 1.1.13704.0, as used in Windows Defender and other products, allows remote attackers to execute arbitrary code or cause a denial of service (type confusion and application crash) via crafted JavaScript code within ...

CVE-2016-10369
Published: 2017-05-08
unixsocket.c in lxterminal through 0.3.0 insecurely uses /tmp for a socket file, allowing a local user to cause a denial of service (preventing terminal launch), or possibly have other impact (bypassing terminal access control).

CVE-2016-8202
Published: 2017-05-08
A privilege escalation vulnerability in Brocade Fibre Channel SAN products running Brocade Fabric OS (FOS) releases earlier than v7.4.1d and v8.0.1b could allow an authenticated attacker to elevate the privileges of user accounts accessing the system via command line interface. With affected version...

CVE-2016-8209
Published: 2017-05-08
Improper checks for unusual or exceptional conditions in Brocade NetIron 05.8.00 and later releases up to and including 06.1.00, when the Management Module is continuously scanned on port 22, may allow attackers to cause a denial of service (crash and reload) of the management module.

CVE-2017-0890
Published: 2017-05-08
Nextcloud Server before 11.0.3 is vulnerable to an inadequate escaping leading to a XSS vulnerability in the search module. To be exploitable a user has to write or paste malicious content into the search dialogue.