It is hard to keep track of 1000 local machines and their administrator
accounts and passwords. I go with the idea of keeping them the same.
Just run scripts to change them regularly and have strong passwords. I
like to script everything. You mean you want to have 1000 different admin
accounts and passwords stored on a spreadsheet? What if the SID corrupts,
then what? You have to open the file, browse over the names and
passwords, etc., and log in locally and rejoin the domain. They are just
workstations. So if one or two got hacked... you re-image them. User
files and folders are stored on a server, right?
Turn off file sharing to the clients; they don't need file sharing turned
on. If you need to remotely access (Hyena, Dameware, etc.) and manage the
workstations, then enable the firewall, but only allow access to the
clients from a single workstation IP (your machine) or multiple IPs. This
should be done through GPO. Block out the 65000+ ports and allow only the
ports you need... Kerberos, AD replication (forced), DNS, etc.
-Z.V.
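The firewall lockdown described in the post above, written out as an added example (this is not Z.V.'s script, nor anything from the list): a domain GPO that sets default-deny inbound on the workstations, disables the built-in file-sharing and remote-administration allow rules, and re-opens the management ports only from the admin workstations' IPs. It assumes Windows 8/Server 2012 or later clients (NetSecurity cmdlets), the GroupPolicy RSAT module on the machine you run it from, and the hypothetical domain, OU, GPO name and management IPs shown.

```powershell
# Added example, not from the thread. All names and addresses are hypothetical.
Import-Module GroupPolicy

$domain    = 'corp.example'
$ou        = 'OU=Workstations,DC=corp,DC=example'
$gpoName   = 'Workstation Firewall'
$mgmtHosts = @('10.10.5.10', '10.10.5.11')   # the admin workstation(s) allowed in

# Create the GPO (idempotent) and link it to the workstation OU.
if (-not (Get-GPO -Name $gpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $gpoName | Out-Null
    New-GPLink -Name $gpoName -Target $ou | Out-Null
}

# Open the GPO's firewall policy store; every rule below is written there,
# not to the local machine.
$gpo = Open-NetGPO -PolicyStore "$domain\$gpoName"

# Weak baseline the post argues against: the stock "File and Printer Sharing"
# group enabled, which answers SMB from any address. It is what we disable next.

# Default-deny inbound on every profile; outbound left open so Kerberos,
# DNS and AD traffic from the client keep working.
Set-NetFirewallProfile -All -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -GPOSession $gpo

# Turn off the built-in inbound allow rules for sharing and remote admin so
# the only inbound paths are the scoped ones created below.
Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -GPOSession $gpo
Disable-NetFirewallRule -DisplayGroup 'Remote Administration'   -GPOSession $gpo

# Management access, restricted by -RemoteAddress to the admin IPs only.
# 445 SMB (admin shares, remote SAM), 135 RPC endpoint mapper, 5985 WinRM, 3389 RDP.
$mgmtPorts = @{ 'SMB' = 445; 'RPC-EPM' = 135; 'WinRM' = 5985; 'RDP' = 3389 }
foreach ($name in $mgmtPorts.Keys) {
    New-NetFirewallRule -DisplayName "Mgmt $name" -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort $mgmtPorts[$name] -RemoteAddress $mgmtHosts `
        -GPOSession $gpo | Out-Null
}
# RPC-based tools (WMI, remote registry, Hyena-style admin consoles) also need
# the dynamic RPC range, still scoped to the admin IPs.
New-NetFirewallRule -DisplayName 'Mgmt RPC dynamic' -Direction Inbound -Action Allow `
    -Protocol TCP -LocalPort '49152-65535' -RemoteAddress $mgmtHosts `
    -GPOSession $gpo | Out-Null

# Commit the batched changes to the GPO.
Save-NetGPO -GPOSession $gpo
```

After `gpupdate` on a client, `Get-NetFirewallRule -DisplayName 'Mgmt *' | Get-NetFirewallAddressFilter` should show only the management addresses, and a connection to TCP/445 from any other host should time out rather than connect.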
Okay, just to offer a counterpoint to your underlying plan - you do
realise that by using a single local admin password across your
enterprise, if even -one- of those workstations gets the admin
password compromised, the attacker who did so now has local admin
rights to every workstation on your network? With apologies to Jesper
Johannsen[1], it's one of those "How to get your network hacked in 10
easy steps" things - if I've just compromised the local admin password
of WorkstationA, what do you think is going to be the very first
password I try when I move on to try and compromise WorkstationB?
[1] And additional apologies for the fact that I'm sure I just spelled
his name wrong.
--
-----------------------
Laura E. Hunter
Microsoft MVP - Windows Server Networking
Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
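A way to keep Z.V.'s "script everything" approach while avoiding the shared-password pivot Laura describes, as an added example (not code from either poster): rotate the local Administrator password on every workstation, but generate a different random password per machine and record them somewhere only admins can read, so compromising one host yields a credential that works nowhere else. It assumes the RSAT ActiveDirectory module, a Domain Admin running it from a management host that can reach the clients over SMB/RPC, that the built-in account is still named Administrator, and the hypothetical OU and file path shown; the CSV is a stand-in for a real secret store (a LAPS-style ACL-protected AD attribute, or a vault).

```powershell
# Added example, not from the thread. OU, path and names are hypothetical.
Import-Module ActiveDirectory

$ou        = 'OU=Workstations,DC=corp,DC=example'
$vaultPath = '\\fs01\secure$\localadmin.csv'   # NTFS/share ACL: admins only

function New-RandomPassword {
    param([int]$Length = 20)
    # 64 symbols, so byte % 64 is uniform; ambiguous glyphs (I, O, l, 0, 1) left out.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!@#$%^&*'
    $bytes    = New-Object byte[] $Length
    $rng      = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $rng.GetBytes($bytes)          # CSPRNG, not Get-Random
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

$results = foreach ($computer in Get-ADComputer -Filter * -SearchBase $ou) {
    $target = $computer.DNSHostName
    if (-not (Test-Connection -ComputerName $target -Count 1 -Quiet)) {
        Write-Warning "$target unreachable, will be retried on the next run"
        continue
    }
    $password = New-RandomPassword -Length 20   # unique per host
    try {
        # WinNT ADSI provider sets the password in the remote machine's SAM.
        $account = [ADSI]"WinNT://$target/Administrator,user"
        $account.SetPassword($password)
        $account.SetInfo()
        [pscustomobject]@{
            Host     = $target
            Password = $password
            Rotated  = (Get-Date).ToString('s')
        }
    } catch {
        Write-Warning "$target : $($_.Exception.Message)"
    }
}

# Overwrite the record each run; the previous passwords are no longer valid.
$results | Export-Csv -Path $vaultPath -NoTypeInformation
Write-Host ("Rotated {0} workstation(s)" -f @($results).Count)
```

The recovery case Z.V. raises (a machine whose domain trust breaks and needs a local logon to rejoin) is handled by looking up that one host's entry; the difference from a shared password is that an attacker who dumps the SAM on WorkstationA gets a hash that is useless on WorkstationB. Anything that writes passwords to a file should also be paired with a scheduled run so stale entries never accumulate.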