> -----Original Message----- > From: Jim Harrison (ISA) [mailto:[EMAIL PROTECTED] > Sent: Monday, December 05, 2005 2:15 PM > To: Thor (Hammer of God); Info; [EMAIL PROTECTED]; > [email protected] > Subject: RE: Changing local admin PW using vb logon script - > can it be encrypted? > > True enough, but to quote a tall, hairy dewd I've worked with > in front of a paying audience, "true security is a delicate > balance between functionality and protection". > > Agreed - if your users are the least bit savvy, this trick > will only buy you 5 minutes while they search for the script > decoder, but if they're of the "where is the anykey?" > variety, none of them will be any the wiser. > > Jim Harrison > Security Platform Group (ISA SE)
I've been following this thread as I similarly want to change the local admin password on multiple machines. I have to say I was a bit surprised to see this kind of advice - maybe all the users where you work are clueless, but I doubt that's the case in most organizations. And this isn't just some relatively useless information, it's the local admin account which I, as an intruder, would love to see "encoded" in a logon script. I missed the tall hairy "dewd" reference, and I agree that security must always be balanced by usability, but surely something as valuable as local admin ought to have more protection than that. I would theorize (having not tried this yet) that setting a registry key in Group Policy with the appropriate permissions and using a startup script (runs as local machine, rather than current user, if memory serves) instead of a logon script would be a fairly trivial way to accomplish this task securely. Sure it takes 10 minutes longer to set up but with the right permissions is far more secure and just as easy to maintain. Derick Anderson --------------------------------------------------------------------------- ---------------------------------------------------------------------------
