Not advice, per se; just one (admittedly simple) option among many offered herein.
As I stated, your techniques have to be balanced against the threats and functionality and clients you have to support. For instance, renaming the admin account is relatively weak "security by obscurity", but it stops the vast majority of script kiddie admin-seeking account attacks. Anyone with read access to the domain and a modicum of scripting skills can reverse-resolve any SID to an account name and off they go. I can think of no less than three different mechanisms available to Windows scripting that would allow this...

One thing to bear in mind is that if your users actually pose an active security threat as opposed to those that just bring in new and interesting forms of worms / viruses, then you have far more to worry about than just changing your local admin password via scripts...

Jim Harrison
Security Platform Group (ISA SE)
If We Can't Fix It - It Ain't Broke!

-----Original Message-----
From: Derick Anderson [mailto:[EMAIL PROTECTED]
Sent: Tuesday, December 06, 2005 5:19 AM
To: [email protected]
Subject: RE: Changing local admin PW using vb logon script - can it be encrypted?

> -----Original Message-----
> From: Jim Harrison (ISA) [mailto:[EMAIL PROTECTED]
> Sent: Monday, December 05, 2005 2:15 PM
> To: Thor (Hammer of God); Info; [EMAIL PROTECTED];
> [email protected]
> Subject: RE: Changing local admin PW using vb logon script -
> can it be encrypted?
>
> True enough, but to quote a tall, hairy dewd I've worked with
> in front of a paying audience, "true security is a delicate
> balance between functionality and protection".
>
> Agreed - if your users are the least bit savvy, this trick
> will only buy you 5 minutes while they search for the script
> decoder, but if they're of the "where is the anykey?"
> variety, none of them will be any the wiser.
>
> Jim Harrison
> Security Platform Group (ISA SE)

I've been following this thread as I similarly want to change the local admin password on multiple machines.
I have to say I was a bit surprised to see this kind of advice - maybe all the users where you work are clueless, but I doubt that's the case in most organizations. And this isn't just some relatively useless information, it's the local admin account which I, as an intruder, would love to see "encoded" in a logon script. I missed the tall hairy "dewd" reference, and I agree that security must always be balanced by usability, but surely something as valuable as local admin ought to have more protection than that.

I would theorize (having not tried this yet) that setting a registry key in Group Policy with the appropriate permissions and using a startup script (runs as local machine, rather than current user, if memory serves) instead of a logon script would be a fairly trivial way to accomplish this task securely. Sure it takes 10 minutes longer to set up but with the right permissions is far more secure and just as easy to maintain.

Derick Anderson
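As an added example (not code from this thread or from any of its participants), here is a PowerShell check an administrator can run on a workstation to see Jim's point about SIDs in practice: the built-in Administrator account always carries RID 500, so a rename is visible to anyone who can list local accounts, and the same report shows whether that account's password is actually being rotated, which is the thing the logon-script discussion is really about. It assumes Windows PowerShell 5.1 or later with the Microsoft.PowerShell.LocalAccounts module and an elevated prompt; the 90-day staleness threshold is an assumption of this example, not a value from the thread.

```powershell
# Added example, not part of the original thread.
# Reports on the built-in Administrator account of the local machine,
# whatever it has been renamed to. Assumes Windows PowerShell 5.1+ with
# the Microsoft.PowerShell.LocalAccounts module (Get-LocalUser).

function Get-BuiltinAdminReport {
    param(
        # Assumed policy value for this example; adjust to your own standard.
        [int]$MaxPasswordAgeDays = 90
    )

    # The built-in Administrator always has relative identifier (RID) 500,
    # so matching on the SID suffix finds it regardless of its display name.
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' }
    if (-not $admin) {
        throw 'No RID-500 account found; this is unexpected on a standard Windows install.'
    }

    $renamed = $admin.Name -ne 'Administrator'

    # PasswordLastSet is null when the password has never been set.
    $ageDays = $null
    $stale   = $true
    if ($admin.PasswordLastSet) {
        $ageDays = [int]((Get-Date) - $admin.PasswordLastSet).TotalDays
        $stale   = $ageDays -gt $MaxPasswordAgeDays
    }

    [pscustomobject]@{
        Name            = $admin.Name
        SID             = $admin.SID.Value
        Enabled         = $admin.Enabled
        Renamed         = $renamed
        PasswordLastSet = $admin.PasswordLastSet
        PasswordAgeDays = $ageDays
        PasswordStale   = $stale
    }
}

# Usage: run elevated on the machine you want to audit.
Get-BuiltinAdminReport | Format-List
```

Renamed = True together with PasswordStale = True is the combination the thread warns about: the rename adds little, and the account is still running on an old password. Running this across a fleet (for example through Invoke-Command) gives a defender the same visibility an attacker with domain read access would have, which is the right baseline for deciding how much protection the rotation mechanism itself needs.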
