Administrator Password Frightfest
Here’s one other aspect of local administrator password management that may scare you.
Not much scares a network administrator. Ghosts, goblins, bats ... no problem. Compromised local administrator password? Run! Since today is Halloween, I thought I'd talk about something that most of you find very scary as part of your day-to-day administrative duties. With the power of local administrative rights, nothing scares most administrators more than an exploited local administrator password.
After reading my column, "Automating Local Admin Password Changes -- Readers Weigh In," Timothy Carroll wrote to me with some very good feedback. One point he mentioned: "Using a single password for all local admins is just not a good idea." This is true -- if one local administrator account password is learned, then a malicious user could have administrative access to every computer in your domain.
Tech Help—Just An
Got a Windows, Exchange or virtualization question
or need troubleshooting help? Or maybe you want a better
explanation than provided in the manuals? Describe
your dilemma in an e-mail to the MCPmag.com editors
the best questions get answered in this column and garner
the questioner with a nifty Redmond T-shirt.
When you send your questions, please include your
full first and last name, location, certifications (if
any) with your message. (If you prefer to remain anonymous,
specify this in your message, but submit the requested
information for verification purposes.)
Of course, there are a few ways around this, such as disabling the local administrator account on member systems in your domain. This can be done using Group Policy Objects. Of course, Linux boot disks, such as the Offline NT Password & Registry Editor boot disk, can be used to enable a disabled account, thus still potentially providing a way around this. Renaming the local administrator account is also a good idea and can be done via a GPO.
It'd be easy for me to just scare you about passwords and leave it at that. However, I want to share with you Timothy’s solution to local password management. Timothy wrote a tool called XS BAP (Bulk Admin Password tool). You can read his complete description of the tool here. Note that to use this tool, you will need Microsoft .NET Framework 1.1 installed on your system (work on a new, .NET Framework 2.0-supported version of XP BAP is under way).
With XS BAP, you can do the following:
- Change all local administrator passwords across your domain
- Set each local administrator password to a randomly generated complex password
- Unlock and enable all local administrator accounts
- Rename the local administrator account
To get started, you’ll need to download and install XS BAP. When you run the tool, just click the Computers menu and select Browse for Computers to Import. You can then select the computers in your domain, for example. Alternatively, you can manually enter computers into the tool by clicking on the Computer Name field in an empty row and entering the name.
Once the computers are imported (see Fig. 1), you can then set the local administrator password for each system by clicking the Passwords menu and then selecting Set Password(s) to Random Value. I prefer the random value option since it ensures that each local administrator password is unique. So if one local administrator password is learned, it will only be valid for the system on which it was discovered.
[Click on image for larger view.]
|Figure 1. Timothy Carroll's XS BAP tool has a simple interface for setting up randomly generated local admin passwords.
If you want to save the randomly generated passwords, just click the Reveal Passwords button and all new passwords will be displayed. You can then save the generated passwords to a file for future reference. Of course, you would want to highly protect this file. Once the new passwords are set, you will then just need to click the Update Passwords button and you will be all set.
While I don’t have any Halloween tricks up my sleeve, hopefully you’ll find this tool to be a nice Halloween treat.