Re: Builtin administrator password strategy ?
- From: Pascal <pascal_t@xxxxxxxxxxxxxxxxxx>
- Date: Tue, 24 Apr 2007 15:25:27 +0200
Presently I am setting the password the same over the servers.
I have a script that does this; previously I used modules (evolved
over time) to make these per-machine unique, based on passphrase
generation in a pseudorandom fashion with custom complexity requirements.
The password length is long beyond human tolerance. We do not
use the local admin accounts unless the machine is not network alive,
so the strength of the password is only a slowdown in the rare event
the account is used. Even with the rainbow methods you mention,
hitting against multiple machines trying for one password, I am not
too concerned because of the following: I get reports that show
high pwd-failure login attempt origin points consolidated from the
server set of choice; I generally have the local admin account set
so that it is not useful over the network but only for console login;
the pwd used is quite long, complex, randomish.
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.c2e67d7480512a8a.70874@xxxxxxxxxxxxxxxxxxxxx
I did this once in a very big environment. We actually used a password setting utility (PASSGEN) that created pseudo-random passwords based on two pieces of seed material, so the password was actually randomly generated at boot time. We used a fixed pass phrase and the computer name as the other seed. The goal wasn't to keep the password secret from administrators, but to enable you to give out the local admin password for one server without compromising the whole environment. Being a systems integrator I just put this in place and don't manage it, so I imagine that after stuffing around with it for a few months they probably reset them all to Passw0rd.
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message news:mn.bc1f7d74f2b9dd7f.70874@xxxxxxxxxxxxxxxxxxxxx
Hi,
I would like to know what your advice is about configuring a different builtin\administrator password for each server on your domain.
It is quite insecure to configure every server with the same admin password, so I would like to know how you manage this?
Do you have an Excel file with every password listed? (lol)
Do you have a method to give a password depending on the role of the server? Like Admin1saF1rew@ll, AdminExch@nge etc...
Do you have some advice! :D
Thank you
-- Pascal
Thank you everybody for your answers and different points of view!
I totally agree that it is really hard to manage admin passwords if they are different on every server.
I am just interested in the risk of configuring the same admin password on every server. An attacker could potentially crack this password and gain access to every computer on the domain (and so the DCs too).
We can find some websites that propose distributed cracking methods that can crack a 15-character password in a few minutes or hours so... :D
P.S: Sorry for my "bad" english ;-)
-- Pascal
Thank you for your feedback Roger.
I am not using the local admin password either, and I audit it regularly.
How do you get reports that show high password-failure login attempts?
The possibility of sending me an alert after 20 consecutive failed password attempts interests me :D
Thank you
--
Pascal
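The two-seed derivation Jeremy describes (a fixed passphrase plus the computer name) and the per-machine unique, complexity-constrained generation Roger mentions, as an added Python example that is not code from the thread, from PASSGEN or from Roger's script: it uses PBKDF2-HMAC-SHA256 with the hostname as salt (my choice of construction, not the tool's), a constructed example passphrase, and a 3-of-4 character-class rule standing in for the Windows complexity policy.

```python
import hashlib
import string

# Constructed example seed material (not from the thread). In a real deployment the
# passphrase lives in a vault, not in the script: anyone holding it can derive every
# machine's password, which is the intended property, so it is the one secret to guard.
SEED_PASSPHRASE = "constructed-example-passphrase-do-not-reuse"

# Character classes used for the Windows-style complexity check.
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, "!@#$%^&*-_=+?")
ALPHABET = "".join(CLASSES)
# Largest byte value that maps onto ALPHABET without modulo bias (rejection sampling).
LIMIT = 256 - (256 % len(ALPHABET))


def meets_complexity(password: str, min_classes: int = 3) -> bool:
    """True if the password uses at least min_classes of the four character classes."""
    return sum(any(c in cls for c in password) for cls in CLASSES) >= min_classes


def derive_local_admin_password(passphrase: str, computer_name: str, length: int = 24) -> str:
    """Deterministically derive one machine's local admin password.

    Seeds: the shared passphrase (PBKDF2 password) and the computer name (salt).
    Same inputs always give the same password; different hosts give different ones.
    The hostname is case-folded because NetBIOS/DNS names are not case-sensitive.
    A counter is folded into the salt and bumped until the output satisfies the
    complexity rule, so the derivation stays deterministic.
    """
    if length < 8:
        raise ValueError("length too short for a 3-of-4 complexity rule to be meaningful")
    host = computer_name.strip().upper().encode("utf-8")
    for counter in range(256):
        salt = host + b"|" + counter.to_bytes(1, "big")
        key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000, dklen=length * 4)
        candidate = "".join(ALPHABET[b % len(ALPHABET)] for b in key if b < LIMIT)[:length]
        if len(candidate) == length and meets_complexity(candidate):
            return candidate
    raise RuntimeError("could not derive a compliant password; check length/alphabet")


def passwords_for_fleet(passphrase: str, hosts: list) -> dict:
    """Derive each host's password so one can be handed out without exposing the rest."""
    return {h.strip().upper(): derive_local_admin_password(passphrase, h) for h in hosts}


if __name__ == "__main__":
    for host, pwd in passwords_for_fleet(SEED_PASSPHRASE, ["FS01", "EXCH01", "DC01"]).items():
        print(f"{host}: {pwd}")
```

Giving out one host's derived password reveals nothing about the others, but whoever holds the passphrase can reproduce the whole fleet, so rotating it means re-setting every local account.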