Re: Builtin administrator password strategy ?




"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.c39d7d7437dd662c.70874@xxxxxxxxxxxxxxxxxxxxx
Presently I am setting the password the same over the servers.
I have a script that does this, previously used modules (evolved
over time) to make these per-machine unique, based on passphrase
generation in pseudorandom fashion with custom complexity reqs.
The password length is long beyond human tolerance. We do not
use the local admin accounts unless the machine is not network alive,
so the strength of the password is only a slowdown in the rare event
the account is used. Even with the rainbow methods you mention,
hitting against multiple machines trying for one password, I am not
too concerned because of the following: I get reports that show
high pwd-failure login attempt origin points consolidated from a
server set of choice, I generally have the local admin account set
so that it is not useful over the network but only for console login,
and the pwd used is quite long, complex, randomish.


"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.c2e67d7480512a8a.70874@xxxxxxxxxxxxxxxxxxxxx
I did this once in a very big environment. We actually used a password
setting utility (PASSGEN) that created pseudo-random passwords based on
two pieces of seed material, so the password was actually randomly
generated at boot time. We used a fixed pass phrase and the computer
name as the other seed. The goal wasn't to keep the password secret
from administrators, but to enable you to give out the local admin
password for one server without compromising the whole environment.
Being a systems integrator I just put this in place and don't manage
it, so I imagine that after stuffing around with it for a few months
they probably reset them all to Passw0rd.
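A PASSGEN-style derivation of the kind the two posts above describe, written here as an added Python example (not the PASSGEN utility and not either poster's script): the site passphrase keys an HMAC over the computer name, the digest is mapped onto a character set without modulo bias, and the result is re-derived under a new label if it misses a character class. The alphabet, the complexity rule and the 24-character default length are assumptions.

```python
import hashlib
import hmac
import string

# Character classes the derived password must cover (constructed complexity rule).
CLASSES = (string.ascii_uppercase, string.ascii_lowercase, string.digits, "!@#$%^&*-_=+")
ALPHABET = "".join(CLASSES)
# Largest multiple of len(ALPHABET) not above 256: bytes at or above it are rejected
# so every alphabet character is equally likely (no modulo bias).
LIMIT = 256 - (256 % len(ALPHABET))


def meets_complexity(password):
    """True when the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def _keystream(passphrase, label):
    """Unbounded byte stream made of HMAC-SHA256(passphrase, label || counter) blocks."""
    counter = 0
    while True:
        msg = f"{label}\x00{counter}".encode("utf-8")
        yield from hmac.new(passphrase.encode("utf-8"), msg, hashlib.sha256).digest()
        counter += 1


def derive_password(passphrase, computer_name, length=24):
    """Deterministic per-machine password from a site passphrase and the computer name.

    The same inputs always give the same password, so nothing has to be stored per
    server; knowing one server's password reveals neither the passphrase nor any other
    server's password (HMAC preimage resistance).
    """
    name = computer_name.strip().upper()  # SRV01 and srv01 are the same machine
    for attempt in range(32):  # re-derive under a new label if complexity is not met
        chars = []
        for b in _keystream(passphrase, f"{name}|{attempt}"):
            if b < LIMIT:
                chars.append(ALPHABET[b % len(ALPHABET)])
                if len(chars) == length:
                    break
        password = "".join(chars)
        if meets_complexity(password):
            return password
    raise RuntimeError("could not satisfy the complexity rule")
```

The passphrase itself still has to be protected like any other shared secret; the scheme only removes the need to keep a list of per-server passwords.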
"Pascal" <pascal_t@xxxxxxxxxxxxxxxxxx> wrote in message
news:mn.bc1f7d74f2b9dd7f.70874@xxxxxxxxxxxxxxxxxxxxx
Hi,

I would like to know what your advice is about configuring a different
builtin\administrator password for each server on your domain.

It is quite insecure to configure every server with the same admin
password, so I would like to know how you manage this?

Do you have an Excel file with every password listed? (lol)
Do you have a method to assign a password depending on the role of the
server? Like Admin1saF1rew@ll, AdminExch@nge etc...
Do you have any advice! :D

Thank you

-- Pascal



Thank you everybody for your answers and different points of view!

I totally agree that it is really hard to manage admin passwords if they
are different on every server.
I am just interested in the risk of configuring the same admin
password on every server. An attacker could potentially crack this
password and gain access to every computer on the domain (and the DCs
too).

We can find some websites that propose distributed cracking methods that
can crack a 15-character password in a few minutes or hours so ... :D

P.S: Sorry for my "bad" English ;-)

-- Pascal



Thank you for your feedback Roger.

I am not using the local admin password either, and I audit it regularly.
How do you get reports that show high password failure login attempts?

The possibility of sending me an alert after 20 consecutive failed
password attempts interests me :D

Thank you


Hi Pascal,

I use WMI to query event logs, iterating through a set of servers
and either stuffing into a database or an in-memory collection, adding
tagging for the server of origin of the event log. This is timestamp ordered
and also ordered by "client", i.e. the remote machine originating the
event. Characteristically, eventing on "20 consecutive failed"
would not be that useful; first, just what does consecutive mean;
second, the common pattern is that the origin of attempts hammers for
some seconds here, there, somewhere else, etc., waits for hours
and tries some more (other patterns are of course also common).
One cannot use event log entry eventing since that is for one
event log (i.e. one machine).

Roger
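An added Python example (not Roger's WMI script) of the consolidation he describes, run over constructed failed-logon events that are already tagged with the server they came from: one timestamp-ordered timeline across the server set, attempts grouped by originating client, and a comparison of what a per-machine "N consecutive" rule would see against the cross-server total. The 10-minute quiet gap, the 20-attempt threshold and the event fields are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def _burst(server, start, source, count, step=2):
    """Constructed helper: `count` failed logons from one source, `step` seconds apart.
    Each event is (server, timestamp, source_workstation, target_user), the fields a
    per-server event log query would yield once tagged with the server of origin."""
    return [(server, start + timedelta(seconds=i * step), source, "Administrator")
            for i in range(count)]


# Constructed sample: 10.0.0.5 hammers three different servers hours apart, never
# 20 in a row on any one of them; 10.0.0.9 is someone mistyping a password twice.
SAMPLE_EVENTS = (
    _burst("FS01", datetime(2005, 3, 1, 2, 14), "10.0.0.5", 8)
    + _burst("EX01", datetime(2005, 3, 1, 5, 40), "10.0.0.5", 6)
    + _burst("SQL01", datetime(2005, 3, 1, 9, 2), "10.0.0.5", 7)
    + _burst("FS01", datetime(2005, 3, 1, 8, 0), "10.0.0.9", 2)
)


def consolidate(events):
    """One timeline across all servers, ordered by timestamp; origin server stays on each row."""
    return sorted(events, key=lambda e: e[1])


def bursts_by_source(events, quiet=timedelta(minutes=10)):
    """Group each source's attempts into bursts separated by more than `quiet`.
    Returns {source: [(first_timestamp, servers_hit, attempts), ...]} in time order."""
    runs_by_source = defaultdict(list)
    for server, ts, source, _user in consolidate(events):
        runs = runs_by_source[source]
        if runs and ts - runs[-1]["last"] <= quiet:
            runs[-1]["last"] = ts
            runs[-1]["count"] += 1
            runs[-1]["servers"].add(server)
        else:
            runs.append({"first": ts, "last": ts, "count": 1, "servers": {server}})
    return {src: [(r["first"], sorted(r["servers"]), r["count"]) for r in runs]
            for src, runs in runs_by_source.items()}


def longest_burst(events, source):
    """Roughly what a single-machine 'N consecutive failures' rule would ever see."""
    return max((r[2] for r in bursts_by_source(events).get(source, [])), default=0)


def noisy_sources(events, threshold=20):
    """Sources whose failed logons summed across the whole server set reach `threshold`."""
    totals = defaultdict(int)
    for _server, _ts, source, _user in events:
        totals[source] += 1
    return sorted(src for src, n in totals.items() if n >= threshold)
```

On the sample, no server alone sees more than 8 failures from 10.0.0.5, so a per-machine 20-in-a-row rule never fires, while the consolidated view counts 21 across three servers in three bursts.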


