I'm working on a mechanism to better handle group policy passwords in response to MS14-025. We formerly used this mechanism for setting the local admin account passwords on our workstations (primarily Windows 7).
To this end (see the method I've outlined below for specifics) my thought is to have these changed client side via a scheduled task and save the resulting password to a restricted access network drive. What kind of exposure am I creating by allowing these changes to occur locally, instead of pushing out from a central location?
The only things I've come up with are memory scrapers and the ability to manipulate the random number generator. Both of which should require admin rights already.
Background
Goals
- Avoid storing plain text passwords in a GPP item.
- Rotate these passwords
- Set unique password per device (avoid pass the hash attacks)
Proposed Method
- Set up a scheduled task (deployed by group policy preference, using the system account)
- Schedule monthly / quarterly / whatever
- Run on local Admin login, after 30 minutes
- Task runs executable / script which will
- Set the admin password to a random string
- Save password to a network directory, using computer name for reference
- Enable auditing / restricted access rights / etc on this folder.
Combined with a secondary trigger - say 30 minutes after the local admin account is logged in to - and we'd have a pretty decent method for controlling these accounts, with the additional benefit of knowing whoever is using the local Administrator account.
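The proposed method above, worked through as a single script that can both register the scheduled tasks and perform the rotation. This is an added example, not the asker's code. It targets Windows 7 / PowerShell 2.0, so it uses schtasks.exe and ADSI rather than the newer ScheduledTasks and LocalAccounts modules. The share path, script path and task names are assumptions; the record format (computer name, timestamp, password) is one possible choice.

```powershell
# Rotate-LocalAdmin.ps1 (added example; share path, script path and task names are assumed)
# Intended to run as SYSTEM from a scheduled task on Windows 7 / PowerShell 2.0.
param(
    [string]$VaultShare = '\\fileserver\LocalAdminVault$',   # assumed restricted share
    [int]$Length = 20,
    [switch]$Register                                        # create the scheduled tasks
)

function New-RandomPassword {
    param([int]$Length = 20)
    # Ambiguous glyphs (0/O, 1/l/I) are left out so the value can be read back by a human.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $buf   = New-Object byte[] 4
    $chars = New-Object char[] $Length
    # Largest multiple of the alphabet size that fits in a uint32; draws at or above it are
    # rejected so each character is chosen uniformly (no modulo bias).
    $limit = [uint32]::MaxValue - ([uint32]::MaxValue % $alphabet.Length)
    for ($i = 0; $i -lt $Length; $i++) {
        do {
            $rng.GetBytes($buf)
            $n = [BitConverter]::ToUInt32($buf, 0)
        } while ($n -ge $limit)
        $chars[$i] = $alphabet[[int]($n % $alphabet.Length)]
    }
    return -join $chars
}

function Get-BuiltinAdministrator {
    # The built-in account keeps RID 500 even when it has been renamed.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'" |
        Select-Object -First 1
}

function Save-VaultRecord {
    param([string]$Share, [string]$Password)
    # Running as SYSTEM, the share is reached as the computer account, so the share ACL
    # must grant that account write access to this folder.
    $path   = Join-Path $Share ("{0}.txt" -f $env:COMPUTERNAME)
    $record = "{0},{1},{2}" -f $env:COMPUTERNAME, (Get-Date -Format 'yyyy-MM-ddTHH:mm:ssK'), $Password
    Set-Content -Path $path -Value $record -Encoding ASCII
    # Read back before the password is changed: a failed write must not lock the box.
    if ((Get-Content -Path $path -ErrorAction Stop) -ne $record) {
        throw "Vault record for $env:COMPUTERNAME did not round-trip"
    }
}

function Set-LocalAccountPassword {
    param([string]$Name, [string]$Password)
    # ADSI keeps the secret off the command line, where 'net user' would expose it to
    # process-creation auditing and anything that can read process command lines.
    $acct = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $acct.SetPassword($Password)
    $acct.SetInfo()
}

function Register-RotationTasks {
    param([string]$ScriptPath)
    # Keep $ScriptPath free of spaces: embedded quotes do not survive the call to schtasks.exe.
    $cmd = "powershell.exe -NoProfile -ExecutionPolicy Bypass -File $ScriptPath"
    # Monthly rotation at 03:00 on the 1st, as SYSTEM.
    schtasks.exe /Create /F /TN 'LocalAdmin-Rotate-Monthly' /RU SYSTEM /SC MONTHLY /D 1 /ST 03:00 /TR $cmd
    # Rotation 30 minutes after a logon. schtasks cannot scope ONLOGON to one account, so this
    # fires for any interactive logon; restrict it to the admin account in the task XML if needed.
    schtasks.exe /Create /F /TN 'LocalAdmin-Rotate-OnLogon' /RU SYSTEM /SC ONLOGON /DELAY 0030:00 /TR $cmd
}

if ($Register) {
    Register-RotationTasks -ScriptPath $MyInvocation.MyCommand.Path
    return
}

$admin = Get-BuiltinAdministrator
if (-not $admin) { throw 'Built-in Administrator account (RID 500) not found' }
$new = New-RandomPassword -Length $Length
Save-VaultRecord -Share $VaultShare -Password $new             # store first ...
Set-LocalAccountPassword -Name $admin.Name -Password $new      # ... then rotate
```

Deploy the script to a local path without spaces and run it once with `-Register` (for example from a startup script or the GPP task itself) to create the two tasks; each later run rotates the password. Two design points are deliberate: the vault record is written and read back before the account is touched, so a share outage cannot leave a machine with an unrecorded password, and the password is passed to the account via ADSI rather than on a `net user` command line, which would otherwise end up in process-creation audit events.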