
Although there appear to be three available options, one of which is actually secure, there seem to be only two available choices that will be able to impact machines that are not powered on at the time of the change, or that are mobile and were not on the network at the time of the change. Neither of the two appears to be a secure option. The three options that I'm aware of are:

  1. Startup scripts with .vbs
  2. GPO using Group Policy Preferences
  3. PowerShell script as a scheduled task.

I dismiss the PowerShell option because I don't know how to effectively target/iterate all the machines on the network and dismiss machines already changed, or what impact that would have in terms of unnecessary network overhead, even though it is probably the best available solution, since the password itself can be stored in a CipherSafe.NET (3rd-party solution) container and passed from the script to the targeted machine. I haven't checked to see if PowerShell can get a password from the Credential Manager of a local Windows machine to use in the script, or if it is possible to store a password there for use with the script either.

The .vbs script option is insecure because the password is stored in clear text in the SYSVOL share, which is available to any domain machine on the network. Anyone that is looking for a back door, with a bit of Googling, will find that door if persistent enough.

The GPO option is also insecure as noted by this MSDN note: http://code.msdn.microsoft.com/Solution-for-management-of-ae44e789

I'm searching for a non-3rd-party solution, which I think should be available or able to be developed in-house with the right knowledge or guidance.

TheCleaner
Sn3akyP3t3

  • Migrated as suggested from here: http://security.stackexchange.com/questions/36411/what-is-the-industry-standard-method-for-administering-the-change-of-the-local-a – Sn3akyP3t3 Jun 20 '13 at 21:49
  • This might get closed, but I hope it doesn't. This is a great question. – MDMarra Jun 20 '13 at 22:16
  • What we have done in one case was using startup scripts to signal when a machine is online and used a server-side script to connect to the machine and set the password accordingly. This is still susceptible to network sniffing attacks, though. – the-wabbit Jun 28 '13 at 06:13

2 Answers

I'm going to go ahead and take my comment to answertown.

It will have to be 3rd party. As you already pointed out, none of the three options you mention are optimal. Microsoft does not provide a perfect way of doing this. There just isn't one. It will be third party, and it will almost surely involve you installing a software agent on all your clients.

I developed a solution for this exact problem (except it worked across many forests and domains simultaneously), and it did involve VBScript for maximum compatibility with as many different versions of Windows as possible, as well as some C# bits and a 3rd-party software agent that, luckily, the company was already using for monitoring purposes and that was therefore already installed on every machine, which I was able to leverage.

Alternatively, you could just disable all local Admin accounts via GPO, which is pretty common. But if something goes wrong with domain sync on that domain member, recovery will be more of a PITA than if you had a recovery "local admin" account.

Edit: Just to clarify: I'm confused when you say that you're "searching for a non 3rd-party solution which ... should be able to be developed in house..." I would consider anything not written by Microsoft as a built-in component of Windows in this context "3rd party." Can you do it with some clever code that uses TLS network communications and stores the secrets in a SQL Server database with transparent data encryption, with some complex hash function that generates a unique password for each machine? YES. Is it built into Windows with no effort required on your part? NO. :)

Ryan Ries

  • I agree, but I will recommend one choice, only because it is free and I've used it over and over with good success (it's not perfect but still). I really like that it updates the "description" field with whatever you want (like date changed and by who): http://searchenterprisedesktop.techtarget.com/tip/Change-a-local-admin-password-with-Local-Security-Utilityexe – TheCleaner Jun 20 '13 at 22:02
  • @TheCleaner Agreed - there are plenty of third-party solutions out there, which was my point, but nothing that comes "out of the box" with Windows. A clever software developer can make this happen, but be careful that it meets all the security requirements that your company and its auditors will need. Such as... does this software transmit the password in clear text over the network? Etc. etc. – Ryan Ries Jun 20 '13 at 22:06
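One way to put the question's PowerShell option and this answer's "unique password per machine from a hash function" idea into practice with nothing stored in SYSVOL, as an added example that is not part of the question or either answer: each machine's password is derived with HMAC-SHA256 from one master secret (kept DPAPI-protected on the administrator's workstation, standing in for the Credential Manager idea in the question) plus the computer name and a rotation tag, and a stamp in the AD computer object's Description is used to skip machines already changed. The ActiveDirectory module, the OU path, the `master.dpapi` file and every function and parameter name are assumptions, not anything from the thread.

```powershell
# Added example, not from the thread. Assumes RSAT's ActiveDirectory module and a domain admin session.
Import-Module ActiveDirectory

# Derive a per-machine password from one master secret. The same inputs always give the same
# password, so nothing per machine needs storing; changing $Epoch rotates every machine.
function Get-MachineLocalAdminPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][byte[]]$MasterKey,
        [Parameter(Mandatory)][string]$Epoch,        # rotation tag, e.g. '2013-06'
        [ValidateRange(12, 32)][int]$Length = 20     # HMAC-SHA256 yields 32 bytes
    )
    $hmac = New-Object System.Security.Cryptography.HMACSHA256 -ArgumentList (,$MasterKey)
    try {
        $label = '{0}|{1}' -f $ComputerName.ToUpperInvariant(), $Epoch
        $mac = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($label))
    } finally { $hmac.Dispose() }
    # 64-symbol alphabet: 256 mod 64 = 0, so the byte-to-symbol mapping is unbiased
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#'
    -join ($mac[0..($Length - 1)] | ForEach-Object { $alphabet[$_ % 64] })
}

# Set the password on one machine and stamp the AD computer object so reruns skip it.
# The stamp is only a rotation tag, not a secret, so a world-readable Description is fine.
function Set-MachineLocalAdminPassword {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][byte[]]$MasterKey,
        [Parameter(Mandatory)][string]$Epoch
    )
    $stamp = "LocalAdminRotated=$Epoch"
    $obj = Get-ADComputer -Identity $ComputerName -Properties Description
    if ($obj.Description -like "*$stamp*") { return 'already-done' }
    if (-not (Test-Connection -ComputerName $ComputerName -Count 1 -Quiet)) { return 'offline' }
    $pw = Get-MachineLocalAdminPassword -ComputerName $ComputerName -MasterKey $MasterKey -Epoch $Epoch
    # Whether this channel is adequately protected on your network is worth confirming with a
    # packet capture, as the-wabbit's comment on the question points out.
    $acct = [ADSI]"WinNT://$ComputerName/Administrator,user"
    $acct.SetPassword($pw)
    $acct.SetInfo()
    Set-ADComputer -Identity $ComputerName -Description $stamp
    return 'changed'
}

# The master secret lives DPAPI-protected for this admin account on this workstation, never in SYSVOL.
# One-time setup: Read-Host -AsSecureString 'Master secret' | ConvertFrom-SecureString | Set-Content master.dpapi
$secure = Get-Content .\master.dpapi | ConvertTo-SecureString
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
$masterKey = [Text.Encoding]::UTF8.GetBytes([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr))
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)

# Iterate the OU; machines reported 'offline' are picked up by the next scheduled run.
Get-ADComputer -Filter * -SearchBase 'OU=Workstations,DC=example,DC=com' | ForEach-Object {
    [pscustomobject]@{ Computer = $_.Name; Result = (Set-MachineLocalAdminPassword -ComputerName $_.Name -MasterKey $masterKey -Epoch '2013-06') }
}
```

Because the derivation is deterministic, a given machine's password can be recomputed on demand from the master secret and the epoch, so the whole scheme is only as strong as the protection of that one secret.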

Well, for the GPO option, the Microsoft article you pointed out (http://code.msdn.microsoft.com/Solution-for-management-of-ae44e789) specifies this in its documentation (download the Documentation.zip file):

  Transfer of password from managed computer to Active Directory is protected by Kerberos Encryption, so it is not possible to know the password by sniffing the network traffic.

  Detailed Technical Specification - Management of password of local Administrator account - page 5

Maybe the article description is not updated, so I say you take a look at the documentation and maybe do some testing while sniffing the traffic; that way you can be sure.

Termiux