[Dshield] Change windows local passwords remotely
areust at comcast.net
Sat Apr 3 02:18:13 GMT 2004
Daniel et al
This is stating the obvious that many have gone through before; it also
states what many will have to go through.
Yes, You can get it under control. Will it be easy? No! Without Backing
there is nothing you can do that will not be felt to be an invasion of "their"
privacy. So you need to be very careful making Plans, provide Choices and
Education... A portion of this education is directed to/approved by Management!
Go hire an outside company to do a Scan of the network and provide the
"proper" security/risk assessment. The final report will open eyes.. Make
sure you have access to the "real data" that the report was created from.
That data tells you which machines are already "owned," which holes to plug
first! Or what holes can be plugged... This also helps management decide
what the balance between Freedom and Security really is... Or what the Co$t
is going to be in Dollar$ to fix the problems. Otherwise "management" tells
you to go out and create more anarchy (just don't get caught).
The compromise between Acceptable Security and Freedom (the balance) is
what "we" are all about. If the University cares more about Freedom than
Security, then Isolate the LAN segments that the Users have access to,
ensure they cannot access anything critical. So what if the users lose files,
it is only anarchy.
Set up VPNs and create a new user agreement that the machine has to meet
minimum Security Standards before it is allowed to access anything that
could be considered a "critical" service. It's only money... So what if
"students" need to compile a file on a server in the "trusted" network...
They are paying for the CS Degree; they should be able to figure it out.
Your DMZ (untrusted) equals 15,000 computers. Let Anarchy Reign! You can
always pull the cable and capture all the open proxies, worms, virus,
captured, and controlled machines. They would be trapped and just feed on
themselves. Then you have time to try to get the someuniversity.edu off
whatever Blacklist.. But then that appears to be the same anarchy that
A properly functioning network has No Place for Anarchy! It does house
machines that can meet "acceptable" risk. Routers/Firewalls reduce/mitigate
those acceptable risks.
You then can manage the Trusted machines.. They are safe, depending on the
risk assessment, You Did get a copy of the data in a format that you can use!
If the Help desk gets a call about a virus tell the user to turn it off..
You ignored "our" best practices and here is a list of local computer
shops, they take Ca$h. When it is repaired please stop by the Student
Center for the AUP and minimum acceptable security standards before it is
allowed back onto the network. Order 100+ of the M$ CDs and let them
patch. Sign the CDs out like a book from the library; state that it is a
$100 fine for failure to return the CD. IT checks the machines before they are
allowed back on the network! Enforce It!
* Create an advertising campaign informing "15,000" why these steps are
* Create intelligent resources so they can learn and decide for themselves.
* Create tools and easy access to programs that make them safe.
* Create the value in making "their" computer safe and productive.
* Create simple tools that are easy to use for people checking in. The
tools take care of Virus software, Spyware and hotfixes. Burning CDs is cheap!
Email "everyone" with return receipt a copy of the AUP, yes, all 15,000
users, with a reasonable reply date (use a special return address). That
gives you the list of who to help first..
Then 60% will co-operate. You then have "value."
The other 40% will have to be forced, for various reasons (anarchy). Then
you can enforce anarchy.
75% of the resistance would be the administrators above you..
Then if some disgruntled student sends something to the newspapers then the
University has the risk assessment to base a reasonable reply on. The one
student falls into the proper perspective. Hmmmm, 1 or 15,000, which one
would you choose? Who is reasonable?
For the Script/Tool that you asked about: Go get Dameware and then anyone
with a Null Password is "freshmeat." Set your password and drop a note on
their desktop. Occasionally open and close the CD tray. Do Not tell them the
Admin Password; create a User account in whatever Win OS.. Tell them as
they leave the University, IT will gladly reset the password for them. It is
At 12:05 AM 4/1/2004 -0500, you wrote:
>Thanks, unfortunately this is going to be run in a university environment; as
>such we do not have direct control/physical access to all the machines so I
>don't think this method would work (unless I'm misunderstanding what you're
>trying to tell me, it is late after all :) )
>This is why we're looking for a tool that can attempt to login to the
>machine remotely using the c$ share for instance using a list of passwords,
>if it is successful it would reset the password and send the user a message
>to let them know we reset the password.
You have just violated their "privacy/freedom" unless you have their
signature on an AUP or similar form that allows you to do that. You are
Wrong! You should have had web pages that explained and showed them how and
why before you get to this point. That is education which promoted
>The procedure I see in my head would be something along the lines of
>1) Connect to a machine, see if it has a NULL password or a weak password
>from a predefined list of bad passwords
>2) if it can log in with the given passwords, it should reset the password to
>something better (random strings or predefined, I'm easy)
>3) after a successful password change send the machine a winpopup telling
>them the administrator password was insecure and has been changed for their
>protection, any questions can be directed to <insert email> and <insert
This presumes that they have another account that is a user.. Then someone
else has access to the "administrator account" other than the Person that
owns the computer or the Domain administrator... How many ways can you say
bad idea? Either the "Domain Admin" and the "User" owns the machine or
everyone owns the machine. Normally Help has a reduced account that can fix
most problems. That would normally be controlled by Policy and Permissions.
But then that Help Account would have to be created and the proper tools
installed to do remote help.
>4) ideally list the IP:NetBIOS_NAME:OLD_PASS:NEW_PASS in a text file on the
>I'm probably going to end up spending the weekend learning VB to take care
>of it, but thought I'd throw the question open to see if I didn't have to
>re-invent the wheel.
Most Win OSes respond to Windows Script Host, which does not require Visual
Basic. Go buy the book. What I sent would work on win 9.x. Obviously Mac or
Nix would be out to Lunch. Your DHCP Servers can tell you what OS the
machine uses; it is only another script to produce the computer list.
Call M$, define the problems and ask how you can resolve it.. You may find
that they can offer valuable advice that the University Administrators can
It is Late and, with 6 hours of meetings today, my mind hurts. Then it is
Friday and I wanted to make sure before I sent the message. To Hell with
grammar... You are in a Pickle...