[Dshield] Change windows local passwords remotely

Al Reust areust at comcast.net
Sat Apr 3 02:18:13 GMT 2004


Daniel et al

This is stating the obvious that many have gone through before; it also 
states what many will have to go through.

Yes, You can get it under control. Will it be easy? No!  Without Backing 
there is nothing you can do that will not be felt to be an invasion of "their" 
privacy. So you need to be very careful making Plans, provide Choices and 
Education... A portion of this education is directed to/approved by Management!

Go hire an outside company to do a Scan of the network and provide the 
"proper" security/risk assessment. The final report will open eyes.. Make 
sure you have access to the "real data" that the report was created from. 
That data tells you which machines are already "owned," which holes to plug 
first! Or what holes can be plugged... This also helps management decide 
what the balance between Freedom and Security really is... Or what the Co$t 
is going to be in Dollar$ to fix the problems. Otherwise "management" tells 
you to go out and create more anarchy (just don't get caught).

The compromise between Acceptable Security and Freedom (the balance) is 
what "we" are all about. If the University cares more about Freedom than 
Security, then Isolate the LAN segments that the Users have access to, 
ensure they cannot access anything critical. So what if the users lose files, 
it is only anarchy.

Set up VPNs and create a new user agreement that the machine has to meet 
minimum Security Standards before it is allowed to access anything that 
could be considered a "critical" service. It's only money... So what if 
"students" need to compile a file on a server in the "trusted" network... 
They are paying for the CS Degree; they should be able to figure it out.

Your DMZ (untrusted) equals 15,000 computers. Let Anarchy Reign! You can 
always pull the cable and capture all the open proxies, worms, viruses, 
captured, and controlled machines. They would be trapped and just feed on 
themselves. Then you have time to try to get someuniversity.edu off 
whatever Blacklist..  But then that appears to be the same anarchy that 
"Freedom" promoted.

A properly functioning network has No Place for Anarchy! It does house 
machines that can meet "acceptable" risk. Routers/Firewalls reduce/mitigate 
those acceptable risks.

You then can manage the Trusted machines..  They are safe, depending on the 
risk assessment. You Did get a copy of the data in a format that you can use!

If the Help desk gets a call about a virus, tell the user to turn it off.. 
You ignored "our" best practices and here is a list of local computer 
shops; they take Ca$h. When it is repaired, please stop by the Student 
Center for the AUP and minimum acceptable security standards before it is 
allowed back onto the network. Order 100+ of the M$ CDs and let them 
patch. Sign the CDs out like a book from the library; state that it is a 
$100 fine for failure to return the CD. IT checks the machines before they are 
allowed back on the network! Enforce It!

Education:
    * Create an advertising campaign informing "15,000" why these steps are 
necessary.

    * Create intelligent resources so they can learn and decide for themselves.

    * Create tools and easy access to programs that make them safe.

    * Create the value in making "their" computer safe and productive.

    * Create simple tools that are easy to use for people checking in. The 
tools take care of Virus software, Spyware and hotfixes. Burning CDs is cheap!


Email "everyone" a copy of the AUP with return receipt, yes, all 15,000 
users, with a reasonable reply date (use a special return address). That 
gives you the list of who to help first..

Then 60% will co-operate. You then have "value."

The other 40% will have to be forced, for various reasons (anarchy). Then 
you can enforce anarchy.

75% of the resistance would be the administrators above you..

Then if some disgruntled student sends something to the newspapers, the 
University has the risk assessment to base a reasonable reply on. The one 
student falls into the proper perspective. Hmmmm, 1 or 15,000, which one 
would you choose? Who is reasonable?

For the Script/Tool that you asked about: Go get Dameware, and then anyone 
with a Null Password is "freshmeat." Set your password and drop a note on 
their desktop. Occasionally open and close the CD tray. Do Not tell them the 
Admin Password; create a User account in whatever Win OS.. Tell them that as 
they leave the University, IT will gladly reset the password for them. It is 
only Anarchy..

More, below

At 12:05 AM 4/1/2004 -0500, you wrote:

>Thanks, unfortunately this is going to be run in a university environment; as
>such we do not have direct control/physical access to all the machines so I
>don't think this method would work (unless I'm misunderstanding what you're
>trying to tell me, it is late after all :) )
>
>This is why we're looking for a tool that can attempt to login to the
>machine remotely using the c$ share for instance using a list of passwords,
>if it is successful it would reset the password and send the user a message
>to let them know we reset the password.

You have just violated their "privacy/freedom" unless you have their 
signature on an AUP or similar form that allows you to do that. You are 
Wrong! You should have had web pages that explained and showed them how and 
why before you get to this point. That is education which promotes 
co-operation..



>The procedure I see in my head would be something along the lines of
>
>1) Connect to a machine, see if it has a NULL password or a weak password
>from a predefined list of bad passwords
>
>2) if it can login with the given passwords, it should reset the password to
>something better (random strings or predefined, I'm easy)
>
>3) after a successful password change send the machine a winpopup telling
>them the administrator password was insecure and has been changed for their
>protection, any questions can be directed to <insert email> and <insert
>phone>

This presumes that they have another account that is a user.. Then someone 
else has access to the "administrator account" other than the Person that 
owns the computer or the Domain administrator... How many ways can you say 
bad idea? Either the "Domain Admin" and the "User" own the machine or 
everyone owns the machine. Normally Help has a reduced account that can fix 
most problems. That would normally be controlled by Policy and Permissions. 
But then that Help Account would have to be created and the proper tools 
installed to do remote help.


>4) ideally list the IP:NetBIOS_NAME:OLD_PASS:NEW_PASS in a text file on the
>scanning machine.
>
>I'm probably going to end up spending the weekend learning VB to take care
>of it, but thought I'd throw the question open to see if I didn't have to
>re-invent the wheel.

Most Win OSes respond to Windows Script Host, which does not require Visual 
Basic. Go buy the book. What I sent would work on Win 9.x. Obviously Mac or 
Nix would be out to Lunch. Your DHCP Servers can tell you what OS the 
machine uses; it is only another script to produce the computer list.

Call M$, define the problems and ask how you can resolve them.. You may find 
that they can offer valuable advice that the University Administrators can 
understand.


Phew <Snipped>

It is Late and with 6 hours of meetings today.. My mind hurts. Then it is 
Friday and I wanted to make sure before I sent the message. To Hell with 
grammar... You are in a Pickle...

R/

Al