Sorry I didn't respond back earlier, much needed holiday time off. In any
case, let me attempt to address all of your points.
1) With regards to VMware and SAN boot machines, the same method can and
should apply. Each system would continue to maintain its local copy of the
SAM database. As far as multi-OS and BMR (not familiar with this) images,
the same would apply. However, from the original message, I was basing my
statement on production systems (namely servers and not workstations). Now
as environments vary, many may have systems like this, but in our
environment we do not run multi-OS production systems. Development/Staging
environment, yes we may have these, but we still use the same methods.
2) With regards to the script, this script is actually run from a secured
administrator workstation that makes the necessary calls to the target
systems to change the passwords. Nothing of this nature runs locally on the
targeted servers.
3) With regards to the password length, we maintain a strict domain
authentication policy. No one logs on locally to systems that are part of a
parent domain. The local passwords are secured both in a secure password
database, as well as sealed in envelopes locked in a safe. In my
organization, there are only 3 persons who have access to this database (I
and the 2 managers that report to me). As for the safe, only I and my
director have access to it. We have strict rules for situations when this
information has to be retrieved.
As I stated earlier, this type of policy and system may not work for all.
One would have to examine the environment that they are working in and put a
system in place that works best for them.
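As an added illustration of the process in points 2 and 3 above (example code, not the poster's script): each server gets its own random local Administrator password, generated on the admin workstation and pushed over PowerShell Remoting, with the result recorded in a DPAPI-protected file on that workstation. Host names, the vault path, and the use of the LocalAccounts module are assumptions.

```powershell
# Added example, not code from the thread: rotate the local Administrator
# password on each server from a secured admin workstation. Assumes PowerShell
# 5.1+ with the LocalAccounts module on the targets, PowerShell Remoting
# enabled, and that the caller already holds local admin rights on them.
$Targets   = @('srv-app01', 'srv-db01')        # placeholder host names
$VaultPath = 'C:\AdminVault\local-admin.xml'    # placeholder vault location

function New-RandomPassword {
    param([int]$Length = 32)
    # Generated on the workstation with a CSPRNG; nothing is derived on the target.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*-_=+'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes above this: no modulo bias
    $sb    = New-Object System.Text.StringBuilder
    $b     = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($b)
        if ($b[0] -lt $limit) { [void]$sb.Append($alphabet[$b[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

function Invoke-LocalAdminRotation {
    param([string[]]$ComputerName, [string]$Vault)
    $records = foreach ($h in $ComputerName) {
        $secure = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
        try {
            # Only the Set-LocalUser call reaches the target; the script itself
            # never lands on its disk, so there is nothing there to intercept.
            Invoke-Command -ComputerName $h -ArgumentList $secure -ScriptBlock {
                param([securestring]$p)
                Set-LocalUser -Name 'Administrator' -Password $p
            }
            [pscustomobject]@{ Host = $h; Password = $secure; Rotated = Get-Date; Ok = $true }
        } catch {
            Write-Warning "Rotation failed on ${h}: $_"
            [pscustomobject]@{ Host = $h; Password = $null;   Rotated = Get-Date; Ok = $false }
        }
    }
    # Export-Clixml writes SecureStrings DPAPI-encrypted for this user on this
    # workstation; only that account can read them back with Import-Clixml.
    $records | Export-Clixml -Path $Vault
    $records
}

Invoke-LocalAdminRotation -ComputerName $Targets -Vault $VaultPath |
    Format-Table Host, Rotated, Ok
```

In a production version, persist each new password to the vault before pushing it, so a failure between the two steps never leaves a host whose new password was not recorded.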
-----Original Message-----
From: Tim Eddy [mailto:EDDYT (at) stgeorge.com (dot) au [email concealed]]
Sent: Wednesday, November 26, 2003 16:24
To: JWHERBOLD (at) arkbluecross (dot) com [email concealed]; focus-ms (at) securityfocus (dot) com [email concealed]; Clark, Andre M.
Subject: RE: local admin account password
How do you deal with VMware sessions, and SAN boot servers that can be
powered off for long periods, and multi-OS machines, and BMR images?
How do you securely get your password changing script out to all machines? I
assume you're using a software delivery agent that is running under local
system. If you're using a script to change it, then a user could just redirect
your script as it is run on the machine and get the new password.
If your password was 127 characters long, the admins would write it down on
bits of paper. If it's easy enough for them to remember each week, then it
can be cracked within a week.
<snip>
>>> "Clark, Andre M." <Andre.Clark (at) timewarner (dot) com [email concealed]> 27/11/2003 4:35:30 am >>>
Folks,
I concur. This is what I do in my environment. Take note that if you have
Windows 2000, or higher systems, you can have a password up to 127
characters. Yes this is extreme but if anyone can crack a password that
long and get into your system you have other problems (i.e. how did a person
get the opportunity to spend that much time hitting against one system).
André M. Clark
Sr. Manager, Engineering & Support Services
<<<<<snip>
**********************************************************************
***** IMPORTANT INFORMATION *****
This document should be read only by those persons to whom
it is addressed and its content is not intended for use by
any other persons. If you have received this message in
error, please notify us immediately. Please also destroy and
delete the message from your computer. Any unauthorised form
of reproduction of this message is strictly prohibited.
St.George is not liable for the proper and complete transmission
of the information contained in this communication, nor for any
delay in its receipt.
**********************************************************************
========================================================================
======
This message is the property of Time Warner Inc. and is intended only for the use of the addressee(s) and may be legally privileged and/or confidential. If the reader of this message is not the intended recipient, or the employee or agent responsible to deliver it to the intended recipient, he or she is hereby notified that any dissemination, distribution, printing, forwarding, or any method of copying of this information, and/or the taking of any action in reliance on the information herein is strictly prohibited except by the original recipient or those to whom he or she intentionally distributes this message. If you have received this communication in error, please immediately notify the sender, and delete the original message and any copies from your computer or storage system. Thank you
========================================================================
======