If your password is the same on all of them, the chances are that once one is
hacked, the whole bunch will be. Anyway, how can you be sure they aren't
hacked? You can only prove you are hacked, not that you aren't.

Also consider this. I am an admin on Machine X and only on Machine X. You
set the built-in admin so you can get in. I happened to have installed a
password filter and picked off that password; I now am an admin on all of
your workstations. Alternately I dump the SAM and crack it and have the
same effect. Remember, I am the owner of the box if I physically sit at it.
You can't stop me if I really want in and to do things.

As you say, they are workstations, who cares. Set a random password with a
random number of characters over 14 characters and forget about it. If you
need in, crack the box. What does that add? Like a single reboot and maybe 2
minutes to the domain join time?

Alternately, if you don't want random passwords, you set the passwords based
on some algorithm that uses info specific to the box and don't publish the
algorithm.

No matter what though, I would push for different passwords on every
machine.


   joe


--
O'Reilly Active Directory Third Edition -
http://www.joeware.net/win/ad3e.htm 
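The two per-machine schemes joe describes above (a random password of random length over 14 characters, or a password derived from an unpublished algorithm keyed on machine-specific data) as an added PowerShell example, not code from the thread or from joe. It assumes Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module, an elevated session, and a secret supplied out of band; the function names and the placeholder secret are this example's own.

```powershell
# Added example, not from the original thread. Per-machine local Administrator
# passwords: random (scheme 1) or derived from a secret plus the computer name
# (scheme 2), applied to the RID-500 account regardless of what it was renamed to.

function New-RandomLocalAdminPassword {
    # Random length between MinLength and MaxLength, each character drawn from
    # the alphabet with a CSPRNG and rejection sampling (no modulo bias).
    param([int]$MinLength = 16, [int]$MaxLength = 32)
    $alphabet = [char[]]('ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+')
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $lenBytes = [byte[]]::new(4)
    $rng.GetBytes($lenBytes)
    $length = [int]($MinLength + ([BitConverter]::ToUInt32($lenBytes, 0) % ($MaxLength - $MinLength + 1)))
    $limit = 256 - (256 % $alphabet.Length)   # largest multiple of the alphabet size that fits in a byte
    $chars = foreach ($i in 1..$length) {
        $b = [byte[]]::new(1)
        do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
        $alphabet[$b[0] % $alphabet.Length]
    }
    -join $chars
}

function Get-DerivedLocalAdminPassword {
    # HMAC-SHA256(secret, COMPUTERNAME): reproducible from the secret alone, so
    # nothing has to be stored per machine. The secret is the whole security.
    param(
        [Parameter(Mandatory)][string]$Secret,
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Length = 24
    )
    $hmac = [System.Security.Cryptography.HMACSHA256]::new([Text.Encoding]::UTF8.GetBytes($Secret))
    $mac  = $hmac.ComputeHash([Text.Encoding]::UTF8.GetBytes($ComputerName.ToUpperInvariant()))
    # Base64 of 32 bytes is 44 chars and already mixes case, digits and '+' '/'.
    [Convert]::ToBase64String($mac).Substring(0, $Length)
}

function Set-LocalAdminPassword {
    # Target the built-in Administrator by its well-known RID (500), not by name.
    param([Parameter(Mandatory)][string]$Password)
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'Built-in Administrator (RID 500) not found' }
    $secure = ConvertTo-SecureString $Password -AsPlainText -Force
    Set-LocalUser -SID $admin.SID -Password $secure
}

# Scheme 1: random password; record $pw in a secured store of your choice
# (this script deliberately writes it nowhere).
$pw = New-RandomLocalAdminPassword
Set-LocalAdminPassword -Password $pw

# Scheme 2: derived password; 'REPLACE-ME' is a placeholder for the real secret.
$derived = Get-DerivedLocalAdminPassword -Secret 'REPLACE-ME'
Set-LocalAdminPassword -Password $derived
```

Scheme 2 trades a shared password for a shared key: anyone holding the secret and the script can regenerate every machine's password, so the secret has to be guarded as tightly as the spreadsheet it replaces. Scheme 1 has no such recoverable key, which is why it needs a store for the generated values; that is the model Microsoft later shipped as LAPS.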
 


-----Original Message-----
From: [EMAIL PROTECTED]
[mailto:[EMAIL PROTECTED] On Behalf Of Za Vue
Sent: Tuesday, January 31, 2006 1:24 PM
To: [email protected]
Subject: Re: [ActiveDir] Reset Local Admin Passwords

It is hard to keep track of 1000 local machines and their administrator
accounts and passwords. I go with the idea of keeping them the same.
Just run scripts to change them regularly and have strong passwords. I like
to script everything. You mean you want to have 1000 different admin accounts
and passwords stored on a spreadsheet? What if the SID corrupts, then what?
You have to open the file, browse over the names and passwords, etc. and log
in locally and rejoin the domain. They are just workstations. So if one or
two got hacked, you re-image them. User files and folders are stored on a
server, right?

Turn off file sharing to the clients; they don't need file sharing turned on.
If you need to remotely access (Hyena, DameWare, etc.) or manage the workstations,
then enable the firewall, but only allow access to the clients from a single
workstation IP, your machine, or multiple IPs. This should be done through GPO.
Block out the 65000+ ports and allow only the ports you need: Kerberos, AD
Replication (forced), DNS, etc.

-Z.V.
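The firewall posture Za Vue describes (everything inbound blocked, remote management allowed only from named admin IPs) as an added PowerShell example; it is not code from the thread or from Za Vue. It assumes Windows 8 / Server 2012 or later (the NetSecurity module) and an elevated session; the management addresses, rule names and port list are placeholders. A workstation's own Kerberos, LDAP and DNS traffic is outbound and is untouched by an inbound default-deny, so no allow rules are needed for it.

```powershell
# Added example, not from the original thread. Default-deny inbound on the
# domain profile, then allow remote management only from the admin hosts.
# The addresses below are placeholders for your management workstations.
$ManagementHosts = @('10.0.0.10', '10.0.0.11')

# Block all inbound by default; outbound stays open for the client-initiated
# Kerberos/LDAP/DNS traffic a domain member needs.
Set-NetFirewallProfile -Profile Domain -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Inbound allow rules scoped to the management hosts only:
# SMB (admin shares / remote registry), RPC endpoint mapper, WinRM.
$rules = @(
    @{ Name = 'Mgmt-SMB-445';    Port = 445  },
    @{ Name = 'Mgmt-RPC-135';    Port = 135  },
    @{ Name = 'Mgmt-WinRM-5985'; Port = 5985 }
)
foreach ($r in $rules) {
    New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol TCP `
        -LocalPort $r.Port -RemoteAddress $ManagementHosts `
        -Profile Domain -Action Allow | Out-Null
}

# Verify: every enabled inbound allow rule and the remote addresses it is scoped to.
# Anything listed with RemoteAddress 'Any' is an unscoped hole worth a second look.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    '{0}: {1}' -f $_.DisplayName, ($addr -join ', ')
}
```

Run locally this configures one machine; to push the same policy through a GPO as the message suggests, the same cmdlets take -PolicyStore with a GPO target ('domain\GPOName') and write the rules into the policy object instead of the local store.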



>Okay, just to offer a counterpoint to your underlying plan - you do 
>realise that by using a single local admin password across your 
>enterprise, if even -one- of those workstations gets the admin password 
>compromised, the attacker who did so now has local admin rights to 
>every workstation on your network?  With apologies to Jesper 
>Johannsen[1], it's one of those "How to get your network hacked in 10 
>easy steps" things - if I've just compromised the local admin password 
>of WorkstationA, what do you think is going to be the very first 
>password I try when I move on to try and compromise WorkstationB?
>
>
>[1] And additional apologies for the fact that I'm sure I just spelled 
>his name wrong.
>
>--
>-----------------------
>Laura E. Hunter
>Microsoft MVP - Windows Server Networking
>Author: _Active Directory Consultant's Field Guide_ (http://tinyurl.com/7f8ll)
>List info   : http://www.activedir.org/List.aspx
>List FAQ    : http://www.activedir.org/ListFAQ.aspx
>List archive: 
>http://www.mail-archive.com/activedir%40mail.activedir.org/
>  
>
