I haven't tried it, but I would have assumed (I know, I know) that if somebody *could* gain the computer account password:
1) you have much bigger issues
2) they would have access to a machine. See #1
3) they would have access to anything that authenticated users have access to. See #1
4) they know enough about your systems to mount a pretty good attack. See #1
IIRC, machine accounts can get old for various but legitimate reasons. Consider a laptop that hasn't been back on your trusted network for over 30 days. It would have an old password, but it may be legitimate and may come back to your network in the next 60 and would be able to synchronize its password changes then. You really have to protect the source of the machine account password, which is random and is not readily available. Do you have a way to get the machine account passwords? If so, why? And if you have them, why don't you just go after the user passwords? On 1/8/07, Mr Oteece <[EMAIL PROTECTED]> wrote:
What are the risks associated with the exposure of machine account passwords in Active Directory? Passwords are changed for machine accounts regularly, but they don't really expire and can get rather old. If an attacker has access to this password, what sort of access would he have to other systems on the network via Kerberos? i.e., would he be able to forge service tickets as other users and elevate his access elsewhere? The laxness of policy surrounding these accounts suggests that this is not a huge risk. Should we be more concerned with these old passwords? Otis
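The thread turns on how old a machine account password can legitimately get (the 30-day change interval, and a laptop that may not return for another 60 days). The following is an added example, not code from either poster: a small Python audit that converts the `pwdLastSet` FILETIME values you would pull from computer objects into an age and sorts accounts into "current", "overdue" (plausibly an off-network laptop) and "stale" buckets, so the old ones can be reviewed rather than assumed harmless. The input records, the account names and the reference date are constructed for the example; the 30-day and 60-day thresholds are taken from the discussion above and are parameters.

```python
from datetime import datetime, timedelta, timezone

# Active Directory stores pwdLastSet as a Windows FILETIME:
# 100-nanosecond ticks since 1601-01-01 00:00 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a FILETIME integer (e.g. pwdLastSet) to an aware UTC datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here to build sample records."""
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


def classify_password_age(age_days: int, max_age_days: int = 30, grace_days: int = 60) -> str:
    """Bucket an age in days against the change interval and an off-network grace window."""
    if age_days <= max_age_days:
        return "current"          # changed within the normal interval
    if age_days <= max_age_days + grace_days:
        return "overdue"          # e.g. a laptop that has not been back on the network yet
    return "stale"                # well past any plausible off-network period: review it


def audit_machine_accounts(records, now: datetime, max_age_days: int = 30, grace_days: int = 60):
    """Return (sAMAccountName, age_in_days_or_None, status) for each computer record.

    records: iterable of dicts with at least 'sAMAccountName' and 'pwdLastSet'
    (the shape an LDAP export of computer objects would give; assumed here).
    """
    findings = []
    for rec in records:
        ft = int(rec["pwdLastSet"])
        if ft == 0:
            # pwdLastSet of 0 means the password has never been set since creation/reset.
            findings.append((rec["sAMAccountName"], None, "never-set"))
            continue
        age = (now - filetime_to_datetime(ft)).days
        findings.append((rec["sAMAccountName"], age, classify_password_age(age, max_age_days, grace_days)))
    return findings


# Constructed sample data, anchored to the date of the thread (2007-01-08).
NOW = datetime(2007, 1, 8, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    {"sAMAccountName": "WS-ALICE$",  "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=5))},
    {"sAMAccountName": "LAPTOP-BOB$", "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=45))},
    {"sAMAccountName": "OLDSRV$",    "pwdLastSet": datetime_to_filetime(NOW - timedelta(days=200))},
    {"sAMAccountName": "NEWBOX$",    "pwdLastSet": 0},
]

if __name__ == "__main__":
    for name, age, status in audit_machine_accounts(SAMPLE_RECORDS, NOW):
        print(f"{name:<12} age={age!s:>5}  {status}")
```

In practice the records would come from a directory query for computer objects with their `pwdLastSet` attribute; the point of the "overdue" bucket is exactly the reply's laptop case, so only the "stale" and "never-set" rows need a human to decide whether the object is a forgotten machine that should be disabled.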
