> And then, how are you going to store the private key securely? All you’ve done is move what needs to be protected from the text file to the private key.
Yes, but don’t all authorization/cryptographic issues reduce to protecting a private key/secret? I wasn’t clear – the private key would not be on the server, instead shared directly on technician computers. And the private key would be password-protected, as well.

> Also, I don’t get the bit about “append access” – I don’t know how you append something to an encrypted file without decrypting it.

I wasn’t clear here, either. My solution is plain-text ASCII-armored PGP, which can be blind-appended to text files while keeping the integrity of individual units of encrypted information. The goal of this solution is that the computer sending the password to a central repository never knows anything that could reverse the process. And once it’s stored, access to it is ACL protected, audited, and armored with a layer of encryption that can only be defeated with further intrusions, increasing risk of detection.

It’s a hacky way to do it, but it does work, and all with only a little bit of basic batch scripting. There are many people who are trying to make things better who will not have access or trust to extend the AD schema. This is a solution that works for them. Microsoft’s solution is the better one in the end. But this is another option for anyone with basic scripting skills who needs it.

Daniel Wolf

From: [email protected] [mailto:[email protected]] On Behalf Of Ken Schaefer
Sent: Wednesday, November 5, 2014 6:43 PM
To: [email protected]
Subject: RE: [NTSysADM] Has anyone implemented this solution?

And then, how are you going to store the private key securely? All you’ve done is move what needs to be protected from the text file to the private key. The stuff about ACLs is kinda moot, as you’d have ACLs to protect the plain text file, or ACLs to protect the private key.

Also, I don’t get the bit about “append access” – I don’t know how you append something to an encrypted file without decrypting it. But that’s not a fatal issue.
In all these things, technology isn’t the issue, something Bruce Schneier acknowledges in Secrets and Lies. Applied Cryptography gave us all this great technical information on how to protect things with encryption. But it’s not encryption that’s the weak point.

Cheers
Ken

From: [email protected] [mailto:[email protected]] On Behalf Of Daniel Wolf
Sent: Thursday, 6 November 2014 10:47 AM
To: [email protected]
Subject: RE: [NTSysADM] Has anyone implemented this solution?

Public key encryption is the answer. You set a random password, encrypt it with a public key and send it to a text file named after the computer’s name on a network share with append-only access for non-IT accounts. When you need a password you grab the text file from the network share, decrypt it with the private key, and you’re golden. With file auditing on the server share, you even have logs of who’s looked at each file.

Breaking this model then requires that someone have the private key, AND the password to unlock the private key, AND steal IT credentials to read the files (ACL-based security). You can take even further steps for additional defense in depth, but this basic layout accomplishes almost every goal most people bring up.

Daniel Wolf

From: [email protected] [mailto:[email protected]] On Behalf Of Ken Schaefer
Sent: Wednesday, November 5, 2014 5:11 PM
To: [email protected]
Subject: RE: [NTSysADM] Has anyone implemented this solution?

Where are you going to store the encryption key?

From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
Sent: Thursday, 6 November 2014 4:06 AM
To: [email protected]
Subject: Re: [NTSysADM] Has anyone implemented this solution?

Yes, if the file it's in is encrypted.
--Matt Ross
Ephrata School District

Kennedy, Jim <[email protected]>, 11/5/2014 5:35 AM:

Are you two ok with storing important passwords in a text document on a share and using ACLs to secure that?

From: [email protected] [mailto:[email protected]] On Behalf Of Matthew W. Ross
Sent: Tuesday, November 4, 2014 7:52 PM
To: [email protected]
Subject: Re: [NTSysADM] Has anyone implemented this solution?

If you don't trust Windows based ACLs, how do you secure anything in Windows?

--Matt Ross
Ephrata School District

Michael B. Smith <[email protected]>, 11/4/2014 4:46 PM:

Do you trust Windows ACL-based security? If not - well, you might have a lot of other concerns as well.

-----Original Message-----
From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
Sent: Tuesday, November 4, 2014 7:41 PM
To: [email protected]
Subject: Re: [NTSysADM] Has anyone implemented this solution?

Yes, they are stored in plain text in the AD field. That's something to think about, and something to test in the lab.

Kurt

On Tue, Nov 4, 2014 at 4:18 PM, Kennedy, Jim <[email protected]> wrote:
> My kid just pointed out that in the fine print it states the passwords are stored in plain text. Yeah, they are restricted access but still.....
>
> Comments mention you can get them encrypted with Premier.
>
> ------ Original message------
> From: Kurt Buff
> Date: Tue, Nov 4, 2014 3:51 PM
> To: [email protected];
> Subject: Re: [NTSysADM] Has anyone implemented this solution?
>
> Cool. I'll see if I can lab this up, and if I get it working, I'll report back.
>
> Thanks!
> Kurt
>
> On Tue, Nov 4, 2014 at 12:35 PM, Kennedy, Jim <[email protected]> wrote:
>> Ok, got one confirmation from Twitter that it deployed with no problems and works as advertised.
>>
>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf Of Kurt Buff
>> Sent: Tuesday, November 4, 2014 2:42 PM
>> To: [email protected]
>> Subject: [NTSysADM] Has anyone implemented this solution?
>>
>> If so, how did it go? Any gotchas?
>>
>> Blog article on implementation
>> http://blogs.technet.com/b/askpfeplat/archive/2014/05/19/how-to-automate-changing-the-local-administrator-password.aspx
>>
>> Code for the project
>> https://code.msdn.microsoft.com/Solution-for-management-of-ae44e789
>>
>> I might have the chance to implement, but wanted feedback before I put it up in a lab.
>>
>> Thanks,
>>
>> Kurt
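Added example, not written by any of the thread's participants: a PowerShell sketch of the drop-box scheme Daniel Wolf describes above (random password, encrypt with a public key, append an ASCII-armored record to a per-computer file on a share, decrypt later with the private key), using Windows' built-in CMS cmdlets in place of the PGP he used. It assumes PowerShell 5.1, a Document Encryption certificate whose public half sits at the hypothetical path below on every workstation and whose private key exists only in technicians' certificate stores, and a hypothetical share that already carries the ACLs and auditing discussed in the thread.

```powershell
# Added example for the scheme described in the thread; hypothetical paths throughout.
$PublicCert = 'C:\ProgramData\LocalAdminDrop\technicians.cer'   # public half only
$DropShare  = '\\fileserver\LocalAdminDrop'                      # per-computer text files

function New-RandomPassword {
    param([int]$Length = 24)
    # Ambiguous glyphs (I, O, l, 0, 1) left out so technicians can read it over the phone.
    $alphabet = [char[]]'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#%&*+-=?@'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] 1
    $sb  = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        # Rejection sampling: discard bytes above the largest multiple of the alphabet size
        # so every character is equally likely (plain modulo would bias toward early letters).
        if ($buf[0] -lt 256 - (256 % $alphabet.Length)) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    return $sb.ToString()
}

# Workstation side: rotate the local Administrator password and drop an encrypted record.
function Invoke-LocalAdminRotation {
    $password = New-RandomPassword
    Set-LocalUser -Name 'Administrator' -Password (ConvertTo-SecureString $password -AsPlainText -Force)
    $record = "$(Get-Date -Format o) $env:COMPUTERNAME $password"
    # Protect-CmsMessage emits an armored block (-----BEGIN CMS----- ... -----END CMS-----),
    # so the record can be appended without reading or re-encrypting earlier ones.
    $armored = Protect-CmsMessage -To $PublicCert -Content $record
    Add-Content -Path (Join-Path $DropShare "$env:COMPUTERNAME.txt") -Value $armored
    Remove-Variable password, record   # drop the plaintext references as soon as possible
}

# Technician side: every block decrypts on its own, so one damaged record does not hide the rest.
function Get-LocalAdminHistory {
    param([string]$ComputerName)
    $text    = Get-Content -Raw (Join-Path $DropShare "$ComputerName.txt")
    $pattern = '(?s)-----BEGIN CMS-----.*?-----END CMS-----'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        try   { Unprotect-CmsMessage -Content $m.Value }   # needs the private key in the store
        catch { Write-Warning "Skipping unreadable record in $ComputerName.txt: $_" }
    }
}
```

Get-LocalAdminHistory returns the records oldest first, so the last one printed is the current password; whether the share ACL can grant append without read, which Ken questions, is an NTFS design question this script does not settle.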

