Increase your machines' security with a unique local-administrator password

Set up Active Directory so that users who are locked out of their Windows machine while off-site can still get access to their local machine in a secure, effective manner.



In a nutshell:

  1. Extend the A/D Schema
    • For computer objects, add a localAdminPwd field
    • Set an ACL on this field: only accessible to Domain Admins and your helpdesk team
  2. Configure Group Policy
    • local administrator: denied log on from the network
  3. Set random password for each local administrator
    • Use a script to generate a random password
    • store password in A/D
    • set the password on the machine's administrator account
    • if you fail, roll back so the two are always in sync
  4. Add scripts to the Active Directory Users and Computers administrative tool
    • "Get local admin password" - will show helpdesk members the current password for a given computer account
    • "Set local admin password" - will generate a random password and set it on the machine and in A/D (or roll back)
  5. (optional) Enable Paranoid mode
    • Add a 2nd field in A/D: pwdLastChanged
    • Use a scheduled task to change the local administrator password every so often in A/D and on the local machine
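The outline above is a procedure, so here is one way to implement steps 3 to 5 end to end. This is an added example, not the author's scripts (which were never published): it assumes the schema extension from step 1 already exists with the attribute names used in the post (localAdminPwd and pwdLastChanged, the latter assumed to hold a date string), that the RSAT ActiveDirectory module is installed on the helpdesk machine, and that the built-in account is still called Administrator. The function names are hypothetical. Hooking the two actions into the right-click menu of Active Directory Users and Computers (step 4) is not shown; that is a display-specifier change on top of these functions.

```powershell
# Added example, not the post's own code. Assumes the custom attributes
# localAdminPwd and pwdLastChanged exist on computer objects (step 1) and
# that the attribute ACL limits who may read/write them.
Import-Module ActiveDirectory

function New-RandomPassword {
    param([int]$Length = 20)
    # Alphabet without look-alike characters (0/O, 1/l/I), because the
    # password may have to be read out over the phone.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!#$%&*+-=?@'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $chars = New-Object char[] $Length
    $buf   = New-Object byte[] 1
    # Rejection sampling: bytes at or above $limit would bias the modulo
    # towards the first characters of the alphabet, so they are discarded.
    $limit = 256 - (256 % $alphabet.Length)
    for ($i = 0; $i -lt $Length; ) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            $chars[$i] = $alphabet[$buf[0] % $alphabet.Length]
            $i++
        }
    }
    $rng.Dispose()
    return -join $chars
}

function Get-LocalAdminPassword {
    # "Get local admin password": read the custom attribute. Access control
    # is done by the ACL on the attribute, not by this function.
    param([Parameter(Mandatory)][string]$ComputerName)
    $c = Get-ADComputer -Identity $ComputerName -Properties localAdminPwd
    return $c.localAdminPwd
}

function Set-LocalAdminPassword {
    # "Set local admin password": write to A/D first, then to the machine,
    # and roll A/D back if the machine cannot be updated, so the two never
    # drift apart (step 3 of the outline).
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [string]$AccountName = 'Administrator'   # assumption: built-in account not renamed
    )
    $previous = Get-LocalAdminPassword -ComputerName $ComputerName
    $new = New-RandomPassword

    # 1. Store the new password in A/D
    Set-ADComputer -Identity $ComputerName -Replace @{ localAdminPwd = $new }

    # 2. Set it on the machine through the ADSI WinNT provider (needs admin
    #    rights on the target and network reachability from the helpdesk host)
    try {
        $account = [ADSI]"WinNT://$ComputerName/$AccountName,user"
        $account.SetPassword($new)
        $account.SetInfo()
    }
    catch {
        # 3. Roll back so A/D never holds a password the machine does not have
        if ($null -ne $previous) {
            Set-ADComputer -Identity $ComputerName -Replace @{ localAdminPwd = $previous }
        } else {
            Set-ADComputer -Identity $ComputerName -Clear localAdminPwd
        }
        throw "Could not set password on $ComputerName; A/D value rolled back. $_"
    }
    Set-ADComputer -Identity $ComputerName -Replace @{ pwdLastChanged = (Get-Date).ToString('o') }
    return $new
}

function Invoke-LocalAdminPasswordRotation {
    # Step 5 ("paranoid mode"): run from a scheduled task. Rotates every
    # computer whose pwdLastChanged is older than MaxAgeDays or unset.
    param([int]$MaxAgeDays = 30)
    $cutoff = (Get-Date).AddDays(-$MaxAgeDays)
    foreach ($c in Get-ADComputer -Filter * -Properties pwdLastChanged) {
        $last = if ($c.pwdLastChanged) { [datetime]$c.pwdLastChanged } else { [datetime]::MinValue }
        if ($last -lt $cutoff) {
            try   { Set-LocalAdminPassword -ComputerName $c.Name | Out-Null }
            catch { Write-Warning $_ }   # machine offline: A/D was rolled back, retry next run
        }
    }
}

# Usage from a helpdesk workstation:
#   Set-LocalAdminPassword -ComputerName 'CFO-LAPTOP'   # hypothetical computer name
#   Get-LocalAdminPassword -ComputerName 'CFO-LAPTOP'
```

The ordering in Set-LocalAdminPassword is the important part: the A/D write happens first because that is the copy the helpdesk will read, and a failure on the machine side is recoverable (restore the old attribute value) whereas a machine that has a password nobody recorded is not. Rotation deliberately tolerates unreachable machines; they keep their old, still-recorded password until the next run.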

In action:

Suppose your CFO is on a business trip. Unfortunately, she forgot her Windows password. She is scheduled to give a keynote to a major client in 10 minutes ("yeah well, I changed my password 3 days ago, can't remember it now. I didn't write it down, as you recommended, but now I'm stuck!").

Problem? No Problem
  • Locate the computer in A/D. Right-click and select "Get Local Admin Password" (remember, you must be a Domain Admin or helpdesk member to do that).
  • Spell it out to your CFO (or send it by SMS?).
  • She can now log in. Catastrophe averted.
  • If you have time, have her start the VPN dialer and reset her A/D account's password, then log in with that. No time? Just use the local administrator account for now.


Where do we go from here?

We've been using this for a few months now, and it really works.
In fact, we also plan a self-help service that will send the admin password by SMS to registered phone numbers.

So... what do you think? Where have we gone terribly wrong?!
I hope to share the sources and a bit more details soon.

Comments

  1. This sounds pretty cool. Would you be able to share the scripts you use to complete this?

  2. Thanks Keith, I can't really share code at the moment. I plan to post some more updates on how this works in a short while.
