
Random Admin Password Unattended Setup



Hello all!

First of all, I'd like to say that this board is awesome. It's very interesting to see how much people help others. :thumbup

In a context where security is a big priority for sys admins :ph34r: , most of you, I hope, have a different local administrator password. (Don't you?) :unsure:

Here is my setup scenario:

1) I'd like to be able to generate a random password for the local administrator account

2) Once Windows has finished installing, on first logon, be able to log on as "local administrator"

3) Dump the generated password somewhere on my network

Am I dreaming, or is this possible? :huh:

Thank you for your answer!



I'd say that the possibility of generating and using a random password is a lot greater than the possibility of it dumping the password to a text file.

I know you are thinking of security, but look at it from another angle. Why would you EVER want your admin passwords dumped to a cleartext text file?!?!? :) If that were the case, just imagine how many more systems would be vulnerable to attack.


jfmartel, what you *CAN* do instead, is do a RIS install (over the network).

And since you have control over the image being sent out to install at the workstation, you can just change the unattend.txt each time before an install (so you can make a mental note of the password or write it down somewhere).


Actually, this is what I'm doing. But I want it fully automatic.

What I'm planning to do, is to keep the same password on my RIS image, and at the RunOnceEx command, to change it, and dump it on my network (a secure place) to retrieve it.

All I need is some apps that will generate a password and will dump it on my network...


Hey there - not sure if this is helpful, but what I've done is use a vbscript to do the following:

Set a static multiplication factor

Get the current time

Add the hours, minutes, day month year etc. whatever you want

Generate a random number

Multiply the factor by the total time value and add to the end of the random number

Set the password to this value

Then on the CTRL-ALT-DEL page, I change the heading using this key

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LogonPrompt

to various bits of information, including the time and random number disguised. Further to this, I've created a tool that our helpdesk can use to supply a "one-time" admin password by asking the end user for the info on the C-A-D screen. I've already hardcoded the multiplication factor into the tool, and it basically decrypts these values and provides a usable one time password. This way, no-one knows what the passwords are at any given time without this utility.

It's kind of a basic Challenge/Response system, but the ideas behind it might be what you're looking for.

Cheers, Dan


Further to this, you could hide the multiplication value somewhere in the registry, and before you reboot, or sysprep (or whatever), use another vbscript to read the multiplication value, plus the additional bits of info you've set in the registry - decrypt the password, and set the autologon information.

Again, this will only work once (that's assuming that you run the vbscript to randomise the password on EVERY boot as I do).

Hope this helps!

Dan


@jfmartel

Take a look:

SET adminpwd=%random%%date%%time%text
net user Administrator %adminpwd%
echo This is the admin password set for the PC - %logonserver%,%computername% >> \\DOMAIN\SERVER\sharename\pwdlog.txt
echo %adminpwd% >> \\DOMAIN\SERVER\sharename\pwdlog.txt

Only problem here is the clear-text dump of password.

I suppose this batch-file is quite self-explanatory. If run in local machine context, it will do what you are asking above. If you need more details, just ask. :)

As for

2) Once Windows has finished installing, on first logon, be able to log on as "local administrator"

This can be done by a winnt.sif setting that lets the local admin log on X number of times automatically at bootup (set it to just once).

Hoping this helps....


As for

QUOTE 

2) Once Windows has finished installing, on first logon, be able to log on as "local administrator"

This can be done by a winnt.sif setting that lets the local admin log on X number of times automatically at bootup (set it to just once).

Prathapml - unfortunately if the password is randomised during the CMDLines.TXT phase, then the autologon won't work.

If anyone's interested, I've written a small exe (xAuto.Exe) which will give an additional autologon each time it's run, in a random password environment - provided that the random password is also passed to the exe at the same time that it's changed. It also works in Novell environments (using Novell Client), and if a machine name is being changed during the same reboot. Usage would be as follows:

Set Password=%RANDOM%

Net User Administrator %PASSWORD%

xAuto %PASSWORD%

If you've just changed the machine name (which will become active during the next reboot) you use

xAuto %PASSWORD% /Asset:%NEWNAME%

When you're finished autologging on as many times as you want, you just run xAuto /DEL to clear up some Novell keys (specifically autoticking Workstation Only logon).

Hope someone can find some use for it.

Dan
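
Both batch snippets in this thread build the password from %RANDOM%, which cmd.exe draws from 0 to 32767, and the first one appends it to the share in clear text. The following is an added example, not code from any poster: it draws the password from the system CSPRNG and escrows it encrypted to a certificate. It assumes Windows PowerShell 5.1, a hypothetical public certificate file `C:\Install\pwd-escrow.cer` carrying the Document Encryption EKU, and the share path from the batch file above.

```powershell
# Added example, not from the thread. Assumed names: $EscrowCert is a hypothetical
# public certificate (Document Encryption EKU); its private key never touches the
# workstation. $EscrowLog reuses the share path from the batch file above.
$ErrorActionPreference = 'Stop'
$EscrowCert = 'C:\Install\pwd-escrow.cer'
$EscrowLog  = '\\DOMAIN\SERVER\sharename\pwdlog.txt'

function New-RandomPassword {
    param([int]$Length = 20)
    # Look-alike characters (I, O, l, o, 0, 1) are left out for reading aloud.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789!#%+-_=?'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $byte  = New-Object byte[] 1
    $limit = 256 - (256 % $alphabet.Length)   # bytes at or above this would bias the modulo
    $sb    = New-Object System.Text.StringBuilder
    try {
        while ($sb.Length -lt $Length) {
            $rng.GetBytes($byte)
            if ($byte[0] -lt $limit) {
                [void]$sb.Append($alphabet[$byte[0] % $alphabet.Length])
            }
        }
    } finally { $rng.Dispose() }
    $sb.ToString()
}

function Test-PasswordComplexity {
    param([string]$Password)
    # Windows complexity policy wants at least three character classes.
    $classes = 0
    foreach ($rx in '[A-Z]', '[a-z]', '[0-9]', '[^A-Za-z0-9]') {
        if ($Password -cmatch $rx) { $classes++ }
    }
    $classes -ge 3
}

do { $plain = New-RandomPassword } until (Test-PasswordComplexity $plain)

# Encrypt on the workstation; only the private-key holder can read the record.
$record = '{0},{1},{2}' -f $env:COMPUTERNAME, (Get-Date -Format s), $plain
$cms    = Protect-CmsMessage -To $EscrowCert -Content $record

# Escrow first, change second: a failed write must not leave an unknown password.
Add-Content -Path $EscrowLog -Value $cms
Set-LocalUser -Name 'Administrator' -Password (ConvertTo-SecureString $plain -AsPlainText -Force)
Remove-Variable plain, record
```

Each escrowed block is decrypted with `Unprotect-CmsMessage` on a machine that holds the certificate's private key.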
