Doing things as users


As the administrator I get asked if I can set the away message for someone that is on vacation. We have 2 admins and the other guy memorizes most of the passwords. My memory sucks and he doesn't know all of them. I am in the midst of re-devising (I seem to recall someone else mentioning it) a method to do these things (setting away message, logging on as them, ...) without knowing their password.

Well, as any admin knows, you could just set the password and log in as them and that's that. But then they will need to reset their password and/or you will need to tell them the new password.

I have a different way. I suspect that the password is stored as a hash (or I remember someone telling me it is) in a registry somewhere. I'm guessing, since the sysvol is the part of Active Directory, that one of the files in there contains this password hash, and I'm betting it can be modified with a tool like the one I use in Linux to set a computer's password, called chntpw (it exists for Windows as well; you don't need Linux to use this). Anyways, with this tool I should be able to save the current password hash. Then I can use the regular Windows tools to change the password, and do what I need to as that user. Then when I am done I should be able to use the chntpw tool again to reset the old hash back. I haven't tried this yet and I would try it on a test domain that I can set up on a VMware network, but I was wondering if there wasn't something out there like this already?

I think it sounds like an interesting experiment. It will take me a few months maybe years before I have the time to experiment with it. But if someone else needs an idea I present mine ;-)

It would be nice to have an "su" in windows.



I have a better idea...

Train the users to remember to set their own away messages before they leave. :)

We have a policy that we WILL NOT (and actually in our environment, legally can not) do this for a user.

It would be nice to live in a perfect world, but remember we do not. Anyways, I think I thought of a simpler solution: copy the old files, change the password, and copy the files back. Just make sure you do it when no one else is changing their password.

Relying on others is a good way to gain trust but sometimes you need a backup plan.


Oh, also to mention better security policies. Files of importance should be encrypted using passwords that are kept in safes. And important email should use something like PGP. Remember, otherwise your message is sent clear text across the internet. Anyone that really wants to read your message is going to be able to somehow, some way. Hackers will stop at nothing if they really want something. Maybe you should revisit your security policies and update them. Illegal doesn't stop a criminal, only someone that wishes not to break the law. Locks are to keep an honest man honest. A more devious way would be to use John the Ripper and/or other cracking software, but that blows away my premise: I don't want to know or ever know the users' password.


They're not my policies. I work for the US Air Force. :)

Doing anything as another user is illegal. It's also unethical. Not to mention that it's about to become largely impossible since we are moving to SmartCard logon...no more passwords. You have to physically have the SmartCard and their PIN to log on as that user.

The fact that you and your coworker have your users' passwords, memorized no less, is completely wrong. You're an admin...why do you need their password(s)? I assume that you're running Exchange for the email. Why can't you just use Exchange Admin to set the OOA for a given mailbox? For that matter...they can set it themselves if you have OWA running.

Remember the SmartCards I mentioned? No need for PGP with those either...digital signature and encrypted email using a certificate on the card.


I wish I could offer more suggestions, but the only thing I have to say is look into scripting; lots of common admin tasks can be scripted and run under the user you want instead of your account or an administrator account.

But seriously, knowing anyone's password is not recommended. Something bad happens, things get sticky because it could have been anyone who knew said password. And if you get into things like HIPAA and government policies it's impossible to rely on a system built around knowing a user's passwords.


Do not rely on authentication to protect your data. Authentication is moot. Seems the government needs a major introduction to security. Unless you encrypt files, any admin can obtain ownership of that file and do what they please with it. This is not a question of ethics. Duh, it is wrong, but can it be done? Yes. Using ethics and laws to protect is trusting in something that is bound to fail. Too many things go unnoticed. Sorry, my data is more important to me. I think someone needs to update HIPAA. I'm pretty sure I remember them requiring you to send encrypted email in HIPAA, and I remember parts of it. I've dealt with it with a few clients. If they use the smart card to establish encryption of files it becomes better. But you need an admin+supervisor way to retrieve important data if the user dies and the card is lost or destroyed. Again, relying on the card never being destroyed is placing trust that Murphy will not cross the line drawn in the sand.


Why can't you just use Exchange Admin to set the OOA for a given mailbox? For that matter...they can set it themselves if you have OWA running.

Remember the SmartCards I mentioned? No need for PGP with those either...digital signature and encrypted email using a certificate on the card.

I don't see the option in the Exchange System Manager; if someone knows where it is I'd be glad to know. I use OWA; if I were away I'd use it, but others don't want to even think about work when they are away. If I can find the first option that would solve 80% of the issues. Scripting could probably solve the rest. But some stupid apps need to be done as the user, and time is wasted when the user is away and the app needs things done to it.

And about the encrypted email: what library do they use to encrypt the email? I don't trust all forms of encryption; some are too easily breakable and/or not recoverable.

Encryption is only good if the intended audience can get access to the data. I don't know about you, but I deal with multiple platforms (and MS stuff breaks too many times and I need another method of recovery), and if the security method is unknown or undocumented then there is no reason to trust it. As long as you can plug the right keys in you should be able to decrypt the data. Makes me curious if you ever thought about a block-level copy of your security key. Do they keep a copy when they issue you one? Who is trusted with issuing them? This is the same as trusting admins with passwords. I see no difference conceptually. If it is just a smartcard it is a simple hard drive.

Anyways, does it also automatically encrypt files? That would be nice; you could set up scripts to do so.

Microsoft seems to be getting better at program design, but that doesn't make all the other companies that write apps any better. And open methods such as SSL and PGP have gone through much scrutiny and are tested with math and reasoning in their design. I'd never trust a method that relies on obscurity.


In your environment you have absolutely NO accountability. A user can just say "Well the admins know my password, they must've done it" and there's nothing you can say to refute that.

Encryption is something to use on top of a properly secured network.


Other info about keys: PuTTY and WinSCP can use Pageant to allow authentication via key. A key should always have a password, and fingerprints are not good. When you touch anything you leave one, eek. MS fingerprint readers can be fooled with, I think it was, a Jelly Belly with the carved-in fingerprint taken from elsewhere on the computer.

mmmm jelly bellys :-P


In your environment you have absolutely NO accountability. A user can just say "Well the admins know my password, they must've done it" and there's nothing you can say to refute that.

Encryption is something to use on top of a properly secured network.

I don't know passwords; my coworker does. That is why I started this thread: because I do not. All important programs have their own passwords that differ from the user account password. There is plenty of accountability.

Backups are accountable, and locked off-site, encrypted and locked up by a separate company.

Maybe I didn't make myself clear about my questions: what happens when someone dies or is fired at your company? What procedures are in place to retrieve that person's work?

What happens when the security disk gets destroyed? How do you get the info back?

Do you not? If not, then you're worse off than me.

We have 2 people that know important passwords, and it's not us system admins; we are in charge of keeping the files intact so that their encryption techniques work.

They use proprietary encryption, which I recommend against because I don't like being locked into vendors. But they work. They also have the passwords stored in a vault.

And we have procedures in place in case of any accident. Not knowing what to do when something goes wrong would totally suck. But I guess that is what keeps me in business. We get called for many such incidents. I have capabilities of recovering most stuff, but some encrypted stuff is next to impossible to get back if you don't have any way of retrieving the password (and highly costly in time; sometimes supercomputers working many years trying to crack it, very costly. I've never done this, just read about it; I'd turn down a customer because I don't have the resources). There are always options; sometimes the options are too costly to use. Many companies go out of business because of poorly implemented security policies.


Yes, my business's policies are very liberal. I would like to raise the level of security. We have too many users that have network admin accounts because of programs needing too many permissions. There are too many programs that are poorly designed that my sales people use; I can only suggest against it. What can one person do against so many that have such a lack of security?


There are too many programs that are poorly designed that my sales people use; I can only suggest against it. What can one person do against so many that have such a lack of security?

This would be a good business justification for terminal servers running Citrix, publishing said applications - the apps run as admins on the server, but the user can only interact with the redirected application running on their (non-admin, low-rights-user) machine, and can theoretically not screw up their machine or the TS they have high rights to (because they can only run the app on their workstation, and cannot actually log into the TS to get a full desktop). Just a thought :).


Also, you didn't follow up on how to use Exchange Admin to set the out of office?

From the other thread you have going:

Admittedly I'm not an Exchange Server Admin...

In other words, it may not even be possible. Again, my suggestion would be that either they set it before they leave, set it through OWA or not have it set at all.

Yes, my business's policies are very liberal. I would like to raise the level of security. We have too many users that have network admin accounts because of programs needing too many permissions. There are too many programs that are poorly designed that my sales people use; I can only suggest against it. What can one person do against so many that have such a lack of security?

For starters, the application probably doesn't "require" admin privs to work properly. With a little work you can find the areas of the system that the application needs access to. Then give 'Users' the minimum level of access required for the application to work. There are an astonishing number of applications that claim to require admin privs to work when they simply need write access into a directory that 'Users' only have read access to by default. This is the application developer's fault, not Windows. Most times the access is only required for temp files (which should've been coded to write to %TEMP%) or for configuration files (which should've gone to %APPDATA%). We've had to do this with several of our applications. The Administrators group on all of our workstations is locked down through a GPO.

What can one person do? Make yourself known. The security of the network is your job. If there's a security related incident, who do they come to or point fingers at? You. Take some time with those applications. Run FileMon, RegMon or just full on Process Mon. Use those utilities to find out where the application requires privileges. Make a few changes on a test workstation and then try running the application in the 'User' context instead of 'Admin' context. When you get it right, make a GPO that enforces the security permissions for the locations the application needs (that way you don't have to go to each workstation to make the change).

Yes, it takes some extra work but you'll have a more secure environment. The users will initially be mad but they'll get used to it. And I guarantee that any problems you're having with them installing unauthorized applications (WebShots anyone?) will stop. :)
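As an added example (not from this thread or any poster), here is the least-privilege fix described above written out in PowerShell: once Process Monitor has shown the one directory the application fails to write to, grant BUILTIN\Users Modify on that directory only, instead of adding the user to Administrators. $AppDir is a placeholder path and Get-UsersWriteAccess / Grant-UsersModify are hypothetical helper names.

```powershell
# Added example, not from the thread. $AppDir is a placeholder: replace it with
# the directory Process Monitor showed ACCESS DENIED on for the application.
$AppDir = 'C:\Program Files\ExampleApp\Data'   # placeholder path

function Get-UsersWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    # Return only the Allow ACEs that already give BUILTIN\Users some write right
    $acl.Access | Where-Object {
        $_.IdentityReference -eq 'BUILTIN\Users' -and
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band [System.Security.AccessControl.FileSystemRights]::Write)
    }
}

function Grant-UsersModify {
    param([string]$Path)
    if (Get-UsersWriteAccess -Path $Path) {
        Write-Host "BUILTIN\Users already have write access to $Path; nothing to do"
        return
    }
    $acl = Get-Acl -Path $Path
    # Modify (not FullControl) on this folder, its subfolders and files, so the
    # app can write its temp/config files here without touching the rest of
    # Program Files or the user's group membership.
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Users',
        [System.Security.AccessControl.FileSystemRights]::Modify,
        [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
        [System.Security.AccessControl.PropagationFlags]::None,
        [System.Security.AccessControl.AccessControlType]::Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
    Write-Host "Granted Modify to BUILTIN\Users on $Path"
}

# Apply on a test workstation first, then re-test the app as a plain 'User'
Grant-UsersModify -Path $AppDir
Get-UsersWriteAccess -Path $AppDir |
    Format-Table IdentityReference, FileSystemRights, InheritanceFlags
```

Once the narrowed permission is confirmed to work, the same ACE can be enforced fleet-wide from a GPO under Computer Configuration > Windows Settings > Security Settings > File System rather than by visiting each workstation.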
