Tales from the Crypto

Alun Jones (Security MVP Reconnect) writes about security, cryptography, SSL, PKI, and pretty much anything else that bothers him enough.

October 29, 2006

Changing passwords on a service

Filed under: General Security @ 12:00 am

At work, I'm faced with an interesting task – we're trying to limit the number of people that know high-powered passwords.

[This is an ongoing goal – and we already have many processes in place that achieve this. You'll hear more about this in future.]

The latest investigation into reducing password knowledge centres around service accounts – particularly, one service account that is widespread, and has local administrative access. Not an account we want to have available to everyone, not even to everyone who manages the service!

The goal is, as with other high-powered accounts, to lock the password away, and only reveal it when it's needed to troubleshoot something. Of course, being a password, once you've revealed it to someone, you can't unreveal it.

So you have to change it. Once in the security database, and once on every service instance, so that the service can continue to log on.

But there are hundreds of instances of this service, so the administrators were baulking at the idea of having to enter the password in hundreds of locations.

I didn't like the idea either, but my suggestion was better than that of "set the password once on installation, and hope that nobody abuses their knowledge of the password". It had to be, because we don't allow that around here.

I'll be exploring what I did over the next few days, but here's my start, which may be adequate for many purposes:

C:\> for /f %a in (servers.txt) do sc \\%a config "service-name" password= "new-password"
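
The same rollout as a PowerShell script, added here as an example and not the author's code: it prompts for the password instead of taking it on the typed command line, and records which servers failed so that none is silently left with the old password. The parameter defaults and the failure-log file name are placeholders.

```powershell
# Added example: roll one service account password out to every host in servers.txt.
# The service name and file names below are placeholders, not values from the post.
param(
    [string]$ServerList  = 'servers.txt',
    [string]$ServiceName = 'service-name',
    [string]$FailureLog  = 'password-change-failures.csv'
)

# Prompt for the password so it is never typed into console history or saved in a script.
$secure = Read-Host -Prompt "New password for $ServiceName" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try {
    $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)

    $results = foreach ($server in Get-Content -Path $ServerList) {
        $server = $server.Trim()
        if (-not $server) { continue }      # skip blank lines

        # Same call as the one-liner; sc.exe requires the space after "password=".
        $output = & sc.exe "\\$server" config $ServiceName password= $plain 2>&1
        [pscustomobject]@{
            Server   = $server
            ExitCode = $LASTEXITCODE        # 0 means the service configuration was updated
            Message  = ($output | Out-String).Trim()
        }
    }
}
finally {
    # Zero and free the unmanaged copy of the password.
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $plain = $null
}

# Any server listed here still holds the old password for the service.
$failed = @($results | Where-Object { $_.ExitCode -ne 0 })
"{0} updated, {1} failed" -f (@($results).Count - $failed.Count), $failed.Count
if ($failed.Count -gt 0) {
    $failed | Export-Csv -Path $FailureLog -NoTypeInformation
    $failed | Format-Table -AutoSize
}
```

The password is still passed to each sc.exe process as a command-line argument on the machine running the script, so it is visible to process command-line auditing there.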

1 Comment

  1.   Scotty — November 3, 2006 @ 8:46 am

    Have you looked at passgen.exe from Jesper and Steve's book, which would let you set a different password per machine (great for machines in different pools of risk) as well as making sure it was complex? Good tool.
