Tales from the Crypto

         Alun Jones (Security MVP Reconnect) writes about security, cryptography, SSL, PKI, and pretty much anything else that bothers him enough.

November 3, 2006

Changing passwords on a service, part 2

Filed under: General Security @ 9:11 am

In a comment to my earlier article, Scotty (a friend of mine from the mother country) asks:

Have you looked at passgen.exe from Jesper and Steve's book which would let you set a different password per machine (great for machines in different pools of risk) as well as making sure it was complex. Good tool.

Curiously enough, that's more or less the same question that Jesper asked me when he called while I was working through this problem.

Jesper's a good friend, and I'd hate to tell him that I loaned his book out to a colleague shortly after I bought it, and that I had completely forgotten about the passgen utility. Fortunately, I didn't have to, because as it turns out, there are a few things passgen doesn't do that I need, and perhaps a few that it does that I don't need.

  1. The passwords in question are for a service that runs on multiple disparate machines, but all using the same domain account. They can't be random: they must be the same across all those machines (okay, so I don't have to use the -g option).
  2. Because these services access network resources using NTLM, which authenticates with a hash of the password held in the logon session the service was started with, the services must be restarted after the password is changed; until they are, the running service keeps presenting the old hash and its network access fails. Stopping and starting them in sequence across a hundred servers would be far less efficient than doing so in parallel (but could be reasonably done).

But we're starting to get into a long batch file, and generally those are not so easy to debug. It's time to head to script.

Because I'm scripting, rather than using the command line or a batch file, I can afford to add a couple of behaviours, too:

  • Log errors to a file, or to screen, depending on whether you choose to redirect.
  • Automatically enumerate all services that use an account on each named server.
  • Prompt for the password without echoing it.
  • Wait for all services to stop before re-starting them (to avoid dependency issues).
  • Learn how to use WMI in script.

[That last point – learning how to do something you've never done before – is a powerful reason in itself to do something yourself even when there's a tool already available. Otherwise, use the tools that others provide, wherever possible.]

The attached script, svcpwchange.vbs, is what I have produced after a week's playing around. Let me know what you think.

As with the caveats in Jesper's passgen tool, the stop and restart won't work properly for services that run in a shared process (several services hosted in one process, such as svchost.exe): stopping and restarting one service does not restart the host process, so it keeps its old logon session. The tool also won't restart services that are dependent on the service whose password you are changing, unless they use the same account and password. One other thing that passgen does that my script doesn't is actually change the password on the account itself; you'll need to do that before you run this script! [Exercise for the reader: add the code to set the password.]
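The procedure the post describes (enumerate the services on each server that log on as the account, prompt for the password without echo, store it on each service, stop them all in parallel, wait for every one to stop, then restart them) as an added PowerShell example. This is my code, not the post's svcpwchange.vbs, and it assumes Windows PowerShell 5.x with WMI reachable on each server under an administrative account, and that the account's password in Active Directory has already been changed, as the post requires. The server names and the account name are constructed placeholders.

```powershell
<#
  Added example, not the post's svcpwchange.vbs. For each named server it enumerates
  every service that logs on as $Account, stores the new password on each, stops them
  all in parallel, waits until every one reports Stopped, then starts them again.
  Assumptions (mine, not the post's): Windows PowerShell 5.x, WMI (Get-WmiObject)
  reachable on each server with admin rights, and the account's AD password already
  changed beforehand, which this script does not do. Server and account names below
  are constructed placeholders.
  Usage: .\Set-ServicePassword.ps1 -Servers SRV01,SRV02 -Account 'CONTOSO\svc_app' 2> errors.log
#>
param(
    [string[]] $Servers        = @('SRV01', 'SRV02'),   # constructed placeholders
    [string]   $Account        = 'CONTOSO\svc_app',     # constructed placeholder
    [int]      $TimeoutSeconds = 120
)

# 1. Prompt without echo; unwrap the SecureString only for the WMI call.
$secure = Read-Host -Prompt "New password for $Account" -AsSecureString
$bstr   = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
try     { $plain = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

# 2. Enumerate the services on each server that log on as the account.
#    StartName is stored as DOMAIN\user or user@domain depending on how it was set.
$sam = $Account.Split('\')[-1]
$targets = @(foreach ($server in $Servers) {
    try {
        Get-WmiObject -Class Win32_Service -ComputerName $server -ErrorAction Stop |
            Where-Object { $_.StartName -and ($_.StartName -eq $Account -or $_.StartName -like "$sam@*") }
    } catch {
        # Write-Error uses the error stream, so "2> file" logs it and otherwise it shows on screen.
        Write-Error "${server}: cannot enumerate services: $($_.Exception.Message)"
    }
})
if ($targets.Count -eq 0) { Write-Warning "No services running as $Account found"; return }

# 3. Store the new password. Win32_Service.Change(DisplayName, PathName, ServiceType,
#    ErrorControl, StartMode, DesktopInteract, StartName, StartPassword, ...) leaves
#    every $null field unchanged, so only StartPassword is rewritten.
$changed = @(foreach ($svc in $targets) {
    if ($svc.ServiceType -eq 'Share Process') {
        Write-Warning "$($svc.SystemName)\$($svc.Name) runs in a shared process; restarting this one service does not restart the host process"
    }
    $r = $svc.Change($null, $null, $null, $null, $null, $null, $null, $plain)
    if ($r.ReturnValue -eq 0) { $svc }
    else { Write-Error "$($svc.SystemName)\$($svc.Name): Change() returned $($r.ReturnValue)" }
})
$plain = $null   # a .NET string cannot be zeroed; at least drop the reference now

# 4. Stop every service that was running (StopService is asynchronous, so this is parallel),
#    then poll until all of them report Stopped before starting any. StopService returns 3
#    while dependents are still running; re-issuing it each pass lets a target that depends
#    on another target stop once that one has gone down.
$wasRunning = @($changed | Where-Object { $_.State -eq 'Running' })
$pending    = $wasRunning
$deadline   = (Get-Date).AddSeconds($TimeoutSeconds)
while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
    foreach ($svc in $pending) {
        if ($svc.State -eq 'Running') { [void]$svc.StopService() }
    }
    Start-Sleep -Seconds 2
    foreach ($svc in $pending) { $svc.Get() }          # refresh State from WMI
    $pending = @($pending | Where-Object { $_.State -ne 'Stopped' })
}
$stuck = @($pending | ForEach-Object { $_.__PATH })
foreach ($svc in $pending) {
    Write-Error "$($svc.SystemName)\$($svc.Name): still $($svc.State) after ${TimeoutSeconds}s; not restarted"
}

# 5. Start the services that were running and have fully stopped. The SCM starts the
#    dependencies a service lists itself, so start order does not matter here.
foreach ($svc in $wasRunning) {
    if ($stuck -contains $svc.__PATH) { continue }
    $r = $svc.StartService()
    if ($r.ReturnValue -ne 0) {
        Write-Error "$($svc.SystemName)\$($svc.Name): StartService() returned $($r.ReturnValue)"
    }
}
```

Errors go to the error stream, so running with `2> errors.log` gives a log file and running without it prints them to the console. Unlike the post's script, a service whose dependents (running under some other account) never stop is left alone and reported after the timeout rather than having its dependents stopped for it; and the password stored on each service is only as good as the account change made beforehand, which this script deliberately does not attempt.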


  1.   Scotty — November 3, 2006 @ 1:01 pm    Reply

    Opens, copies, starts PrimalScript and pastes. >400 lines; returns to making pizza and to a quieter point in the day when the two-year-old has been fed. Looks interesting from a quick once-over.

  2.   Scottty — November 8, 2006 @ 9:07 am    Reply

    Seems to work fine in some testing I did on a test domain but then I expected it to work.

    Only code comment I would make is that I am not sure all the error trapping is catching all the errors it may be intended to.

    Generally I would have headed toward an Express version of Visual Studio for VB.NET or C# due to the far better error trapping and better dev environment and the free price cannot be argued either.

    Don’t get me wrong, I think VBScript has been a very useful tool, and JavaScript is just too painful for most ‘basic’ programmers to get to grips with. But error trapping is plain awful in VB or VBScript.

    In future PowerShell will I think be the automatic format for any script like this because of the power and reach it will have as well as industry support (wait for the launch event for some good surprises).

  3.   alunj — November 8, 2006 @ 9:53 am    Reply

    Funny you should mention that it would be better written in C++, C# or even VB.NET… I plan to do just that when I get a little time.
