Changing passwords on a service, part 2 – Tales from the Crypto

Changing passwords on a service, part 2

In a comment to my earlier article, Scotty (a friend of mine from the mother country) asks:

Have you looked at passgen.exe from Jesper and Steve's book which would let you set a different password per machine (great for machines in different pools of risk) as well as making sure it was complex. Good tool.

Curiously enough, that's more or less the same question that Jesper asked me when he called while I was working through this problem.

Jesper's a good friend, and I'd hate to tell him that I loaned his book out to a colleague shortly after I bought it, and that I had completely forgot about the passgen utility. Fortunately, I didn't have to, because as it turns out, there are a few things passgen doesn't do that I need, and perhaps a few that it does that I don't need.

  1. The passwords in question are for a service that runs on multiple disparate machines, but all using the same domain account. They can't be random, they must be the same across all those machines (okay, so I don't have to use the -g option).
  2. Because these services access network resources using NTLM – which uses a hash of the password to identify the account – the services must be restarted after the password is changed. Stopping and starting them in sequence across a hundred servers would be far less efficient than doing so in parallel (but could be reasonably done).

But we're starting to get into a long batch file, and generally those are not so easy to debug. It's time to head to script.

Because I'm scripting, rather than using the command line or a batch file, I can afford to add a couple of behaviours, too:

  • Log errors to a file, or to screen, depending on whether you choose to redirect.
  • Automatically enumerate all services that use an account on each named server.
  • Prompt for the password without echoing it.
  • Wait for all services to stop before re-starting them (to avoid dependency issues).
  • Learn how to use WMI in script.

[That last point – learning how to do something you've never done before – is a powerful reason in itself to do something yourself even when there's a tool already available. Otherwise, use the tools that others provide, wherever possible.]

The attached script, svcpwchange.vbs, is what I have produced after a week's playing around. Let me know what you think.

As with the advisories in Jesper's Passgen tool, the stop and restart won't work properly for services that run in a shared process. The tool also won't restart services that are dependent on the service whose password you are changing – unless they use the same password. One other thing that passgen does that my script doesn't, is to actually change the password on the account itself – you'll need to do that before you run this script! [Exercise for the reader – add the code to set the password.]

3 Responses to Changing passwords on a service, part 2

Leave a Reply

Your email address will not be published. Required fields are marked *