Security Basics mailing list archives

RE: admin account password management


From: "Jeff Gercken" <JeffG () kizan com>
Date: Wed, 9 Feb 2005 20:33:58 -0500

1) Generate password list w/ pseudo-random generator. (I use apg
http://www.adel.nursat.kz/apg/)

wapg.exe -n 10000 -M SNCL > 10KrandPass.txt

2) Use cusrmgr.exe (Windows 2K resource kit) to change the passwords on
the machines remotely.  

Use a spreadsheet to map a password to each server.  Example in csv for
easy loading but in final replace commas with spaces

cusrmgr.exe -u administrator -m,"computer name",-P "pass"

Save the password - machine list in a secure place, like taped to your
monitor.

-jeff

-----Original Message-----
From: Lars Weste [mailto:lweste () gmx de] 
Sent: Monday, February 07, 2005 11:54 PM
To: security-basics () securityfocus com
Subject: admin account password management

Hi,  
   
 developing a password policy i'm wondering of which rules you have to
 secure admin level accounts on a bunch of client hosts and other
 hardware like switches or disk storages. more or less i came across
 three solutions:

 1. define classes of admin level accounts for devices and client hosts
    depending on their security. define a password for every class and
    use that password at any device in that class.
 2. define classes of admin level accounts for devices and client hosts
    and define one or more password generation rules depending on the
    classes of the account and generate different passwords for each
    device according to the rules at each class of device.
 3. define for any admin account at any device and client host an
    independent and strong password.

 just only looking at the passwords, point 3, independent ones seem
 most secure, but also most cumbersome to the administrator.

 so just wondering whether someone can share some practical experiences?

 regards  
 lars  
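
An added example, not part of either message in this thread: the reply's two steps (generate passwords, map one to each machine) as a single Python script, drawing from the operating system's CSPRNG via `secrets` and requiring every character class as `apg -M SNCL` does. The host names, the 16-character length and the symbol set are assumptions of this example; the `cusrmgr.exe` flags are the ones shown in the reply.

```python
import secrets
import string

# Assumed symbol set: avoids characters that need escaping inside a quoted
# cmd.exe argument (", %, ^, &, |, <, >) and a leading "-" that reads as a flag.
SYMBOLS = "!#$*+=?@_"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def generate_password(length=16):
    """Return a CSPRNG password containing every class (like apg -M SNCL)."""
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Rejection sampling keeps the choice uniform over valid passwords.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def assign_passwords(hosts, length=16):
    """Map each host to its own password; none is shared between hosts."""
    mapping, used = {}, set()
    for host in hosts:
        if host in mapping:
            raise ValueError(f"duplicate host in list: {host}")
        password = generate_password(length)
        while password in used:  # collision is negligible, but enforce it
            password = generate_password(length)
        used.add(password)
        mapping[host] = password
    return mapping


def cusrmgr_command(host, password, user="administrator"):
    """Build the command line from the reply, with spaces instead of commas."""
    return f'cusrmgr.exe -u {user} -m "{host}" -P "{password}"'


if __name__ == "__main__":
    # Constructed host names, for illustration only.
    for host, pw in assign_passwords(["SRV-FILE01", "SRV-SQL02"]).items():
        print(cusrmgr_command(host, pw))
```

The output contains every administrator password in clear text, so redirect it only to a location with access restricted to the administrators who need it.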
