how insecure is this...

hellarda · 28 Mar 2012 at 19:26

Hi guys,

Just had a quick thought after seeing something...

Say a school of around 1200 people total (including staff/pupils) had an IT system consisting of around 800 computers all on an AD domain and managed in the school. Everyone would have their own logons with password policies etc. There would need to be a way to manage all the computers/servers.

Say that a user was setup lets use the example of the username 'master', that had local admin rights to all the standalone computers, using a basic password so that any config/installs that need doing can be done on the clients easily. thats all fine.

But then say this same 'master' user account with its basic password, also had network admin rights/access to all servers/full access to all data onshared drives/all storage on the network, would this be bad?/a bad set up to have?

just wondering....

TheJackal · 28 Mar 2012 at 19:30

Depends who knows that password and whether you are responsible for it.

Uhtred · 28 Mar 2012 at 21:26

what does 'basic' password mean exactly? Less than 8 characters?

martynbez · 28 Mar 2012 at 21:30

Worked in a school for a while and it only takes a kid looking over you shoulder and they know the password. Best to have a local admin login and a different admin one for servers.

mraerosmith1981 · 28 Mar 2012 at 21:47

A local admin login is fine , as long as its a complex PW and is rotated regular, but defo keep a different account for any server admin/access

Ev0 · 28 Mar 2012 at 21:49

It's not great as there's no accountability there, better off giving people who need to perform admin tasks a separate named admin account to use just for those tasks.

If that account does do something 'bad' on the network you can't easily determine who it was.

There is no need for a generic account in this instance imho, it's bad practice and just lazy.

If all machines are on the AD domain then just add a group to all the local admins groups on all the machines and then you stick people in and out of that AD group as needed.

As said there's nothing wrong with having a local admin account, as long as it's just that and doesn't have other perms and password is complex etc.

If it's a weak password then if someone know's what they are doing could easily be gotten, depending on the intelligence and rights of the users

tribz · 28 Mar 2012 at 22:20

hellarda said:
Say a school of around 1200 people total (including staff/pupils) had an IT system consisting of around 800 computers all on an AD domain and managed in the school.

Schools have 800 computers now? We just had a Commodore Pet!

hellarda · 28 Mar 2012 at 23:30

Yeh basic password talking less than 8 characters all lower case letters.

Well that's what I have always thought, using a local admin account with no network admin rights is fine but having the same account with said weak password for everything and not changing it for say over a year... Can't be good :confused:

And as martynbez said easy for someone with a little now how to be looking over the shoulder and they have access to everything on the school network... Or even worse, someone with not much now how who decides to fiddle with things...

olibb · 29 Mar 2012 at 09:08

We had a similar issue when I was in school. Some kid knew the admin password from looking over the IT guy's shoulder. Little blighter caused chaos!

HecFam · 29 Mar 2012 at 09:10

Unless you reset the password every month or whatever so that if Some kids do get hold of the password they won't have it for long.

Just try not to set it to "password" and expect no one to get into it.

TheFool · 29 Mar 2012 at 22:32

When I was in school a friend of mine got hold of the admin password and it wasnt changed for 5 years . . . a little stupid, they only changed it when it became general knowledge and someone screwed up a few of the computers.

The password was wizard

two00lbwaster · 1 Apr 2012 at 10:44

Not good policy, but some admins are lazy, or don't seem to care. Other than that they will have capitulated to non-technical people who wanted an easy to remember master account.

I laughed at the comments regarding complex passwords on local user accounts.

I have used the local account password reset CD on a couple of machines recently for local accounts for which I no longer had the passwords for. I just set them as a blank password and logged in. Also, you might not know that there is a local admin account on a machine, but once logged in with a password reset disk you'll know exactly what local accounts are on the machine.

The funny thing is that you can do this to AD domain controllers too if you have physical access to them and can reboot them at will.

J.B · 1 Apr 2012 at 17:48

two00lbwaster said:
Not good policy, but some admins are lazy, or don't seem to care. Other than that they will have capitulated to non-technical people who wanted an easy to remember master account.

I laughed at the comments regarding complex passwords on local user accounts.

I have used the local account password reset CD on a couple of machines recently for local accounts for which I no longer had the passwords for. I just set them as a blank password and logged in. Also, you might not know that there is a local admin account on a machine, but once logged in with a password reset disk you'll know exactly what local accounts are on the machine.

The funny thing is that you can do this to AD domain controllers too if you have physical access to them and can reboot them at will.

Well there are steps that help reduce the risk although there is no golden bullet. Password protect the BIOS and set to boot from HDD first (now stuck with a fixed BIOS pw in the same way as a local admin!) disable LanMan hashing, rename the local administrator account.

Its a tricky one but the best option is to just have separate accounts for different purposes. Also be sure to not cache AD logins (especially if you are using LM hash) so the admin creds aren't stored on the machine. This is a common trick we use when on site.

Oh and here is an anecdote about different roles. I found a .ISO file on an SMB share called boot.iso, I thought what the hell, probably UBCD or some recovery disc etc. Turned out to be their SCCM boot CD. Cool, boot up a VM and see what's on the default build, nothing interesting. Played around and discovered a little trick by disrupting the install process at a certain point sysprep doesn't complete the cleaning up process on first boot. Mounted the virtual hard drive and found sysprep.inf on the C drive. This contains an admin account that needs the privileges to add a machine to AD. This account was just a full on domain admin

we have a little joke at work that when you have domain admin you can clock off early

Ev0 · 1 Apr 2012 at 18:55

Cached creds was one thing I used to like going after as well, nice and easy

Makes me miss that work a little bit thinking of all the little things like that, aw well.

NDJ88 · 1 Apr 2012 at 19:13

When I was at college I used VB to write a fullscreen app that looked perfectly like the logon screen.

When you put in some credentials, a useless error message pops up, and the credentials are written to a text file.

I logged in as myself, launched the app, and went phishing! One call to the helpdesk, and I got a domain admin account (admin tried to 'login', failed, then rebooted).

My friends and I had great fun with that!

J.B · 1 Apr 2012 at 19:23

Ev0 said:
Makes me miss that work a little bit thinking of all the little things like that, aw well.

Just focus on all the negatives!

Im thinking it might be time to progress the career a little to be honest.

Ev0 · 1 Apr 2012 at 19:37

True, might not be as much fun but moving on can help the career no end, I start as an info sec manager/consultant at a rather large company in a few weeks

Had a bit of a whirlwind 12 months in the industry ending up there.

Must be plenty of opportunity in an organisation like yours, but I digress