RE: Changing local admin PW using vb logon script - can it be encrypted?

I'd have to agree that putting plaintext passwords in a script is bad practice. 
Personally, I'd create a registry entry to hold the password, set the 
permissions on the registry entry where only the local account has read/write 
access and pull the password from the registry using the script... Granted, 
that doesn't scale very well if you're running the script from different 
machines? 

Dim WshShell, PassWord
Set WshShell = CreateObject("WSCript.Shell")
PassWord = WshShell.RegRead("HKLM\SOFTWARE\SPECIALAPPS\BackupPass")

If you really want to get carried away encrypt the password in the registry, 
but the code to decrypt must be added to the script. Three lines of code takes 
the password out of the script where it cannot be "casually" viewed.

Howard

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@hammerofgod.com] 
Sent: Sunday, December 04, 2005 02:43
To: Jim Harrison (ISA); Info; tth8@cornell.edu; focus-ms@securityfocus.com
Subject: Re: Changing local admin PW using vb logon script - can it be 
encrypted?

Yes, but decoding encoded scripts is trivial.  The fact that a vb/jscript 
can be encoded should not have any bearing whatsoever on ones decision to 
publish sensitive information in a logon script.

t

-----
"And yet, even if one person finds his way... that means
there is a Way.  Even if I personally fail to reach it."

Mr. Nobusuke Tagomi
Top Place, Ranking Imperial Trade Mission
Pacific States of America

----- Original Message ----- 
From: "Jim Harrison (ISA)" <Jim.Harrison@microsoft.com>
To: "Thor (Hammer of God)" <thor@hammerofgod.com>; "Info" <Info@hbdk.de>; 
<tth8@cornell.edu>; <focus-ms@securityfocus.com>
Sent: Saturday, December 03, 2005 11:26 PM
Subject: RE: Changing local admin PW using vb logon script - can it be 
encrypted?


True, but vb/jscripts can also be encoded.
While this is far from perfect, it'll keep Jo(sephin)e User from reading 
anything within.
Note that this is also the technique used by one of the first script worms 
"ILoveYou" to "obfuscate" itself.

Jim Harrison
Security Platform Group (ISA SE)
If We Can't Fix It - It Ain't Broke!

-----Original Message-----
From: Thor (Hammer of God) [mailto:thor@hammerofgod.com]
Sent: Thursday, December 01, 2005 2:02 PM
To: Info; tth8@cornell.edu; focus-ms@securityfocus.com
Subject: Re: Changing local admin PW using vb logon script - can it be 
encrypted?

One should also note that any login script in sysvol is, by default,
readable by all authenticated users.  All anyone has to do is browse to
\\domain.com\sysvol\domain.com\scripts and they can just open up the vbs
file.  Not a very good place to put "secret" information.

t

-----
"And yet, even if one person finds his way... that means
there is a Way.  Even if I personally fail to reach it."

Mr. Nobusuke Tagomi
Top Place, Ranking Imperial Trade Mission
Pacific States of America




----- Original Message ----- 
From: "Info" <Info@hbdk.de>
To: <tth8@cornell.edu>; <focus-ms@securityfocus.com>
Sent: Thursday, December 01, 2005 9:32 AM
Subject: AW: Changing local admin PW using vb logon script - can it be
encrypted?


Hi Tom,
3 possible options out of the mind:

- Use GPO setting for a default admin pwd => Hashed PW will be transmitted
by applying the pw (not really save, but better than
cleartext)
- Use SMB-Signing  for Client/Server requests/replies => secured
transmission of logon events (cleartext, but secured in a signed
transport layer)
- Use IPSec for network traffic => best solution ever for secure
transmission of IP-Traffic but most efforts for rollout & running
an enviroment

Hope it helped ;)

Andreas Habedank
----------------
HBDK.DE - IT-Security Management & Consulting - Ledersberg 3 - D-83727
Schliersee
Mile2.com CPTS Instructor / CEH / MCSE / RSA SecurID SE

-----Ursprüngliche Nachricht-----
Von: tth8@cornell.edu [mailto:tth8@cornell.edu]
Gesendet: Donnerstag, 1. Dezember 2005 18:03
An: focus-ms@securityfocus.com
Betreff: Changing local admin PW using vb logon script - can it be
encrypted?

Hi all,

Long time lurker, first time poster.  We have roughly 500 computers that
we'd like to change the local admin passwords on.  We
realize the security risks of having 1 password on all of our computers and
are willing to assume that risk.  We've developed a VB
script that we can implement as a logon script that works perfectly to
change the password.  We do not want this script sent along
as clear text if we can avoid it.  Is there any way we can encrypt this
script?

We've looked at options such as using Windows permissions to either deny
Domain Users access (preventing anyone from reading the
script) or allowing only Domain Computers Read Only access.however I think
that if you are logged into a local computer you should
be able to read the script.  Not to mention, if you could capture the
packets, you could easily find the script and its contents so
permissions would matter at all in that scenario.

Any help and/or insight is greatly appreciated.

Best,
.tom

---------------------------------------------------------------------------
---------------------------------------------------------------------------



---------------------------------------------------------------------------
---------------------------------------------------------------------------




---------------------------------------------------------------------------
---------------------------------------------------------------------------




---------------------------------------------------------------------------
---------------------------------------------------------------------------