Can BigFix identify if local "Administrator" account has no password set?

Hello,

I was wondering if we can use BigFix to identify through a query, analysis if the Local Administrator account has no set password.

Some computers of our environment are “suffering” with this problem, so we want to use it to see if bigfix can query these computers and know if the password is null, void or not set at all.

Do any of you know if BigFix has this capability?

You can use the “user” inspector (presuming you mean for Windows OS). Bear in mind the local admin account can be renamed, which is actually good practice from the security perspective, and a new local account created with “Administrator” as the name, so check only the built-in account, which always has a SID that ends in “-500”.

Q: (sid of it, no password required flag of it, account disabled flag of it) of users of sids whose (component string of it ends with "-500") of local users
A: TestWks1\Administrator, False, False

In the debugger you can introspect the various properties that may be of interest

Q: properties of type "user"
A: logged on user of <user>: logged on user
A: sid of <user>: security identifier
A: name of <user>: string
A: active directory user of <user>: active directory local user
A: password age of <user>: time interval
A: guest privilege of <user>: boolean
A: user privilege of <user>: boolean
A: admin privilege of <user>: boolean
A: home directory of <user>: string
A: home directory folder of <user>: folder
A: comment of <user>: string
A: script flag of <user>: boolean
A: account disabled flag of <user>: boolean
A: home directory required flag of <user>: boolean
A: no password required flag of <user>: boolean
A: password change disabled flag of <user>: boolean
A: locked out flag of <user>: boolean
A: password expiration disabled flag of <user>: boolean
A: normal account flag of <user>: boolean
A: temporary duplicate account flag of <user>: boolean
A: workstation trust account flag of <user>: boolean
A: server trust account flag of <user>: boolean
A: interdomain trust account flag of <user>: boolean
A: logon script of <user>: string
A: print operator flag of <user>: boolean
A: communications operator flag of <user>: boolean
A: server operator flag of <user>: boolean
A: accounts operator flag of <user>: boolean
A: full name of <user>: string
A: user comment of <user>: string
A: application parameter string of <user>: string
A: allowed workstations string of <user>: string
A: last logon of <user>: time
A: last logoff of <user>: time
A: account expiration of <user>: time
A: maximum storage of <user>: integer
A: bad password count of <user>: integer
A: logon count of <user>: integer
A: logon server of <user>: string
A: country code of <user>: integer
A: code page of <user>: integer
A: id of <user>: integer
A: user id of <user>: integer
A: primary group id of <user>: integer
A: profile folder of <user>: string
A: home directory drive of <user>: string
A: password expired of <user>: boolean
A: domain of <user>: string
A: winrt packages of <user>: winrt package
T: 0.406 ms
I: plural property
2 Likes

Well, this query does return something, but I’m not sure as to what exactly it is returning, for example: I tested on my computer and apparently it seems to work.
Then I made it into an analysis to check all of our servers, then one of our services returned the following result:

q: (sid of it, no password required flag of it, account disabled flag of it) of users of sids whose (component string of it ends with "-500") of local users
A: HOSTNAME\Administrador, True, False

which I understood as “that computer doesn’t have any password set”, and somehow it was true, I went there, and the password was expired. I changed the password, went to lunch and when I returned it was giving me the same result. I set the analysis for now to evaluate every report, so I guess it should be returning “false” by now.

In addition to that, I failed to create a relevance to an analysis that will return visual results, such as if password required flag of it = true then “Password is not set” else “Password set” and so on.

Indeed, it is close to what we need, but I am struggling to know if the property is retrieving what I thought it would.

The “Password Not Required” flag is described a bit at https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/useraccountcontrol-manipulate-account-properties

In short, the “PASSWD_NOTREQD” flag means the account is not required to have a password. This is displayed in the ‘Password Required’ field of the ‘NET USER administrator’ output as well:

C:\>net user administrator
User name                    Administrator
Full Name
Comment                      Built-in account for administering the computer/domain
User's comment
Country/region code          000 (System Default)
Account active               No
Account expires              Never

Password last set            1/23/2024 10:42:10 AM
Password expires             Never
Password changeable          1/24/2024 10:42:10 AM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   12/10/2023 9:03:47 PM

Logon hours allowed          All

Local Group Memberships      *Administrators
Global Group memberships     *None
The command completed successfully.

That doesn’t mean that the account’s password is empty, but that it’s possible for the account’s password to be empty.
As far as I know, there is not a native Windows API that allows displaying whether a password is actually set on the account. If you locate a PowerShell or some other script to check, we can help you with how to execute that in BigFix and retrieve the results, but I don’t think we have a native inspector for it.

I was thinking of creating a task that will run an action script or PowerShell and then try to authenticate in the computer using the built-in admin account with a null password, and if it successfully logs in, then it creates a txt file on a persistent drive with the name of the computer it successfully authenticated.

Would this work? Can BigFix do it through action script?

Do you have a script or command line in mind? The ‘runas’ command will not accept the password as a command-line input.

@JasonWalker I got it working with the following script in powershell:

# Compile a small P/Invoke wrapper for advapi32!LogonUser (plus CloseHandle to release the token).
# Guarded so that re-running the script in the same session does not fail on a duplicate type.
if (-not ([System.Management.Automation.PSTypeName]'Win32').Type) {
Add-Type @"
    using System;
    using System.Runtime.InteropServices;
    public class Win32 {
        [DllImport("advapi32.dll", SetLastError = true)]
        public static extern bool LogonUser(string lpszUsername, string lpszDomain, string lpszPassword, int dwLogonType, int dwLogonProvider, out IntPtr phToken);
        [DllImport("kernel32.dll", SetLastError = true)]
        public static extern bool CloseHandle(IntPtr hObject);
    }
"@
}

# Define the suffix of the SID for built-in administrator accounts (RID 500)
$adminSuffix = "-500"

# Get the list of local users
$localUsers = Get-WmiObject Win32_UserAccount | Where-Object {$_.LocalAccount -eq $true}

# Get the computer name
$computerName = $env:COMPUTERNAME

# Create a directory for storing output files if it doesn't exist
$outputDirectory = "\\BESLAB\Temp"
if (-not (Test-Path $outputDirectory)) {
    New-Item -Path $outputDirectory -ItemType Directory | Out-Null
}

# Create a file name based on the computer name
$outputFile = "$outputDirectory\$computerName.txt"

# Initialise before the loop so the final check is meaningful even when no RID-500 account is found
$loggedOn = $false

# Check each local user for built-in admin accounts
foreach ($user in $localUsers) {
    if ($user.SID.EndsWith($adminSuffix)) {
        $adminUsername = $user.Name
        Write-Host "Attempting login to $adminUsername (SID: $($user.SID))..."
        # Try to log on using the admin account with a blank password
        try {
            $password = ""   # empty string = blank password (the literal string "null" would test the password "null")
            $domain = $env:COMPUTERNAME
            $token = [IntPtr]::Zero
            # 2 = LOGON32_LOGON_INTERACTIVE, 0 = LOGON32_PROVIDER_DEFAULT
            $result = [Win32]::LogonUser($adminUsername, $domain, $password, 2, 0, [ref]$token)
            if ($result) {
                $loggedOn = $true
                [void][Win32]::CloseHandle($token)   # release the logon token, it is only needed as a yes/no
                Write-Host "Success: Password matches for $adminUsername"
            } else {
                throw "Failed: Password does not match for $adminUsername"
            }
        } catch {
            Write-Host $_.Exception.Message
        }
        # If successfully logged in, create a text file with the computer name
        if ($loggedOn) {
            Out-File -FilePath $outputFile -InputObject "Successfully logged in as $adminUsername (SID: $($user.SID))" -Encoding utf8
            break
        }
    }
}

# If no built-in admin account was found or unable to login
if (-not $loggedOn) {
    Write-Host "No built-in admin account found or unable to login."
}

Then it creates a file named after the HOSTNAME and writes that it successfully logged in; if not, it just displays a message.

I don’t know if I can actually reproduce it using action script.

1 Like
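Two points from the thread fit together: the `no password required flag` only says a blank password is permitted, and a LogonUser call is the only way to test whether one is actually in use. The script below is an added example, not code from any poster here, that makes that LogonUser test more informative by classifying the outcome on its documented Win32 error code instead of treating every failure as "password set". On a default Windows install the "Accounts: Limit local account use of blank passwords to console logon only" policy is enabled, so a genuinely blank local password typically comes back as error 1327 (ERROR_ACCOUNT_RESTRICTION) rather than a successful logon, and a script that only checks the boolean return would report such a host as safe. The function name `Test-BuiltinAdminBlankPassword` and the result path `C:\ProgramData\BlankAdminCheck\result.txt` are assumptions chosen for this example.

```powershell
# Added example (not from the thread): test the built-in Administrator (RID 500) for a
# blank password and classify the LogonUser result by Win32 error code.
# Function name and result path are assumptions for this example.

if (-not ([System.Management.Automation.PSTypeName]'Win32Logon').Type) {
Add-Type @"
using System;
using System.Runtime.InteropServices;
public class Win32Logon {
    [DllImport("advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool LogonUser(string user, string domain, string password,
                                        int logonType, int logonProvider, out IntPtr token);
    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr handle);
}
"@
}

function Test-BuiltinAdminBlankPassword {
    [CmdletBinding()]
    param()

    $LOGON32_LOGON_INTERACTIVE = 2
    $LOGON32_PROVIDER_DEFAULT  = 0

    # RID 500 identifies the built-in Administrator whatever it has been renamed to.
    $admin = Get-CimInstance Win32_UserAccount -Filter "LocalAccount=True" |
             Where-Object { $_.SID -like "*-500" } | Select-Object -First 1
    if (-not $admin) { return "NoRid500Account" }

    $token = [IntPtr]::Zero
    $ok  = [Win32Logon]::LogonUser($admin.Name, $env:COMPUTERNAME, "",
                                   $LOGON32_LOGON_INTERACTIVE, $LOGON32_PROVIDER_DEFAULT, [ref]$token)
    # Read the marshaled last-error immediately after the P/Invoke.
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    if ($ok) { [void][Win32Logon]::CloseHandle($token) }

    # Documented Win32 error codes, mapped onto what they mean for this question.
    if ($ok)              { return "Blank" }               # "" was accepted as the password
    elseif ($err -eq 1327) { return "BlankButRestricted" } # ERROR_ACCOUNT_RESTRICTION: blank password, but policy blocks non-console use
    elseif ($err -eq 1330) { return "BlankButExpired" }    # ERROR_PASSWORD_EXPIRED: "" was accepted, password must be changed
    elseif ($err -eq 1907) { return "BlankButMustChange" } # ERROR_PASSWORD_MUST_CHANGE: "" was accepted, change required at next logon
    elseif ($err -eq 1326) { return "PasswordSet" }        # ERROR_LOGON_FAILURE: "" is not the password
    elseif ($err -eq 1331) { return "AccountDisabled" }    # ERROR_ACCOUNT_DISABLED: returned before the password is checked, so blankness is unknown
    elseif ($err -eq 1909) { return "LockedOut" }          # ERROR_ACCOUNT_LOCKED_OUT: same, blankness unknown
    else                   { return "Unknown($err)" }
}

# Leave a one-line verdict on the endpoint for a BigFix analysis to read (path is an assumption).
$resultDir  = "C:\ProgramData\BlankAdminCheck"
$resultFile = Join-Path $resultDir "result.txt"
if (-not (Test-Path $resultDir)) { New-Item -Path $resultDir -ItemType Directory | Out-Null }
$verdict = Test-BuiltinAdminBlankPassword
Set-Content -Path $resultFile -Value $verdict -Encoding ascii
Write-Host "Built-in Administrator blank-password check: $verdict"
```

Run from a BigFix task as the agent's SYSTEM context; the script carries no credentials, it only tests the empty string. The verdict stays on the endpoint and an analysis property such as `if exists file "C:\ProgramData\BlankAdminCheck\result.txt" then line 1 of file "C:\ProgramData\BlankAdminCheck\result.txt" else "not run"` collects it, which avoids building a share full of file names that is itself a list of hosts with blank admin passwords. If the script is embedded in an action script `createfile until` block, every `{` in it must be written as `{{` so the agent does not treat it as relevance substitution.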