Change Local User Password

I’m not sure if this is even possible, but I figured I would ask anyway:

At my organization, we use a “formula” for local admin passwords on the devices that I manage. I have a powershell script and fixlet that I have created to change the password based on that formula. Unfortunately, occasionally the passwords will get reset to the default password, either by the support desk (because they have forgotten the formula) or because the device is replaced.
What I would like to do is set up a policy to make sure that the password is always up to date to the latest formula. Typically this formula is: secret word+IP Address of device+A specific environment variable. The secret word changes on a quarterly basis, and would live in a text file on each device (converted to a secure string).
What I’m having trouble with is the relevance to determine when to run the fixlet. Was wondering if anyone had any ideas on how I could accomplish this, or if it is even possible.

Thanks

I think you’d just have to periodically re-run your task to set the password. We don’t have inspectors that would decrypt the administrator password to see if it’s what you expect…

Yeah, that’s what I figured. Is there even a way to read the administrator password? Even if it is encrypted? I was trying to find a different way to do it, and couldn’t come up with anything.

There are ways to do it, and even to decrypt it, that I used in a former life. But that’s all far outside of BigFix.

In any case, the encrypted passwords wouldn’t help you, the hashes would be unique on each system anyway.

What might be effective in your case is to set up a policy action to reapply your expected password (weekly, daily, etc.)

In any case, I just have to say that what you’re doing wouldn’t pass security muster any place I’ve worked, and suggest you look into something like LAPS (Local Administrator Password Solution) from MS, which should already be available in Active Directory, or if you wish to go third-party there are a number of password management solutions available. The term is Privileged Access Management should you wish to search on it.

On Windows there is an inspector to get the time of the last password change.
And since you did not say “root”, I am going to guess Windows only.

https://developer.bigfix.com/relevance/reference/user.html#password-age-of-user-time-interval

q: password age of user "administrator"
A: 424 days, 21:33:06

I wonder if we can devise a scheme where if this duration is not the expected duration (from the last time the FixletAction ran) that it will be relevant?

I wonder if we can use the client’s local sqlite DB of action history here…


You could also create a secure location in the registry somewhere that can hold the info you send from bigfix. Ex. password used, time and date sent. And then use a property to show the info in the console. From a security standpoint it’s a terrible idea; even sending the password change itself from bigfix could cause trouble if it leaves behind any info. I’ve used pstools in the past to send mass password updates.

Another option would be using bigfix and pstools via right click options, this way it can also use the properties you want. All you would have to do is update the random word in the script.

Here’s an example that enables administrator and sets a password:

"C:\PSTools\psexec \\"& name of current computer &" cmd.exe /c net users Administrator /active:yes | net users Administrator RandomWord"& (value of property results whose (name of property of it = "IP Address" ) of current computer) &""

I’m actually in the process of working with our security team to implement Thycotic on these devices. That’s probably the route that we’re going to take.

Yes…

Consider this relevance. It goes into the client area and looks for how many days ago the last time Action 83010 ran. It then subtracts the number of days since the Password was changed on Administrator account. If there is more than 1 day of difference, then your password change was not because of the Fixlet Action, and therefore the Password is not likely to be the Specially calculated one.

q: exists sqlite databases whose (exists ((it/day) of (now - it) of ( it + ("01 Jan 1970 00:00:00" as universal time) ) of  maxima of (it as string as integer*second) of rows of statements "SELECT  ChangeTime FROM ACTION_STATE_HISTORY where ActionID like 83010" of it) whose ((((password age of user "administrator" /day) - it) > 1))) of files "ActionHistory.db" of folders "__Global" of data folders of client
A: True

This should allow you to detect with relevance the endpoints you are interested in.

Next issue is, when your corrective Fixlet action runs to fix the password drift, the number of days will go back to 0, and thus will keep triggering the correction every day. Need to think more on this.

Shame on me for not “showing my work”

q: rows of statements "SELECT  ChangeTime FROM ACTION_STATE_HISTORY where ActionID like 83010" of sqlite databases of files "ActionHistory.db" of folders "__Global" of data folders of client
A: 1597334158
A: 1597425875
A: 1597670628
A: 1597763279
A: 1597848562
T: 16.678 ms
I: plural sqlite row

q: maxima of (it as string as integer*second) of rows of statements "SELECT  ChangeTime FROM ACTION_STATE_HISTORY where ActionID like 83010" of sqlite databases of files "ActionHistory.db" of folders "__Global" of data folders of client
A: 18493 days, 14:49:22
T: 14.170 ms
I: plural time interval

q: ( it + ("01 Jan 1970 00:00:00" as universal time) ) of  maxima of (it as string as integer*second) of rows of statements "SELECT  ChangeTime FROM ACTION_STATE_HISTORY where ActionID like 83010" of sqlite databases of files "ActionHistory.db" of folders "__Global" of data folders of client
A: Wed, 19 Aug 2020 10:49:22 -0400
T: 11.642 ms
I: plural time

q: (it/day) of (now - it) of ( it + ("01 Jan 1970 00:00:00" as universal time) ) of  maxima of (it as string as integer*second) of rows of statements "SELECT  ChangeTime FROM ACTION_STATE_HISTORY where ActionID like 83010" of sqlite databases of files "ActionHistory.db" of folders "__Global" of data folders of client
A: 0
T: 8.981 ms
I: plural integer

q: password age of user "administrator" /day
A: 425
T: 6.507 ms
I: singular integer
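The drift check from the two posts above, re-expressed in Python so the arithmetic can be followed step by step; this is an added example, not the poster’s relevance or any BigFix code. It assumes only the ACTION_STATE_HISTORY table with the ActionID and ChangeTime (Unix epoch seconds) columns that the posted query uses, builds that table in memory from the ChangeTime values shown above, and takes the password-last-set time as an epoch value in place of the "password age of user" inspector. It generalizes the posted comparison by using the absolute difference, so a password that is newer than the last action run (a support-desk reset after the action) is flagged as well as one that is older.

```python
import sqlite3
from datetime import datetime, timezone

ACTION_ID = 83010  # the Fixlet action ID used in the posted relevance
SECONDS_PER_DAY = 86400
# Constructed rows reproducing the ChangeTime values (epoch seconds) shown in the post.
SAMPLE_CHANGE_TIMES = [1597334158, 1597425875, 1597670628, 1597763279, 1597848562]


def build_sample_history(change_times=SAMPLE_CHANGE_TIMES, action_id=ACTION_ID):
    """In-memory stand-in for ActionHistory.db. The real table has more columns;
    only ActionID and ChangeTime are assumed here because the query needs nothing else."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE ACTION_STATE_HISTORY (ActionID INTEGER, ChangeTime INTEGER)")
    conn.executemany("INSERT INTO ACTION_STATE_HISTORY VALUES (?, ?)",
                     [(action_id, t) for t in change_times])
    return conn


def last_action_run(conn, action_id=ACTION_ID):
    """Same as the 'maxima of ... ChangeTime' step: newest run of the action as epoch
    seconds, or None when the action has never run on this endpoint."""
    (newest,) = conn.execute(
        "SELECT MAX(ChangeTime) FROM ACTION_STATE_HISTORY WHERE ActionID = ?", (action_id,)
    ).fetchone()
    return newest


def password_changed_outside_action(conn, password_last_set, now, action_id=ACTION_ID,
                                    tolerance_days=1):
    """True when the password age and the days since the action last ran disagree by more
    than tolerance_days, i.e. something other than the action set the password.
    Returns False when the action never ran here, like the relevance 'exists' clause."""
    last_run = last_action_run(conn, action_id)
    if last_run is None:
        return False
    days_since_action = (now - last_run) // SECONDS_PER_DAY       # '(now - it)/day'
    password_age_days = (now - password_last_set) // SECONDS_PER_DAY  # 'password age ... /day'
    # abs() catches both directions: password older than the last run (the post's case)
    # and password newer than the last run (reset by someone after the action).
    return abs(password_age_days - days_since_action) > tolerance_days


if __name__ == "__main__":
    db = build_sample_history()
    now = last_action_run(db) + 600                      # ten minutes after the last run
    print(datetime.fromtimestamp(last_action_run(db), tz=timezone.utc))
    stale = now - 425 * SECONDS_PER_DAY - 3 * 3600        # the 425-day age from the post
    print(password_changed_outside_action(db, stale, now))  # True
```
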