Change Local Windows administrator password

Is there a way to leverage BigFix to set the local administrator password on Windows? We have a requirement to set this every 45 days, and using BigFix to automate this would be great.

Assuming you want to keep the password from prying eyes, secret parameters come into play.

The downside is that actions on fixlets that use secret parameters can only be targeted at hardcoded lists, not a dynamic collection, which will limit the usefulness.

Understood, not ideal, but sounds like a limited solution.

Do you need to know what the password is set to?

You could set it to something random on all systems and not keep track of what it is.

Another thing you could do is set it to something that is deterministically random. Basically, use the current month, current year, and BigFix client ID as the input to something, generate an output, and use that as the password.

If you want to set all computers to have the same well known password and have it be encrypted end to end, then this is really the only good option.
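As an added example (not code from the thread), here is one way to do the deterministic derivation suggested above in PowerShell. The point a practitioner would want to see is that hashing only year, month and client id is reproducible by anyone who knows the scheme, so the derivation is keyed with an HMAC over a secret that only the administrators hold; whoever has the key can recompute any device's current password without storing it. `$SecretKey`, `$ClientId` and the alphabet are assumptions for illustration, not values from the thread.

```powershell
# Added example: keyed, deterministic per-device, per-month password derivation.
# Not from the original thread; $SecretKey, $ClientId and the alphabet are assumed.
function Get-DerivedPassword {
    param(
        [Parameter(Mandatory)] [byte[]] $SecretKey,   # shared secret held by the admins (assumed)
        [Parameter(Mandatory)] [string] $ClientId,    # e.g. the BigFix computer id (assumed input)
        [datetime] $Period = (Get-Date),              # the rotation period to derive for
        [ValidateRange(8, 32)] [int] $Length = 20     # at most 32: one SHA-256 digest byte per symbol
    )
    # Only year and month go into the label, so the value changes once per month
    # and can be recomputed later for the same device and period.
    $label = '{0}|{1:yyyy-MM}' -f $ClientId, $Period
    $hmac  = [System.Security.Cryptography.HMACSHA256]::new($SecretKey)
    try {
        $digest = $hmac.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($label))
    } finally {
        $hmac.Dispose()
    }
    # Map digest bytes onto a printable alphabet. 64 symbols divide 256 evenly,
    # so the modulo introduces no bias toward any character.
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789@#'
    $chars = foreach ($b in $digest[0..($Length - 1)]) { $alphabet[$b % $alphabet.Length] }
    -join $chars
}

# Usage (constructed values): the same key, client id and month always yield the same password.
$key = [System.Text.Encoding]::UTF8.GetBytes('replace-with-a-long-random-secret')   # placeholder
$pw1 = Get-DerivedPassword -SecretKey $key -ClientId '1234567' -Period (Get-Date '2024-03-15')
$pw2 = Get-DerivedPassword -SecretKey $key -ClientId '1234567' -Period (Get-Date '2024-03-01')
if ($pw1 -ne $pw2) { throw 'same device and month must derive the same password' }
```

The trade-off is the usual one for derived secrets: a leaked key exposes every device's password for every period, so the key must be protected at least as well as the passwords themselves, and the period granularity (monthly here) decides how often the value actually changes regardless of how often the action runs.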

Microsoft recently announced that LAPS is now included in current editions of Windows. If the devices are joined to an Active Directory domain (Azure or on-prem), perhaps crafting content to leverage that engine would be a better option from a security POV?

1 Like

I don’t have experience with LAPS. Does it work if you have a machine that is domain joined but not currently on the corp network and not currently on VPN at the time? (work from home scenario, only on VPN some of the time)

I’ve not personally used it yet, was more just an alternate path suggestion for exploration.

The way the MS documentation reads you could absolutely support Remote/WFH/on-prem devices via the Azure AD method (available either for AAD or HAD joined devices). If the devices are only on-prem AD joined, I think there are limitations requiring VPN/ZTNA connectivity to post the information (unless you had your DCs exposed to the internet…).

1 Like

I have a workaround, but you need to enhance & use it accordingly:

Relevance to run the action every 45 days:
not exists action whose (now - last active time of it < 45 * day )

Action script to generate a random password & change it for the mentioned user; you can pass the username as a parameter (I hard-coded it for testing):

delete "C:\Windows\temp\random.txt"
delete __appendfile
appendfile -Join("ABCDabcd&@#$%1234".tochararray() | Get-Random -Count 16 | % {{[char]$_}) >> "C:\Windows\temp\random.txt"
move __appendfile __Download\test.ps1
wait {pathname of regapp "powershell.exe"} -ExecutionPolicy Bypass __Download\test.ps1
delete __Download\test.ps1
waithidden "C:\Windows\System32\net.exe" user test {line of file "C:\Windows\temp\random.txt"}

Major & only drawback: the password will be visible in the client log file, but you can also enhance it by deleting the logs of that day or using some encryption method to convert the generated password into a secure string.

I hope this will help 🙂

1 Like
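As an added example (not the poster's code), here is a replacement for the `Get-Random` one-liner in the script above. That one-liner permutes a fixed 16-character set, so every password it produces contains each of those 16 characters exactly once, and `Get-Random` is not a cryptographic generator. The function below draws bytes from the platform's cryptographic RNG, samples the whole alphabet with replacement, and discards bytes that would bias the modulo. The alphabet and default length are assumptions.

```powershell
# Added example: CSPRNG-backed password generation with rejection sampling.
# Not from the original thread; the alphabet and length are assumed.
function New-RandomPassword {
    param(
        [ValidateRange(8, 128)] [int] $Length = 20,
        [string] $Alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%&*-_'
    )
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $n     = $Alphabet.Length
    # Largest multiple of $n that fits in one byte. Bytes at or above it are
    # discarded, so every symbol is drawn with exactly the same probability.
    $limit = 256 - (256 % $n)
    $buf   = New-Object byte[] 1
    $out   = New-Object System.Text.StringBuilder
    try {
        while ($out.Length -lt $Length) {
            $rng.GetBytes($buf)
            if ($buf[0] -lt $limit) {
                [void]$out.Append($Alphabet[$buf[0] % $n])
            }
        }
    } finally {
        $rng.Dispose()
    }
    $out.ToString()
}

# Usage: keep the value in memory and hand it to the account API as a SecureString
# instead of putting it on a net.exe command line, where it is visible in process
# listings and in any log that records the command. Account name is a placeholder.
$pw = New-RandomPassword
if ($pw.Length -ne 20) { throw 'unexpected length' }
# Set-LocalUser -Name 'test' -Password (ConvertTo-SecureString $pw -AsPlainText -Force)
```

`Set-LocalUser` (Microsoft.PowerShell.LocalAccounts) takes the password as a `SecureString`, which avoids the temporary file and the command-line exposure the post describes; the BigFix log exposure discussed later in the thread is separate and still has to be handled with the `action log command` setting.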

A way to obfuscate entries from the BES client log would be to shift the log status from “All” to “Command”.
It is not the only exposure point, since that password briefly exists on disk in plain text, but I thought I’d offer a way to not destroy a client’s daily log that I’ve used when I don’t want a user to be able to go back & see a particular key or command’s details.

action log command

https://help.hcltechsw.com/bigfix/9.2/platform/Platform/Action/c_action_log.html

While not perfect from a security POV, you could make a couple of slight modifications to further minimize exposure by writing nothing to disk (just an example, not an endorsement 😉):

action log command
parameter "RandomVal" = "{concatenations of (characters it) of (it + 33 /* int to ASCII table position */ ) of (random integer of it) of (94) /* <-character set */ of integers to 20}"
waithidden "C:\Windows\System32\net.exe" user test {parameter "RandomVal"}
action log all

2 Likes

Yes! Like I mentioned, there is scope for enhancement; it’s just how you start your 1st step.

The same can be implemented using the API with a secure parameter on the fly, without leaving any traces, using some scripting & a scheduled task.

Just the updated reference to the action script command: https://developer.bigfix.com/action-script/reference/client/action-log-command.html
as BigFix v9.2 is out of support and the documentation is no longer maintained…

2 Likes