(imported comment written by brolly3391)
Hello MikeP,
We have covered your first question in previous threads but I like the title of this thread so let's review:
BigFix can be used to change the password on your local administrator accounts but not securely. Anytime you use a distributed method to send a password to an endpoint, that password is vulnerable to capture and compromise. In this case the new password is in plain text on every machine that subscribes to the site with this fixlet as well as on the BigFix server.
I will show you how to do it but you have to understand the security exposure.
The local admin account in this example task is administrator. New password is p4$$w0rD. I know the net.exe command is available on Win 2k, 2k3 and XP, maybe more.
relevance:
exists member whose (it as string as lowercase contains "\administrator") of local group "administrators"
action:
RunDetached {pathname of system folder}\net.exe user administrator p4$$w0rD
To reinforce this point, go ahead and create the above task in your development environment. Don’t deploy it, just create it. Note the ID of the new task in the tasks pane of your console (this column is off by default so you might have to turn it on).
Now go to one of your test machines that subscribe to your actionsite. Perform a file search for the ID number of the task you just created in the folder c:\Program Files\BigFix Enterprise\BES Client. Open the file Fixlet<ID>.fxf. You will see the password exposed in cleartext without even taking an action from that task.
other related threads:
RunAsCurrentUser (post #11 and on)
http://forum.bigfix.com/viewtopic.php?id=74
password on service
http://forum.bigfix.com/viewtopic.php?id=259
VNC password
http://forum.bigfix.com/viewtopic.php?id=28
Your second question can be taken care of without the above concerns as the password is never transmitted.
Sample where account to be removed from local admin is named RemoveMe:
relevance:
exists member whose (it as string as lowercase ends with "removeme" and it as string as lowercase starts with computer name as lowercase) of local group "administrators"
action:
RunDetached {pathname of system folder}\net.exe localgroup "Administrators" "{computer name}\RemoveMe" /delete
You could also substitute in a domain name instead of {computer name} to remove a domain account from a local group.
Cheers,
Brolly
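The manual check above (search the BES Client folder for Fixlet<ID>.fxf and read the action script) can be turned into a repeatable audit. The script below is an added example, not code from the post or from BigFix: it walks a client folder, reads every cached Fixlet*.fxf file and flags action lines that pass a password to net.exe as a positional argument, reporting the account and the password's length but never the password itself. The default install path is the one quoted in the post; the sample fixlet text, file names and temporary folder layout are constructed for the demo, and reading the files as UTF-8 is an assumption.

```python
"""Audit a BES Client folder for cleartext credentials in cached fixlet content.

Added example (not from the forum post or from BigFix). It mirrors the manual
check described in the post and flags `net user <account> <password>` lines.
"""
import re
import tempfile
from pathlib import Path

# Default install path quoted in the post; pass any other client folder to scan_client_folder().
DEFAULT_CLIENT_FOLDER = r"C:\Program Files\BigFix Enterprise\BES Client"

# Action-script command that embeds a secret as a positional argument.
# Only the `net user <account> <password>` form from the post is modelled here.
CREDENTIAL_PATTERNS = (
    ("net user", re.compile(
        r"\bnet(?:\.exe)?\s+user\s+(?P<account>\S+)\s+(?P<secret>\S+)",
        re.IGNORECASE)),
)

# Constructed stand-ins for two cached tasks: the password-change task from the
# post (cleartext password) and the group-removal task (no credential).
SAMPLE_PASSWORD_TASK = """\
Relevance: exists member whose (it as string as lowercase contains "\\administrator") of local group "administrators"
ActionScript: RunDetached {pathname of system folder}\\net.exe user administrator p4$$w0rD
"""
SAMPLE_REMOVAL_TASK = """\
Relevance: exists member whose (it as string as lowercase ends with "removeme") of local group "administrators"
ActionScript: RunDetached {pathname of system folder}\\net.exe localgroup "Administrators" "{computer name}\\RemoveMe" /delete
"""


def redact(secret: str) -> str:
    """Never copy the secret into the report; record only its length."""
    return f"<redacted, {len(secret)} chars>"


def scan_fxf_text(text: str, source: str) -> list[dict]:
    """Return one finding per action line that passes a password in cleartext."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if not match:
                continue
            secret = match.group("secret")
            # `net user name /delete`, `net user name /active:yes` and
            # `net user name *` carry no password: the second argument is a
            # switch or the interactive-prompt marker.
            if secret.startswith("/") or secret == "*":
                continue
            findings.append({
                "source": source,
                "line": lineno,
                "command": label,
                "account": match.group("account"),
                "password": redact(secret),
            })
    return findings


def scan_client_folder(root) -> list[dict]:
    """Walk the client folder and scan every cached Fixlet*.fxf file."""
    findings = []
    for path in sorted(Path(root).rglob("*.fxf")):
        if not path.name.lower().startswith("fixlet"):
            continue
        # Assumption: cached fixlet files are readable as UTF-8 text.
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(scan_fxf_text(text, str(path)))
    return findings


def demo() -> list[dict]:
    """Write the constructed samples to a temporary folder and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "BES Client"
        root.mkdir(parents=True)
        # Constructed task IDs; real IDs come from the console's ID column.
        (root / "Fixlet1234.fxf").write_text(SAMPLE_PASSWORD_TASK, encoding="utf-8")
        (root / "Fixlet1235.fxf").write_text(SAMPLE_REMOVAL_TASK, encoding="utf-8")
        return scan_client_folder(root)


if __name__ == "__main__":
    # Run against DEFAULT_CLIENT_FOLDER on a real endpoint; the demo uses
    # the constructed samples so it runs anywhere.
    for finding in demo():
        print(finding)
```

Only the password-change task produces a finding; the removal task is clean because the account name is the only argument and no secret is transmitted, which is the distinction the post draws between the two questions.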