I love the password encryption/local user section of labs. I’m trying to pick it apart and use it for a different case.
We want to change service accounts for our SQL services across 600+ endpoints. This of course means we’d need to send a password, which prior to Labs was a no-no. I can handle the piece to update the accounts with no issues, I just want to see if I can make a “custom” action that secures the password.
Has anyone done something like this? The action that is pushed to add a local user is fairly easy to pick apart, but I’m trying to find out how the BigFix server encrypts the password. Is there any documentation on this?
We don't have any proper documentation on it, though I can give you a bit of a primer.
The first step to using encryption is that we create a public/private key pair on each endpoint. We then report the public key up through an analysis.
Now we have a public key for every computer. In the wizard on the console (rather than through the server), we run OpenSSL to encrypt the strings for each of the computers. From there it’s just a matter of making the action, which as you noted is pretty straightforward (just find the right encoded string for each computer, decrypt, and use).
We have developed some modules internally to help make using this method easier (we are now doing this in several products). I can give it to you if you want, though since it was developed for internal use, I am not sure how easy to use it would be (might require our full development framework, I’ll check it out).
We would be interested in that too. I’m excited about the PKI infrastructure that this gets into place. I’d like to leverage it to deploy other secure data.
We have a pair of DLLs we use on the client and in a dashboard to accomplish this. Once we get them properly signed, I'll post them up on the wiki with some info on how to use them.