Managing the Local Administrator account in an Enterprise Environment

Recently I was tasked with creating a service that could reset the Local Admin password on workstations within our company.

It wasn't that we had no way of managing them, but after an audit the existing method was found to be less than sufficient. It used an algorithm that set the password from a mixture of the date, machine name, domain name and the local account to be reset. This was fine until someone put a copy of the application in netlogon; the code was disassembled and the algorithm exposed, which meant the password could easily be worked out.

Therefore I needed to find a way of creating a random password, which is not too difficult, and also of ensuring that this password could not be easily deciphered or guessed.

After a bit of research and googling, I came to the conclusion that using a domain PKI certificate to encrypt and decrypt the password was the way to go.

The idea is that when the service starts it generates a random password. This is then encrypted with the certificate's public key, and the workstation details, the date/time and the byte array of the encrypted string are written to a database. If the database is not contactable, the password is not reset. If the local administrator account successfully logs in to a workstation, the password is reset; again, this will not happen if the network is not available.

To retrieve the password, the general idea is a web page that is permissioned appropriately, so that the staff who require this ability can only do so through the form presented. This is possible because the private key for decrypting the password will be stored only on the web server that hosts the pages.
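To make the split concrete, here is an added Go sketch of the seal/open design described above (illustrative code, not the project's code from the repository below): the workstation side holds only the certificate's public key, the web server side holds the private key, and `PasswordRecord` stands in for the database row. The workstation name, record layout and password length are assumptions for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"math/big"
	"time"
)

// PasswordRecord is the database row: host, reset time and ciphertext, never the plaintext (assumed layout).
type PasswordRecord struct {
	Workstation string
	ResetAt     time.Time
	Ciphertext  []byte
}

const alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@"

// NewRandomPassword draws each character uniformly from the OS CSPRNG; no date, hostname or domain is involved.
func NewRandomPassword(length int) (string, error) {
	out := make([]byte, length)
	modulus := big.NewInt(int64(len(alphabet)))
	for i := range out {
		n, err := rand.Int(rand.Reader, modulus)
		if err != nil {
			return "", err
		}
		out[i] = alphabet[n.Int64()]
	}
	return string(out), nil
}

// Seal runs on the workstation with only the public key; the workstation name is the OAEP label, binding ciphertext to host.
func Seal(workstation, pw string, pub *rsa.PublicKey) (PasswordRecord, error) {
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, []byte(pw), []byte(workstation))
	if err != nil {
		return PasswordRecord{}, err
	}
	return PasswordRecord{Workstation: workstation, ResetAt: time.Now().UTC(), Ciphertext: ct}, nil
}

// Open runs only on the web server holding the private key; an altered workstation name fails the label check.
func Open(rec PasswordRecord, priv *rsa.PrivateKey) (string, error) {
	pt, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, rec.Ciphertext, []byte(rec.Workstation))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}
```

In a real deployment the public key would come from the issued certificate and the private key would never leave the web server's certificate store.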

This all sounds simple enough, and so far I have it working successfully, albeit not with the web front end but with a simple Windows Forms application for quick testing purposes.

The source code for this will be found here: https://github.com/Blankinfinity/Admin-Reset-Service . I just need to upload it first, but I will update here when it is.

Feel free to pull the source and make amendments that could potentially improve the service or its security, or just leave me a comment with suggestions.
