Resetting the administrator password
Most companies fall into the same category when it comes to controlling the administrator password: those that don't do it very well. The goal is to make the administrator password as strong as possible, but changing it on a regular basis is seen as too time consuming and complex. This is unfortunate, because most attackers target the administrator account: there is a lot of power to be gained by accessing a computer with this account. There are, however, methods for controlling the Windows administrator password efficiently and securely.
Understanding the scope
When you hear "administrator account," you might be limiting your thoughts to only the account at the domain level. This is only one of potentially thousands of administrator accounts that you have in the environment. Consider that every Windows computer, server and client alike (except Windows 9x clients), has a local administrator account.
Consider, too, that if you decide to make all Windows administrator account passwords the same throughout the enterprise, you run the risk of exposing every computer if the password becomes known. Therefore, it is a good practice to make the password unique for the administrator account on high-profile servers and clients.
Changing the administrator password
There are solutions that can change the password without too much effort, but choosing your tool is an important decision. Some tools control the password via a script. This is not a horrible solution, but it does have some unfortunate drawbacks. First, many of the scripting tools can't encrypt or mask the password. This leaves the password exposed in clear text, which in reality makes the password less secure. Second, scripts are event driven, which means the computer typically must be rebooted for the script to run. This limitation does have Band-Aid solutions, such as scheduling a task to run the script in order to get the technology to work.
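The clear-text drawback described above comes from embedding the new password in the script itself. The following PowerShell is an added example, not code from the article or from any product it mentions: it generates a unique password on each machine at run time, sets it on the built-in Administrator account (located by its well-known SID suffix rather than by name, since the account may be renamed), and hands the result back as a SecureString so nothing is printed or logged in clear text. It assumes Windows PowerShell 5.1 or later with the LocalAccounts module (Get-LocalUser / Set-LocalUser), an elevated session, and that the caller escrows the returned value in a protected store of their own; the function names are this example's own.

```powershell
# Added example (not from the original article): rotate the built-in local
# Administrator password with a value generated on the machine at run time,
# so no clear-text password is embedded in the script or a policy file.
# Assumes Windows PowerShell 5.1+ with the LocalAccounts module; run elevated.

function New-RandomPassword {
    param([int]$Length = 24)
    # Character set chosen to satisfy typical complexity policies; ambiguous
    # glyphs (I, O, l, 0, 1) are left out so the value can be read back reliably.
    $chars = [char[]]('ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!@#$%^&*()-_=+')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder

    # Rejection sampling: discard random bytes at or above the largest multiple
    # of the alphabet size that fits in a byte, so every character is equally
    # likely (a plain modulo would bias toward the first few characters).
    $limit = [int]([math]::Floor(256 / $chars.Length) * $chars.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($chars[$buf[0] % $chars.Length])
        }
    }
    $rng.Dispose()
    return $sb.ToString()
}

function Set-BuiltInAdministratorPassword {
    param([int]$Length = 24)
    # The built-in Administrator account always has a RID of 500, even after it
    # has been renamed, so select it by SID rather than by the name "Administrator".
    $admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    if (-not $admin) { throw 'Built-in Administrator account not found.' }

    $plain  = New-RandomPassword -Length $Length
    $secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
    # Drop the clear-text variable so only the SecureString is passed on. (The
    # underlying .NET string is reclaimed by garbage collection, not wiped.)
    Remove-Variable -Name plain

    Set-LocalUser -Name $admin.Name -Password $secure

    # Return the SecureString to the caller, who must escrow it in a protected
    # store (for example, a directory attribute with restricted read access).
    # Nothing is written to the console, the event log or a file here.
    return $secure
}

# Usage (elevated):  $escrow = Set-BuiltInAdministratorPassword -Length 24
```

The password is never a literal in the script, so a copy of the script in SYSVOL or on a file share reveals nothing about the current value; the point of failure moves to the escrow store, which is where access control and auditing belong. If you run this from a scheduled task (the workaround the article mentions for the reboot dependency), make sure the escrow step runs in the same script, or the new password is lost.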
In addition, more elegant solutions exist, such as the one from Desktop Standard Corp. Its PolicyMaker Standard Edition (www.desktopstandard.com) solution solves all of the limitations of scripting and provides an easy configuration environment. This solution changes the password through the powerful and limitless Group Policy feature, as shown in Figure 1.
Figure 1. PolicyMaker Standard Edition provides an easy way to change the administrator password on all computers.
By using Group Policy to change the password, the updates are automatically applied in the background without any additional configurations or Band-Aids. The password is encrypted so it can't be read and is protected from an attacker. Finally, by using Group Policy it is easy to have different passwords for the different servers and clients within the enterprise by linking Group Policy Objects to the appropriate organizational units containing the computer objects.
Leaving the administrator password unchanged for too long leaves the account exposed and vulnerable. There are solutions that involve automating the changing of the password, which gives you the power to take over control of your network and make the appropriate changes to the password on a regular basis. With many solutions available, you can pick and choose the solution that fits best in your environment without compromising your current procedures or security practices.
Derek Melber, MCSE, MVP, and CISM, is the director of compliance solutions for DesktopStandard Corp. He has written the only books on auditing Windows security available at The Institute of Internal Auditors' bookstore and also wrote the Group Policy Guide for Microsoft Press -- the only book Microsoft has written on Group Policy. You can contact Melber at firstname.lastname@example.org.
This was first published in August 2005