My Take on Security by Obscurity

By Josh Griffin, IT Manager

This month’s Microsoft® TechNet magazine had a great article, “The Great Debate on Security by Obscurity”, in which Jesper M. Johansson and Roger Grimes debated the effectiveness of security by obscurity. They argue for and against Auguste Kerckhoffs’ principle (dating back to 1883), which states that a system should be secure by design, not by the lack of knowledge of the design. Having been in the IT security business for 12 years, I may be considered old-school, but I agree with Roger Grimes in that a system should be secure by design.

Kerckhoffs also states that you should expect the enemy to know your design, so the only real protection is provided by your cryptographic key. In today’s day and age of data breaches, you can’t be too safe, in my opinion. This key could be your WPA2 key, your web.config encryption key or your database encryption key. The average cost of an enterprise data breach went up from $5 million to $6.3 million according to the most recent Forrester research poll. I wouldn’t bet the farm on simply using security by obscurity. In the article, they battle back and forth on whether to change the administrator account name and password programmatically and how difficult this can be.

For the following examples, I am going to focus on Windows and Active Directory. Jesper mentioned that using the Active Directory Group Policy setting “Accounts: Rename administrator account” would be ineffective if all computers ended up with the same renamed admin account. I always recommend creating Organizational Units for your computers so you can assign Group Policy Objects (GPOs) to them. You can’t link GPOs to the default Computers container, which is where new computers are placed by default. Then, if you break your computers up into server and workstation types (like I do), it’s easy to rename the account differently for each group. And, you can roll out changes on a regular basis.

Now let’s talk about changing the admin password across the organization programmatically. By simply using pspasswd.exe (from Microsoft® Sysinternals), an administrator can export a list of computers from Active Directory, copy and paste the list into a flat file named, for example, workstations.txt, and then call pspasswd.exe from the command line: pspasswd.exe @workstations.txt -u <domain admin> -p <domain admin password> <renamed admin account from gpo> <new password>. The -u and -p options are the credentials pspasswd connects with; the last two arguments are the local account to change and its new password. It will go out to all computers in workstations.txt and change the password for you. Appending > C:\passwdchange.txt will log the output for you on the C: drive.
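The same procedure as one script, added here as an example rather than taken from the article: it assumes the RSAT ActiveDirectory module is installed, pspasswd.exe is on the PATH, and the OU distinguished name and account name are placeholders you replace with your own.

```powershell
# Added example (not from the article): rotate the renamed local admin password on
# every enabled computer in one OU, following the export -> flat file -> pspasswd flow.
Import-Module ActiveDirectory

$ouDn       = 'OU=Workstations,DC=example,DC=com'   # placeholder: your workstation OU
$listFile   = 'C:\workstations.txt'
$logFile    = 'C:\passwdchange.txt'
$targetUser = 'RenamedAdmin'   # placeholder: name set by "Accounts: Rename administrator account"

# 1. Export the computers in that OU into the flat file pspasswd reads with @file.
$computers = Get-ADComputer -SearchBase $ouDn -Filter 'Enabled -eq $true' |
    Select-Object -ExpandProperty Name
$computers | Set-Content -Path $listFile -Encoding ASCII
Write-Host "Exported $($computers.Count) computers to $listFile"

# 2. Prompt for the new password at run time so it is never stored in the script.
$newPassword = Read-Host -Prompt "New password for $targetUser"

# 3. Run pspasswd under the current (domain admin) credentials; the trailing
#    arguments are the local account to change and its new password. stderr is
#    merged so offline hosts and access-denied errors land in the log as well.
$stamp = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
Add-Content -Path $logFile -Value "=== $stamp : $targetUser on $($computers.Count) hosts ==="
& pspasswd.exe "@$listFile" $targetUser $newPassword 2>&1 |
    Tee-Object -FilePath $logFile -Append

# 4. Clear the plaintext password from the session once the run is finished.
$newPassword = $null
```

Review the log afterwards for hosts that were offline or refused the change, and rerun the script against a file containing only those names.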

So as you can see, with a little scripting and some Active Directory knowledge, you can make these changes without a lot of work and keep your network secure.
