CSCF: Distributing a New Windows Master Password
The Windows Master Password is a single common password for Administrator access to every CSCF Standardized
Workstation, Server, Terminal Server and Domain Controller. It is encoded into all Workstation and Server images
used by our department. From these base images all the different types of Windows systems which CSCF maintains are built.
As such, even a suspected compromise of the Master Password becomes an urgent security matter.
Back in July (2005), Hong Zheng of MFCF reported that she suspected the master password for both MFCF and CSCF Windows
systems may have been compromised. She came to this conclusion upon finding a terminal server
belonging to the C&O depatment which had had its system hard drive mysteriously erased.
It is uncertain whether the Master Password was used to cause this failure or indeed if this failure was a delibrate
attack. Nevertheless, it was felt that the risk of not changing the Master Password was too great.
Below is an outline of how we recently dealt with this emergency by distributing a new Master Password to all CSCF managed
systems. At this time it was also decided to establish a new Master Password which was independent of the password MFCF
will now use for its Windows systems.
- Determine a new master password.
- This is kept in an envelop in the CSCF safe, along with previous master passwords.
- Change the master password for Administrator and cscf-adm domain accounts for all Active Directory domains.
- Remote logon to one domain controller in each domain.
- CSCF: Use elisa, glacias or aeshena
- CS-GENERAL: Use serverus or intacta
- CS-TEACHING: Use canadenis or eponina
- Change the master password for Administrator and cscf-adm local accounts on all Terminal Servers.
- Remote logon to one the following terminal servers.
- barbarus1
- barbarus2
- palmata
- najas
- antidote1
- elegans1
- elegans2
- Change the master password for Administrator, cscf-adm and cscf local accounts on all remaining online systems.
- Scan all CS subnets for PCs which answer to the old master password.
- For each account test for authentication using the old master password.
- This is done using the built in Windows net use command.
- If authentication succeeds, change the remote account's password to the new master password.
- This is done using the built in Windows net user command.
- Change the master password for Administrator, cscf-adm and cscf local accounts on all remaining offline systems in the
active directory.
- Setup a GPO which will cause previously offline workstations to request a password test upon boot
- The GPO runs a script at boot time.
- The script records the IP address of the booting computer in a data file.
- At regular intervals (5 minutes) one of the domain controllers runs a schedualed script to check the entries in the address list
- For each IP in the address list, the schedualed script does the following.
- For each account test for authentication using the old master password.
- If authentication succeeds, change the remote account's password to the new master password.
- Change the master password for Administrator and cscf-adm local accounts on all Workstation and Terminal Server
Standard Images.