NT Gatekeeper: Assigning Unique Local Administrator Passwords

Here’s a third-party solution that gives every workstation a unique administrator password and centralizes the administration related to this operation.

Jan De Clercq

August 19, 2002


Get answers to your security-related NT questions

[Editor's Note: Do you have a security-related question about Windows NT? Send it to [email protected], and you might see the answer in this column!]

Our previous Windows NT administrator used the same local administrator password to install all our workstations, which greatly simplified our workstation build procedures. However, this practice has created a huge security risk. With only one set of credentials, a malicious intruder could access all the workstations. I'd like to give every local administrator account a unique password. Do you know an easy way to accomplish this task?

You might want to check out Foghorn Security's Local Account Password Manager (LAPM), a tool that gives every workstation a unique administrator password and centralizes the administration related to this operation. You can download a fully functional, nonexpiring demo version of LAPM from http://www.foghornsecurity.com/lapm/download. The demo version has a built-in host limit of 35 machines.

LAPM works by grouping workstations and member servers into logical groups, such as Research and Human Resources. LAPM assigns all machines that belong to a logical group the same knowledge key, which is a simple passphrase that an administrator sets. To generate a unique administrator password for every machine, LAPM uses an undocumented combination of the machine's NetBIOS name and the knowledge key of the group to which the machine belongs.

Installing LAPM is as simple as extracting all the files bundled in the LAPM .zip file to a folder. To make LAPM work in an NT domain environment, you must create a global account called the RunAs account and add it to a global group. Then, on every machine whose administrator account's password you want to manage, you add the global group to the local Administrators group. The RunAs account needs the Log on as a service user right on the machine from which you'll be running LAPM. Administrators using LAPM need the following user rights on the machine running the tool: Act as part of the operating system, Bypass traverse checking, and Replace a process level token.

To bring up the LAPM GUI, you run lapm.exe from the LAPM folder. Before you can use the tool, you need to enter the following information in the Configuration dialog box (accessible from the System Config menu): the RunAs account name and domain, and the domain name and PDC of the domain that contains the machines whose administrator passwords you want to manage.

To create logical groups and populate them with machines, you use the Add and Contents options, respectively. You select the Change Keys option to set the knowledge key. To start the administrator password reset process on remote machines, click Begin Host Processing.

After LAPM sets the local Administrator account's unique password, you can retrieve it with the GUI's Display a Host Password menu option. You can also use a command-prompt tool called the password generator (passgen.exe) that comes bundled with the LAPM application. When you retrieve the password from the GUI, LAPM prompts you for the machine's NetBIOS name. When using passgen.exe, you need to enter the machine's NetBIOS name and the group's knowledge key. You can retrieve the knowledge key from the GUI by selecting the appropriate group and clicking View Key/Account.
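LAPM's derivation is undocumented, so the following is an added illustration, not Foghorn Security's algorithm or code from this column: one way a per-host password can be recomputed from a group's knowledge key and a machine's NetBIOS name, which is what retrieval with passgen.exe relies on. The PBKDF2 and HMAC-SHA-256 construction, the alphabet, the password length, and the host and group names are all assumptions.

```python
import hashlib
import hmac

# Assumptions of this sketch (not LAPM's real parameters).
ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#%+=?"
PASSWORD_LENGTH = 14
KDF_ITERATIONS = 200_000  # slows guessing of a weak group passphrase


def normalize_netbios(name: str) -> str:
    """NetBIOS computer names are case-insensitive and at most 15 characters."""
    name = name.strip().upper()
    if not 1 <= len(name) <= 15:
        raise ValueError("NetBIOS computer name must be 1-15 characters")
    return name


def group_secret(knowledge_key: str, group: str) -> bytes:
    """Stretch the group's passphrase once; the group name acts as the salt."""
    return hashlib.pbkdf2_hmac("sha256", knowledge_key.encode("utf-8"),
                               group.encode("utf-8"), KDF_ITERATIONS)


def host_password(secret: bytes, netbios_name: str) -> str:
    """Derive one host's password from the group secret and its NetBIOS name."""
    host = normalize_netbios(netbios_name).encode("utf-8")
    limit = 256 - 256 % len(ALPHABET)
    out, counter = [], 0
    while len(out) < PASSWORD_LENGTH:
        block = hmac.new(secret, host + counter.to_bytes(4, "big"),
                         hashlib.sha256).digest()
        for b in block:
            # Rejection sampling keeps every alphabet character equally likely.
            if b < limit and len(out) < PASSWORD_LENGTH:
                out.append(ALPHABET[b % len(ALPHABET)])
        counter += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed passphrase, group and host names.
    research = group_secret("constructed example passphrase", "Research")
    for host in ("WKS-RES-001", "wks-res-002"):
        print(host, host_password(research, host))
```

In any scheme of this shape, whoever holds a group's knowledge key can recompute the password of every machine in that group, so the key needs the same protection as the passwords themselves.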
