one of the missing features that gives some windows administrators (and ALL security administrators) heartburn on the windows desktop platform is the lack of built-in controls to manage local passwords. group policy preferences was one of the ways you could get around this problem, but as you probably already know, it was quite insecure and recently addressed by a security update. okay, so where does that leave us?
recently, tom ausburne wrote this bang-up article which covers quite a few things, like the insecurity of group policy preferences, the jiri method, and pass the hash. it’s definitely worth the read and provides all the steps necessary to set up the jiri method in your environment.
so what’s this jiri method? it basically changes the local admin password to something random and stores the value in AD. the caveat is that the password is stored unencrypted, in clear text. tom’s article goes a bit into protecting the attribute (a concept called the confidential bit).
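since the password sits in AD in clear text, it's worth confirming the attribute really is flagged confidential (bit 0x80 of searchFlags on its schema object). the check below is an added example, not code from tom's article or the jiri solution; the attribute name is a placeholder you replace with whatever your deployment uses, and it assumes the ActiveDirectory powershell module is installed.

```powershell
# added example: verify that a schema attribute carries the confidential bit.
# assumption: $PasswordAttribute is a placeholder, not a name taken from the article.
Import-Module ActiveDirectory

$PasswordAttribute = 'PLACEHOLDER-password-attribute'

function Test-ConfidentialBit {
    param([int]$SearchFlags)
    # 0x80 (128) in searchFlags marks an attribute as confidential
    return (($SearchFlags -band 0x80) -ne 0)
}

function Get-AttributeConfidentiality {
    param([Parameter(Mandatory)][string]$LdapDisplayName)

    # attribute definitions live in the schema naming context
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $filter   = "(&(objectClass=attributeSchema)(lDAPDisplayName=$LdapDisplayName))"
    $attr     = Get-ADObject -SearchBase $schemaNC -LDAPFilter $filter `
                             -Properties lDAPDisplayName, searchFlags

    if (-not $attr) {
        throw "attribute '$LdapDisplayName' not found in the schema"
    }

    # searchFlags may be unset on the object; [int]$null evaluates to 0
    $flags = [int]$attr.searchFlags

    [pscustomobject]@{
        Attribute    = $attr.lDAPDisplayName
        SearchFlags  = $flags
        Confidential = Test-ConfidentialBit -SearchFlags $flags
    }
}

$result = Get-AttributeConfidentiality -LdapDisplayName $PasswordAttribute
$result

if (-not $result.Confidential) {
    Write-Warning "$($result.Attribute) is not confidential: any principal with read access to the attribute can read the stored password"
}
```

the confidential bit only changes who can read the value (readers also need the control access right on the attribute); the password is still stored unencrypted in the directory.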
how to automate changing the local administrator password
pass-the-hash (PtH) whitepaper
group policy preferences elevation vulnerability
the jiri solution
confidential attributes (or bits as i came to know it)