Change VPN (and other Remote Access) passwords remotely?

[Ignatius]

Here's a theoretical scenario which I've discussed with some friends but none of us can come up with a solution:

A company provides remote support to clients via VPN and Remote Desktop. If an employee leaves the company, it's good practice to change passwords, just in case the former employee uses their knowledge to damage remote computer systems. I realise that an engineer could visit the clients and change the passwords "manually", but is it possible to have them changed "remotely" from the central office, perhaps via a script? I'd suggest having a .txt file (or an Excel spreadsheet) listing the company, current and new passwords and have this accessed by the script.

Is this idea feasible or is there any other way of changing passwords quickly? If the company has 200 clients, it could take a couple of weeks before the passwords are changed and a "rogue" former employee could do a lot of damage within that time.

[xiphias360]

That's exactly the type of scenario companies like secure computing provide as a means to justify their one-time password solutions. If the company is big enough (and more importantly, able to understand the importance of this aspect of security) they may want to look into such a solution:

http://www.securecomputing.com/gatew...e_password.cfm

[Net2Infinity]

You shouldn't have to change the passwords of every other user if the solution was designed properly in the first place. Every remote user should have a different password, thus you merely disable the account of the employee that left. Additionally VPN passwords shouldn't be stored on the client, thus you shouldn't change them in such fashion anyways.

[xiphias360]

I think you read that wrong. His scenario is the company the possibly rouge employee works for provides remote support via VPN, in which case yes, most of the time you will find that even if each remote client/user has a different password assigned to them/their machine, each employee at the company who provides support has access to the passwords used to access the clients machines for 'support purposes'. When any person leaves that company they would have to change the passwords every time because the passwords were common knowledge amongst the employees. I think you may have interpreted it as clients dialing into the companies VPN with common passwords.

[xiphias360]

BTW, if you plan on storing an unencrypted list of customer info and associated passwords, it is common practice to keep it on a machine that is physically accessible to all employee's, but not connected to a live network.

[Ignatius]

I'll clarify:

Imagine there are 5 engineers, all of whom have access to the base office system and can access their customers/clients by VPN or Remote Desktop. The customers' passwords are kept securely at the base office but not stored in the VPN or Remote Desktop software. If someone needs to contact company X, they look up the username and password then do what's necessary remotely. Over time, familiarity with usernames and passwords means that they don't have to look them up.

If one of the engineers leaves the company, they can set up VPN or Remote Desktop from home (they may have done so already to work on a customer's system out of "office hours") and use the username and passwords that they'd remembered. What I want to know is about changing the passwords remotely, rather than having to drive around all the customers to change the VPN or Remote Desktop passwords directly.

Thank you for the comments thus far.

[Net2Infinity]

Sorry for misunderstanding the original post.

[Ignatius]

No worry!

[foxyloxley]

I worked as tech support for a company that provided support to several companies over various WAN links
clients included Airports / emplyment agencies etc
and we, as support had access to EVERYTHING on each client system, as we were THE support, no local / permanent employee used.

in that scenario, it WOULD be best to alter all passwords
but companies do seem to 'trust' us
maybe too much, and TBH, I have so many details n my head now, that to pull one out of th eether as it were, would take more than I could be arsed to do

but the point is well made

what if I WAS a BASTA
I COULD have crippled several networks without even breaking a sweat

maybe I should ask for a pay rise

[Ignatius]

Thank you. I felt that there are many here who do work, or have worked, in this very field and it was with that in mind that I posted my original scenario. If it's agreed that changing passwords when someone leaves (more importantly "under a cloud"), surely there's a quicker way than to visit customers' premises and change everything manually? Whilst that would be relatively easy here in the UK, I suspect that support companies might provide support to customers many hundreds of miles away in the US. That is, after all, one of the main reasons for having such remote support after all, isn't it? I suppose that a possibility is to talk someone at the customers' premises through the process of changing the password(s) but I still think it would be more efficient if it could be done automatically.