Change VPN (and other Remote Access) passwords remotely?

  1. #1
    Senior Member
    Join Date
    Oct 2004
    Posts
    183

    Change VPN (and other Remote Access) passwords remotely?

    Here's a theoretical scenario which I've discussed with some friends but none of us can come up with a solution:

    A company provides remote support to clients via VPN and Remote Desktop. If an employee leaves the company, it's good practice to change passwords, just in case the former employee uses their knowledge to damage remote computer systems. I realise that an engineer could visit the clients and change the passwords "manually", but is it possible to have them changed "remotely" from the central office, perhaps via a script? I'd suggest having a .txt file (or an Excel spreadsheet) listing the company, current and new passwords and have this accessed by the script.

    Is this idea feasible or is there any other way of changing passwords quickly? If the company has 200 clients, it could take a couple of weeks before the passwords are changed and a "rogue" former employee could do a lot of damage within that time.

  2. #2
    Senior Member
    Join Date
    Dec 2007
    Posts
    132
    That's exactly the type of scenario companies like Secure Computing provide as a means to justify their one-time password solutions. If the company is big enough (and more importantly, able to understand the importance of this aspect of security) they may want to look into such a solution:

    http://www.securecomputing.com/gatew...e_password.cfm

  3. #3
    Senior Member
    Join Date
    Mar 2004
    Posts
    119
    You shouldn't have to change the passwords of every other user if the solution was designed properly in the first place. Every remote user should have a different password, thus you merely disable the account of the employee that left. Additionally VPN passwords shouldn't be stored on the client, thus you shouldn't change them in such fashion anyways.

  4. #4
    Senior Member
    Join Date
    Dec 2007
    Posts
    132
    I think you read that wrong. His scenario is the company the possibly rogue employee works for provides remote support via VPN, in which case yes, most of the time you will find that even if each remote client/user has a different password assigned to them/their machine, each employee at the company who provides support has access to the passwords used to access the clients' machines for 'support purposes'. When any person leaves that company they would have to change the passwords every time because the passwords were common knowledge amongst the employees. I think you may have interpreted it as clients dialing into the company's VPN with common passwords.

  5. #5
    Senior Member
    Join Date
    Dec 2007
    Posts
    132
    BTW, if you plan on storing an unencrypted list of customer info and associated passwords, it is common practice to keep it on a machine that is physically accessible to all employees, but not connected to a live network.

  6. #6
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    I'll clarify:

    Imagine there are 5 engineers, all of whom have access to the base office system and can access their customers/clients by VPN or Remote Desktop. The customers' passwords are kept securely at the base office but not stored in the VPN or Remote Desktop software. If someone needs to contact company X, they look up the username and password then do what's necessary remotely. Over time, familiarity with usernames and passwords means that they don't have to look them up.

    If one of the engineers leaves the company, they can set up VPN or Remote Desktop from home (they may have done so already to work on a customer's system out of "office hours") and use the username and passwords that they'd remembered. What I want to know is about changing the passwords remotely, rather than having to drive around all the customers to change the VPN or Remote Desktop passwords directly.

    Thank you for the comments thus far.
    Last edited by Ignatius; January 26th, 2008 at 12:10 PM.

  7. #7
    Senior Member
    Join Date
    Mar 2004
    Posts
    119
    Sorry for misunderstanding the original post.

  8. #8
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    No worry!

  9. #9
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,528
    I worked as tech support for a company that provided support to several companies over various WAN links
    clients included Airports / employment agencies etc
    and we, as support had access to EVERYTHING on each client system, as we were THE support, no local / permanent employee used.

    in that scenario, it WOULD be best to alter all passwords
    but companies do seem to 'trust' us
    maybe too much, and TBH, I have so many details in my head now, that to pull one out of the ether as it were, would take more than I could be arsed to do

    but the point is well made

    what if I WAS a BASTA
    I COULD have crippled several networks without even breaking a sweat

    maybe I should ask for a pay rise
    55 - I'm fiftyfeckinfive and STILL no wiser,
    OLDER yes
    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  10. #10
    Senior Member
    Join Date
    Oct 2004
    Posts
    183
    Thank you. I felt that there are many here who do work, or have worked, in this very field and it was with that in mind that I posted my original scenario. If it's agreed that changing passwords when someone leaves (more importantly "under a cloud"), surely there's a quicker way than to visit customers' premises and change everything manually? Whilst that would be relatively easy here in the UK, I suspect that support companies might provide support to customers many hundreds of miles away in the US. That is, after all, one of the main reasons for having such remote support after all, isn't it? I suppose that a possibility is to talk someone at the customers' premises through the process of changing the password(s) but I still think it would be more efficient if it could be done automatically.
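
The distinction drawn in posts #3 and #4 (per-engineer accounts need only be disabled, while shared support credentials must be rotated everywhere the leaver knew them), as an added example that is not part of the original thread. The inventory layout, the names and the `offboarding_plan` helper are assumptions made for illustration; the plan it produces still has to be applied on each client system by whatever means that system supports.

```python
import csv
import io
import secrets
import string

# Constructed sample inventory: one row per credential on a client system.
# "holders" lists every engineer who knows or can look up that credential.
INVENTORY_CSV = """client,account,kind,holders
Company X,support,shared,alice;bob;carol
Company X,bob.admin,personal,bob
Company Y,remote,shared,alice;carol
Company Z,vpn-support,shared,bob;carol
"""

ALPHABET = string.ascii_letters + string.digits + "-_!@#%"


def new_password(length=20):
    """Generate a random password from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def offboarding_plan(inventory_csv, leaver):
    """Return the actions required when `leaver` leaves the support company.

    personal account held by the leaver -> disable that account only
    shared credential the leaver knew   -> rotate to a fresh, unique password
    credentials the leaver never held   -> left untouched
    """
    plan = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        holders = row["holders"].split(";")
        if leaver not in holders:
            continue
        step = {"client": row["client"], "account": row["account"]}
        if row["kind"] == "personal":
            step["action"] = "disable"
        else:
            step["action"] = "rotate"
            step["new_password"] = new_password()
            # Remaining engineers who must be told the new value.
            step["notify"] = [h for h in holders if h != leaver]
        plan.append(step)
    return plan


if __name__ == "__main__":
    # Print the work list without echoing the generated secrets.
    for step in offboarding_plan(INVENTORY_CSV, "bob"):
        print(step["client"], step["account"], step["action"])
```
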
