-
August 3rd, 2002, 01:06 AM
#11
Originally posted here by DBEAUCHAMP
Unfortunately, I don't think there is a legal way of doing it without having the user's consent ! Even if you are an Administrator of the domain.
Actually, I don't think cracking users' passwords is illegal if you are the admin and have the appropriate authority: the network and systems are property of the company, as well as all the work done on them. You should probably specify it in the policy though so users know...
Have you tried to change the password on the domain to see if this could help ? I'd be surprised though since I think that the token having the password and all has to be remade on the next user login or establish a password change by the user itself.
I'd be interested in hearing the results of that... (Heck, I'll try it Monday when I get back to work..)
I don't know, but is there a law that could permit you to get your user to sign a kind of legal consent that when this kind of situation happens, they'd let you use a software like @stake LC4 to get their current password and then unlock their station and finally make sure to inform the user of the changes made to their account ? If so, here's your solution...
Like I said, no laws are against it since the company owns everything and you are authorized as the admin to do that. It doesn't constitute unauthorized access, theft of data or anything...
Good luck !
For my part I'd suggest trying to run such scripts as batch jobs (i.e. through the task scheduler, for example) so they don't run as interactive and wouldn't be ended on logout (I'm not sure but I think it should work... and it's probably worth a try...)
(this might give hints: http://www.microsoft.com/technet/tre...d_urs_wyxu.asp)
Ammo
Credit travels up, blame travels down -- The Boss
-
August 12th, 2002, 07:02 AM
#12
Junior Member
Thanks for all the suggestions. I'll try and address your responses individually.
- We used to have a system whereby I set all the passwords. New security policy. No more.
- legality of password databases - I don't think it's illegal - the data is the company's and they (I as admin) have rights to gain access to it at any time if need be under our security audit
- make the program run as a service - Bwahahaha - No offense but that would mean our programming team would need to do their job right the first time
- cracking the SAM - I could do that, but some security officer - the ***** - (me) set a strong password policy of min of 8 characters, three of the following four - upper case, lower case, numeric and symbol. Most passwords are 10+ characters. It takes even l0phtcrack days just to come up with a couple passwords. Plus the ******* (me) set the policy to have 30 day turnaround on password changes, unique with a history of five previous passwords.
Customers are a little picky on just who and when people access their databases. Very sensitive as of late with the larger customers and their security audits.
I decided the following - if someone leaves for a while and I have legit need to get in to their computer - tough **** if they didn't save their work and ..
if the network problem is so huge that I need to stop programs from running, in all likelihood the database server is puking already. Tough noogies if they have to rerun a three day load. They'll get over it. My primary objective is to protect the servers.
If you lived here you'd be home by now.