g (Generate Password Based on Known Input)

g (Generate Password Based on Known Input)

This is perhaps the most useful feature of the tool, the ability to generate a password based on known input. As discussed in Chapter 8, "Security Dependencies," one of the biggest problems in security is the fact that on most networks, the administrator accounts on all or most machines have the same password. This feature is designed to solve that problem. It takes two pieces of known input, a pass phrase and an identifier for the account or machine, and generates a password for that account. That means that using the tool and a single pass phrase you can easily manage separate passwords on a large number of systems. You can, of course, also use this functionality to manage separate passwords on Web sites and service accounts.

The syntax for the g functionality is as follows :

[View full width]
 
[View full width]
Passgen g <identifier> <pass phrase> [-l <desired length>] [-e <desired character set>] [-c <account name> [<old password>] [-m <machine/domain>] [-d <service name>]] [-h]

The only required options are g , the identifier, and the pass phrase. Calling passgen g <identifier> <pass phrase> will print a password for the identifier based on the identifier and the pass phrase. Using only these options, passgen will print a 15-character password using uppercase, lowercase, numbers , and printable symbols on a U.S. English keyboard. The format of identifier and pass phrase are almost entirely optional. If you want to use a space in either, however, you must enclose the entire parameter in quotes. In addition, the pass phrase may not be a two-character sequence beginning with a or a / . This is to avoid the tool taking it for a command-line switch.

If you want a password of some other length you can use the l switch and specify a number for length. For instance, passgen g <identifier> <pass phrase> -l 14 would print a 14-character password instead.

The -e switch controls the entropy in the password by specifying which character set to use by a character-set identifier. The valid options are as follows:

  1. Uses only alphabetic upper- and lowercase characters ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz

  2. Uses all English alphanumeric characters ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789

  3. Uses all characters on a U.S. English keyboard. This is the default character setABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789`~!@#$%^&*()_-+={ [} ]\:;"'<,>.?/

  4. If you use this character set, you may need to know how to use the characters properly. For instance, the " character is a delimiter on the command line. To use it on the command line, you need to escape it, using a \ character. In other words, if the password you generate is ^:L^"=92bN3?;nv, you need to type it as ^:L^\"=92bN3?;nv to use it on the command line.

  5. Same as 3, but also includes the Unicode characters 0128 through 0159. Note that if you set a password using character set 4, you will not get an LM hash, regardless of the length of the password. However, this benefit comes at several costs:

    • You will not be able to use this account from a system running Windows 9x unless you install the directory services client.

    • The account cannot be used as a cluster services service account unless you also configure the NtlmMinClientSec switch as per Chapter 11, "Passwords and Other Authentication MechanismsThe Last Line of Defense."

    • The account will not work properly in some command-line situations. Cmd.exe is Unicode internally but uses the OEM character set for parsing batch files. Therefore, although you can set a password with a Unicode character using net user or passgen.exe, you cannot set or use that password in batch files. Batch files are always parsed as ANSI files using the OEM character set. If you enter one of these characters in a batch file, it will be converted into some roughly equivalent OEM character set symbol. Obviously, that symbol does not match the Unicode symbol used in the password and use of the password will fail. That also means that you should never attempt to set passwords using batch files , particularly not if they have Unicode symbols in them. Calling a tool that generates a password, such as passgen, will work as expected. However, specifying the password using net user, for instance, will cause unexpected results. The passwords will set, but will be set using a relatively unpredictable character set dependent entirely on the locale of the system where the batch file was created. For example, if you use character code 0128 in your password and enter that character in a batch file, it will be interpreted as character 128 by a system using the Western European (Windows) character set. The same behavior may be encountered with other command-line tools, although if they receive stdin directly from cmd.exe they should work fine.

The -c switch is used to change or reset a password on an existing account, where the account is specified in the account name parameter. Although you must pass an account name parameter if you use the -c switch, you may optionally also pass in a new password. If you just specify the -c switch with only an account name, the tool will attempt to reset the user's password. This will cause loss of all data encrypted with EFS or any other application that calls the crypto API, such as the stored user names and passwords feature of IE and the shell . To avoid data loss, specify the old password, in which case the tool will attempt to change the user's password instead, retaining access to the data. If the tool fails to change the password using the old password, it will fail the entire password-change operation. The tool will not attempt to reset a password if an old password is specified.

If the user running the tool does not have the right to change or reset the password, whichever is specified, the tool returns an error. As with the pass phrase parameter, the old password parameter may not be a two-character string beginning with a or / . If you want to reset the local administrator account and the account has been renamed, you may specify the token 500 (from the relative identifier [RID] for that account) as the account name. In this case, the tool will dynamically determine the name of the renamed administrator account on each system to allow you to change the password no matter what the account is named. This feature is provided as a convenience only; there is little or no valid security reason to rename the administrator account.

NOTE: If you specify 500 as the account name and expect to change the password for the domain administrator account, you must specify a domain controller as the machine name. It will always resolve the administrator name on the machine specified in machinename or locally if there is no machine specified.


The m switch specifies the machine or domain to perform the password change operation on. If the m switch is omitted, the local machine is used. If the m switch is specified, a machine or domain name must be specified. In addition, the m switch may not be used without the c switch. You must specify an account to change if you specify a machine or domain to change the account password on. If you specify an IP address rather than a machine name, the tool will resolve the machine name under some circumstances (for example, if you specify 500 as the account name, or if you try to change the password, as opposed to reset it, the tool will need to resolve the machine name, but it will only do so if needed). However, if you have a prior connection to the IP address, not to the machine name, the tool may fail with an access- denied error if it cannot resolve the machine name. For instance, if you make a connection using net use \\192.168.1.2 , where 192.168.1.2 really is the machine MyServer, and then run passgen specifying MyServer as the machine name, the tool will try to connect to MyServer. This may fail with an access denied because you have not specified credentials to MyServer, you specified them to the IP address.

The d switch is used only for managing service accounts. If the d switch is used, a service name and an account name must be specified. The tool will in this case configure the service to start using the account specified in the account name parameter using the generated password. Before the password is updated, the tool will stop the service, if it is running. After the password is updated, the tool will restart the service if it was already running. If the account does not have the SeServiceLogonRight privilege, this privilege will be added to the account prior to starting the service. In addition, on Windows Server 2003, Windows XP, and Windows 2000 Service Pack 4 and higher, the account will automatically receive the SeDenyInteractiveLogonRight, SeDenyNetworkLogonRight, and SeDenyRemoteInteractiveLogonRight account rights on the system where the service is configured. This means that the account specified to start the service will no longer be able to log on interactively, via the network, or via Terminal Services. In other words, it will now be a true service account.

It is important to understand the implications to the service startup type when changing the service account password. The service startup type is the process context that the service starts in. Most system services (those that start in LocalSystem, LocalService, or NetworkService) share a process. The tool does not change the startup type of the service. In other words, if the service is currently running as a system account and you are configuring it to run as a user, the service will still be set to start as a shared service if that was how it was originally configured. If it is the only service running in that account, the effect is that it will still be running in its own service. However, if it is set to run as a shared service, it will fail to restart because it is now running in a different context from all the other services in that process. Although the passgen tool could change the startup context for the service, it does not do so because a service that is starting up in a shared process will most likely not function properly anyway unless all the other services in that process are present. Hence, the tool generates an error earlier than would otherwise be the case if the service were allowed to start and then could not operate properly. If you want to configure the service to run in a different shared process, or in its own process, you would need to use the SC tool to do so. Note here that this means that passgen will not work properly with Windows NT 4.0 and earlier. Those operating systems allow only system services to run in a shared process and will throw an error if you try to configure a service starting as a normal user in a shared process.

Using the h switch, you can prevent the tool from echoing the new password to the screen. This would obviously not be very useful when you want to generate a password for personal use, for example, on a Web site. However, if you are trying to change the password on a service account, there may be no need to know what the password is. The same is true if you are trying to prevent people from using an account by setting a very complicated password on it. Keep in mind, however, that if you do not know what the password is, you must reset the password, with associated data loss. Of course, because the password in this case is based on the input parameters, you can always see what the password is by just running the tool with the g switch and the original parameters.



Protect Your Windows Network From Perimeter to Data
Protect Your Windows Network: From Perimeter to Data
ISBN: 0321336437
EAN: 2147483647
Year: 2006
Pages: 219

Similar book on Amazon

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net