Protect Your Windows Network: From Perimeter to Data
There are a number of valid usage scenarios for the tool. This section describes some of them.

Scenario 1: Generating or Retrieving a Deterministic Password

passgen -g <system name> <pass phrase>
In this case, the tool is just used as a password manager for some system. For instance, suppose you want to have a different password on each Web site you go to. Use the name of the Web site as <system name>, and the tool will give you a password for that site. Should you need to tweak the character set (say, if the site does not support all symbols) or the length, use the -e and/or -l options. This command can also be used to retrieve the password for a site or system that you have previously generated a password for. Used this way, the tool obviates the need for writing down the passwords. Should you want to make it portable, just put the tool on a USB thumb drive and carry it with you. You can then retrieve the password on any system with a USB port.

Scenario 2: Setting the Administrator Password
passgen -g <machine name> <pass phrase> -c Administrator -m <machine name> -h
In this case, the tool is used to set the administrator password on a single machine. The -h switch is used because in -g mode we can easily retrieve the password later using just the -g switch, the identifier, and the pass phrase. There is one problem here: To change the password for the account later, you need to invent a new pass phrase. If you have used the same pass phrase to generate the Administrator password on many machines, you would need to change the password on all of them to maintain a common pass phrase; otherwise, you would defeat the purpose of the tool. To rectify that situation, we go to Scenario 3.

Scenario 3: Setting an Indexed Administrator Password
passgen -g <machine name>_1 <pass phrase> -c Administrator -m <machine name> -h
Here we use _1 as an index appended to the identifier. This is so that we can cycle passwords on machines. For instance, suppose you manage 50,000 desktops and you need to give a contractor the administrator password on one of them. After the contractor leaves, you probably want to reset the password on that machine. There are two ways to get a new password. One is to change the pass phrase, but unless you reset the passwords on all 50,000 machines, that defeats the purpose of the tool, and resetting the password on 50,000 machines would be overkill to say the least. The other option is to maintain a file that contains machine identifiers with index numbers. This could be a simple text file, although it probably would be easier to do so in a Microsoft Excel spreadsheet. Keep the machine names in one column and the index in a second column. The index simply keeps track of which password in the sequence you are currently using for a particular machine. As you generate new passwords for the machine, you increment the index in the spreadsheet. Although you should probably protect the file with the machine IDs, the secret is the pass phrase, not really the machine ID. Even if an attacker manages to get hold of both the tool (which is not too difficult) and the list of machines, the attacker would still need the pass phrase to generate the passwords. As long as the pass phrase is not stored (or at least not stored so that an attacker can get to it), it is OK to keep these machine IDs in a file. Just keep this in mind: Do not store the pass phrase on any networked system or anywhere else where an attacker can get to it.

Scenario 4: Resetting the Administrator Password on a Large Number of Machines
If you want to cycle all the passwords on all machines, copy the first column of the spreadsheet to a text file (call it machines.txt for now) and run this command:

for /f %m in (machines.txt) do passgen -g %m_1 <new pass phrase> -c Administrator -m %m -h
This resets the administrator password on all those machines. Should you instead want to change the password, you would need to play around with the syntax a little. Let us go to Scenario 5.

Scenario 5: Changing the Administrator Password on a Large Number of Machines
To change the password as opposed to resetting it, you need the old password. If you currently have the same password on all the machines, this is easy. Just type it in column D of your Excel spreadsheet and copy that column down to all the machines. If you have previously used the passgen tool to generate and set passwords on all these machines, you have to first retrieve the old password. To retrieve the old password, create a list of the current machine identifiers and indices. You can do that by putting this formula in column C of your Excel spreadsheet: =A1&"_"&B1. Copy column C to machineAndIndex.txt. Then run this to generate a list of the passwords:

for /f %m in (machineAndIndex.txt) do passgen -g %m <old pass phrase> >> passwords.out
Copy the output in passwords.out to column D in the Excel spreadsheet, ensuring that the rows line up with the rows for the machine names. Next create a new column E that contains the formula =A1&" "&D1, where A is the column with the machine identifier and D is the column with the old password. Copy column E to a text file called machines.txt and then run the following:

for /f "eol=; tokens=1,2 delims=, " %i in (machines.txt) do passgen -g %i <new pass
This will take token 1 (the machine name) and use it as variable i, and token 2 (the old password) and use it as variable j, to change the password on the Administrator account instead of resetting it. You can easily construct similar scenarios using the -r and -s modes. In -r mode, you probably want to print the password to a file, however. Make sure you manage that file properly. It is a little bit of work to create these command lines, but it works well (although it is a bit slow). For a future version of the tool, we might add file parsing and old password computation. Who said you do not have a usable command line on Windows?
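The following Python model is an added example and is not passgen's own code or algorithm. It shows the mechanics behind Scenarios 1 through 5: a deterministic password derived from (identifier, pass phrase), the _<index> suffix that lets one machine's password be cycled without touching the pass phrase, and the way the for /f loop in Scenario 5 tokenises each line of machines.txt. The derivation (PBKDF2-HMAC-SHA256 keyed by the pass phrase and salted with the identifier, expanded onto a character set) is an assumed stand-in for whatever passgen actually does, the character set and machine names are constructed, and the index dictionary stands in for the spreadsheet. It also checks a caveat the text implies but does not state: because the loop uses delims=, (comma and space), an old password containing either character would be split and only the fragment before the delimiter would reach the tool, so the chosen character set must exclude both.

```python
import hashlib
import hmac
import re
import string

# Constructed character set for this example; passgen's default set and its
# -e/-l options are not reproduced here. Note it contains no ',' or ' '.
DEFAULT_CHARSET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

# The for /f options used in Scenario 5: eol=; tokens=1,2 delims=,<space>
FOR_F_EOL = ";"
FOR_F_DELIMS = ", "


def derive_password(identifier: str, pass_phrase: str, length: int = 14,
                    charset: str = DEFAULT_CHARSET) -> str:
    """Deterministic password for (identifier, pass phrase).

    Assumed construction, not passgen's real algorithm: PBKDF2-HMAC-SHA256 with
    the pass phrase as the secret and the identifier as the salt, then an HMAC
    counter stream mapped onto the character set with rejection sampling so
    that every character of the set is equally likely.
    """
    if not identifier or not pass_phrase:
        raise ValueError("identifier and pass phrase must both be non-empty")
    key = hashlib.pbkdf2_hmac("sha256", pass_phrase.encode("utf-8"),
                              identifier.encode("utf-8"), 100_000)
    limit = 256 - (256 % len(charset))  # bytes >= limit would bias the modulo
    out, counter = [], 0
    while len(out) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
        for b in block:
            if b < limit:
                out.append(charset[b % len(charset)])
                if len(out) == length:
                    break
    return "".join(out)


def indexed_identifier(machine: str, index: int) -> str:
    """Scenario 3's '<machine name>_<index>' (the spreadsheet formula =A1&"_"&B1)."""
    return f"{machine}_{index}"


def rotate_password(index_file: dict, machine: str, pass_phrase: str) -> tuple:
    """Bump one machine's index and return (old password, new password).

    index_file stands in for the spreadsheet: machine name -> current index.
    The pass phrase stays the same, so only this machine's password changes.
    """
    current = index_file[machine]
    old = derive_password(indexed_identifier(machine, current), pass_phrase)
    index_file[machine] = current + 1
    new = derive_password(indexed_identifier(machine, current + 1), pass_phrase)
    return old, new


def for_f_tokens(line: str, tokens=(1, 2), delims=FOR_F_DELIMS, eol=FOR_F_EOL):
    """Approximate how cmd's for /f splits one line of machines.txt.

    Empty lines and lines beginning with the eol character are skipped (None).
    A run of delimiter characters counts as one separator, and a token that is
    missing expands to an empty string, as the loop variable would in cmd.
    """
    line = line.rstrip("\r\n")
    if not line or line[0] == eol:
        return None
    fields = [f for f in re.split("[" + re.escape(delims) + "]+", line) if f]
    return tuple(fields[t - 1] if t <= len(fields) else "" for t in tokens)


def machines_txt_line(machine: str, old_password: str, delims=FOR_F_DELIMS) -> str:
    """Build the '<machine> <old password>' line (the formula =A1&" "&D1).

    Refuses a password containing a delimiter: for /f would split it and pass
    only the part before the delimiter as %j, so the change would fail.
    """
    if any(ch in delims for ch in old_password):
        raise ValueError(f"old password for {machine} contains one of "
                         f"{delims!r}; regenerate with a character set "
                         "that excludes those characters")
    return f"{machine} {old_password}"


def plan_changes(machines_txt: str) -> list:
    """Parse a whole machines.txt as the loop would, giving (machine, old password) pairs."""
    parsed = (for_f_tokens(line) for line in machines_txt.splitlines())
    return [p for p in parsed if p is not None]


if __name__ == "__main__":
    PHRASE = "correct horse battery staple"   # constructed; never store it on disk
    index_file = {"wks001": 1, "wks002": 1}   # constructed spreadsheet contents
    old, new = rotate_password(index_file, "wks001", PHRASE)
    print("wks001 old:", old, "new:", new, "index now:", index_file["wks001"])
    print("wks002 unchanged:", derive_password(indexed_identifier("wks002", 1), PHRASE))
    text = "\n".join(machines_txt_line(m, derive_password(indexed_identifier(m, i), PHRASE))
                     for m, i in index_file.items())
    print(plan_changes("; constructed header line\n" + text))
```

Running the file rotates wks001 from index 1 to 2 while wks002 keeps its password, then builds and re-parses a machines.txt the way the Scenario 5 loop would read it. The delimiter check in machines_txt_line is the part worth keeping even if the rest is discarded: any real tool that emits symbols into a file consumed by for /f needs its character set reconciled with the loop's delims.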