Mass change passwords on service and scheduled tasks

Jordan

We have a few services that need to run under an Admin account. Also, some
scheduled tasks. It is a real pain to go to change the account password, go
to each service that starts up with that account, change it there as well,
then go to each scheduled task and change the password there as well.

Is there something that can mass change the account password, scheduled
tasks, and services in one shot? If so, how about across multiple servers?
 
Phillip Windell

My technique is to never use the Admin account for things like this, but
create special accounts for these services,...and then give them very
complex passwords and then I rarely change them. Since these account
passwords are not "known" by any humans because no one is actually actively
using them on a daily basis, the passwords are at less of a risk than
passwords that humans have memorized and use daily (like the Admin account).

I don't know of any way or any tools that can be used as you are
asking,...maybe someone else around here knows.


--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
 
Jordan

Actually, that is exactly what I do as well. Unfortunately, we are subject
to the SOX audits each year and they will rate us as "non-compliant" if we
do not change the passwords on all accounts every 90 days.

I can get away with changing this special account password just a few weeks
before the yearly audit and no one is the wiser, but that still is a task
even once a year. It is not so much the work involved as much as it is
messing it up by forgetting something or mistyping the password on the
service startup or the scheduled tasks.
 
Phillip Windell

Jordan said:
Actually, that is exactly what I do as well. Unfortunately, we are subject
to the SOX audits each year and they will rate us as "non-compliant" if we
do not change the passwords on all accounts every 90 days.

You misunderstand SOX. We were under that too until we were bought by a
different Parent Company that doesn't fall under SOX.

SOX does not demand a password change,...in fact SOX dictates next to
nothing about "specific" IT tasks. What they do is verify that you follow
proper IT Policy that is established by *you*. So it is simply them
making sure that you do what you said you would do.

So the company needs to establish a more specific password policy. Do not
say "We will change all passwords...." because SOX will insist you change
all passwords,...you need to say "We will change all passwords *but*....."
and they will make sure that you do what you say and "Change all passwords
*but*...".

The primary thing SOX tries to accomplish is this:

1. Job Positions have specific duties and do not cross certain boundaries
with certain other jobs. This is primarily to prevent things like
embezzlement and other white-collar crime. For example a Sales person can
create a "order" but cannot approve the order,...while a Sales Manager can
approve an order but cannot create an order.

2. Business critical data is to be protected. But it does not dictate the
specific tasks of *how* it is protected. It is the responsibility of the
Company to "create" the tasks and the means to protect its data (without
shooting themselves in the foot),...and then the Auditors make sure that
the company follows the "tasks and the means" that they said they would
follow. So the moral of that story is: "Don't make promises you can't
realistically keep". Think through the full ramifications of the policies
that the Company puts in place,...the auditors will expect you to follow
your policies.

So if the Company needs to "perfect" their policies,...then they need to get
their policies "perfected".

If you look up and actually read the SOX act you will find it to be very
short and that it says very little. I do not believe the words "computer"
or "password" are even mentioned once.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Phillip Windell

Here's an example of a set of Password Policies that you can "promise" to
the SOX auditors.

Policy #1: We will force a password change of Accounts that represent
employees every 60 days

Policy #2: We will force a password change of maintenance accounts that do
not represent employees (eg. Administrator accounts) every 120 days. (or
whatever you choose).

Policy #3: We will enforce stronger password complexity for Service Accounts
not used for employee logins. Accounts will not have a forced password
change policy (or you could force an Annual change every 365 days).

Then SOX auditors would expect you to follow these policies.

In other words be more specific in your "promises" and be careful not to
shoot yourself in the foot. If you feel it will take an "act of congress"
to alter the policies that have been set then,...that is no excuse to not do
it,...it just means "congress" needs to get busy and do a better job on the
second try.

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Pegasus (MVP)

Jordan said:
We have a few services that need to run under an Admin account. Also,
some scheduled tasks. It is a real pain to go to change the account
password, go to each service that starts up with that account, change it
there as well, then go to each scheduled task and change the password
there as well.

Is there something that can mass change the account password, scheduled
tasks, and services in one shot? If so, how about across multiple servers?

You can change the password for scheduled tasks with this
batch file. Using psexec.exe (www.sysinternals.com) would
allow you to execute it on any machine while sitting at your
console. However, as Phillip said, you should use a dedicated
account for your scheduled tasks.

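@echo off
rem Set the new password for the account the tasks run under.
set Password=supercalifragilistic
rem Legacy scheduled tasks are stored as .job files in this folder.
cd /d "%SystemRoot%\tasks"
for %%a in (*.job) do call :ChangePW %%a
goto :eof

:ChangePW
rem Rebuild the task name from the file name and strip the ".job" extension.
set TaskName=%*
set TaskName=%TaskName:~0,-4%
SCHTASKS /Change /RP "%Password%" /TN "%TaskName%"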
 
Jordan

Thanks. That gets me half way there on the Tasks. Can PSExec also do that
for Services?
 
Jordan

Thank you for your input. Unfortunately SOX regulations are still very
subjective and it depends on who your auditing company is (KPMG for us), who
the auditor is, and who their supervisor is. This is why SOX SUX.
Generally we must make a reasonable policy and SOX mostly makes sure you are
following your own policies.

But SOX is not a system like ISO9000 where you can say that you make crappy
stuff and you make sure you follow the instructions to the letter on that
crappy stuff you make. Reasonable efforts must be made to secure the
company's security and data. But what is reasonable in whose eyes?

For example, I could create a policy that says I only backup once a week,
but is it very reasonable for them to conclude that it is deficient because
if the server crashed it would cost $X in either lost productivity or
revenue or whatever? This is too much exposure in their opinion no matter if
I think that $X is reasonable (I do backup daily).

On passwords I can easily argue that simply having a 3 attempt lockout in
itself is more than ample protection against any possible password hack.
There is no difference in Joe telling someone or writing under his keyboard
that his password is "9732" or "L+26h!q".

Although a lot of people can get hacked one way or another it is very rare
that a password cracker is the means by which they gain access so complex
passwords and regular changes are mostly a "feel good" way of ineffectively
countering the most common security threats to IT. Most of the time it is
deliberate like a current or former employee selling secrets. Sometimes it
is a trojan that can just as easily monitor you typing "9732" or "L+26h!q".
And a lot of times it is just someone calling up on the phone and your
employees are chatter boxes.
 
Phillip Windell

Jordan said:
Although a lot of people can get hacked one way or another it is very rare
that a password cracker is the means by which they gain access so complex
passwords and regular changes are mostly a "feel good" way of ineffectively
countering the most common security threats to IT. Most of the time it is
deliberate like a current or former employee selling secrets. Sometimes
it is a trojan that can just as easily monitor you typing "9732" or
"L+26h!q". And a lot of times it is just someone calling up on the phone
and your employees are chatter boxes.

I agree with that!

--
Phillip Windell
www.wandtv.com

The views expressed, are my own and not those of my employer, or Microsoft,
or anyone else associated with me, including my cats.
-----------------------------------------------------
 
Pegasus (MVP)

It's not psexec.exe that does the job in my suggestion - it's
schtasks.exe. I do not know any command that lets you change
the password for services but perhaps your search will turn up
something. If so then you could use psexec.exe once more to
launch this command on remote machines.
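
Added example, not part of any post in this thread: a PowerShell sketch that updates the stored logon password on every service and scheduled task running as one account, across several servers. It assumes Windows Server 2012 or later with WinRM enabled and the ScheduledTasks module; the server names and the account CONTOSO\svc-batch are placeholders, and the account name is matched exactly as each machine stores it.

```powershell
# Added example (not from the thread). Server and account names are placeholders.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string[]]$ComputerName = @('SERVER01', 'SERVER02'),   # placeholder servers
    [string]$Account = 'CONTOSO\svc-batch'                  # placeholder account
)

# Prompt for the new password so it is never stored in the script or in history.
$cred  = Get-Credential -UserName $Account -Message 'New password for this account'
$plain = $cred.GetNetworkCredential().Password
$short = $Account.Split('\')[-1]   # task principals may store the name without the domain

$results = foreach ($computer in $ComputerName) {
    $session = New-CimSession -ComputerName $computer -ErrorAction Stop
    try {
        # Services: Win32_Service.StartName is the logon account (backslash escaped for WQL).
        $filter = "StartName = '{0}'" -f $Account.Replace('\', '\\')
        foreach ($svc in Get-CimInstance -ClassName Win32_Service -Filter $filter -CimSession $session) {
            if ($PSCmdlet.ShouldProcess("$computer service $($svc.Name)", 'Set logon password')) {
                $r = Invoke-CimMethod -InputObject $svc -CimSession $session -MethodName Change `
                        -Arguments @{ StartName = $Account; StartPassword = $plain }
                [pscustomobject]@{ Computer = $computer; Kind = 'Service'; Name = $svc.Name
                                   Succeeded = ($r.ReturnValue -eq 0) }
            }
        }
        # Scheduled tasks whose principal is the same account.
        $tasks = Get-ScheduledTask -CimSession $session |
                 Where-Object { $_.Principal.UserId -in $Account, $short }
        foreach ($task in $tasks) {
            $label = $task.TaskPath + $task.TaskName
            if ($PSCmdlet.ShouldProcess("$computer task $label", 'Set stored password')) {
                $ok = $true
                try {
                    Set-ScheduledTask -CimSession $session -TaskPath $task.TaskPath -TaskName $task.TaskName `
                        -User $Account -Password $plain -ErrorAction Stop | Out-Null
                } catch { $ok = $false }
                [pscustomobject]@{ Computer = $computer; Kind = 'Task'; Name = $label; Succeeded = $ok }
            }
        }
    } finally {
        Remove-CimSession -CimSession $session
    }
}
# Review failures before relying on the rotation; nothing here restarts a service.
$results | Sort-Object Computer, Kind, Name | Format-Table -AutoSize
```

Run it with -WhatIf first to list what would be touched. The account's own password still has to be changed in the directory separately, and a running service keeps its old logon until it is restarted.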