In my last post, I gave some advice on how to manage the built-in administrator account on desktops in a corporate network. Today, I will introduce a great tool, passgen, that was originally published in Steve Riley and Jesper Johansson’s book Protect Your Windows Network. Passgen has been available as a free download for some time now, and I think it can be of great help to secure the desktops in your network.

As I outlined in my previous post, using unique passwords for local administrators on all machines greatly improves security. Passgen is a command line tool that allows you to do just that remotely. All you need is a text file that contains a list of all computers in your network. Another option is to run the tool in a startup script.

The main idea of the tool is to create a unique password by using an identifier and a pass phrase. The identifier is just the computer name, which you can import from a text file. This part will always be the same whenever it is time to set a new password on all your machines. The pass phrase is the variable part, which you can change the next time you reset the password.

This command will generate a password and display it on the screen:

passgen -g <identifier> <pass phrase> -c <account name>

To change the password for an account, you would run this command:

passgen -g <identifier> <pass phrase> -c <account name> -m <machine name> -h

The <machine name> and the <identifier> will be the same in most cases. The optional parameter -h prevents the password from being printed on the screen.

This command imports the computer names from machines.txt and changes the password of the Administrator account on all these computers:

for /f %m in (machines.txt) do passgen -g %m myverysecretpassphrase -c Administrator -m %m -h

Please choose a better pass phrase than mine. Whenever you have to log on with a local admin account (preferably not the built-in Administrator account), you run passgen with the machine's name and the pass phrase to regenerate the password. The advantage of this method is that you don't have to store the passwords anywhere. However, this might not be practicable in some environments.

Another option is to work with random passwords. For this you can use passgen's parameter -r. This is the recommended method if you don't intend to use the password at all (for example, if you just want to set a unique password for the built-in Administrator account):

for /f %m in (machines.txt) do passgen -r -c Administrator -m %m -h

However, if you really want to be able to log on using the Administrator account (or preferably another account with local admin rights), then you have to store the passwords in a text file:

for /f %m in (machines.txt) do passgen -r -c Administrator -m %m >> passwords.txt
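The two approaches above, deriving each machine's password from identifier plus pass phrase and generating a random one per machine, are worth seeing side by side in code. The following script is an added example written for this post, not passgen itself, and the derivation it uses (PBKDF2-HMAC-SHA256 with the computer name as salt, expanded into an unbiased character stream) is my own stand-in, since the post does not describe passgen's internal algorithm. The machine list and account name are constructed sample values. It walks the inventory the way the for /f loop does and shows the property the post relies on: the same computer name and pass phrase always reproduce the same password, any other machine or any other pass phrase gives an unrelated one, and in random mode nothing can be reproduced, so the output must be kept.

```python
import hashlib
import hmac
import secrets
import string
from typing import List, Optional, Tuple

# Constructed stand-in for machines.txt (assumption: one computer name per line).
MACHINES_TXT = """WS-ACCT-01
WS-ACCT-02
WS-HR-01
"""

# Character set used for generated passwords (assumed; passgen's -e option selects its own sets).
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@_"


def _expand_to_password(key: bytes, length: int, alphabet: str) -> str:
    """Turn a derived key into `length` characters from `alphabet` without modulo bias.

    HMAC-SHA256 in counter mode yields a byte stream; bytes that would wrap the
    alphabet unevenly are rejected, so every character is equally likely.
    """
    limit = 256 - (256 % len(alphabet))
    chars = []
    counter = 0
    while len(chars) < length:
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
        for b in block:
            if b < limit:
                chars.append(alphabet[b % len(alphabet)])
                if len(chars) == length:
                    break
    return "".join(chars)


def derive_password(identifier: str, passphrase: str, length: int = 16,
                    alphabet: str = ALPHABET) -> str:
    """Deterministic per-machine password: same (identifier, pass phrase) -> same password.

    The computer name is the salt, so two machines sharing a pass phrase still get
    unrelated passwords; changing the pass phrase re-keys every machine at once.
    """
    if not identifier.strip() or not passphrase:
        raise ValueError("identifier and pass phrase must be non-empty")
    # Case-fold the name so WS-ACCT-01 and ws-acct-01 regenerate the same password.
    salt = identifier.strip().upper().encode("utf-8")
    key = hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, 100_000, dklen=32)
    return _expand_to_password(key, length, alphabet)


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Random per-machine password (the -r mode): not reproducible, so it must be recorded."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def build_password_list(machines_txt: str, passphrase: Optional[str],
                        account: str = "Administrator") -> List[Tuple[str, str, str]]:
    """Walk the inventory like the for /f loop and produce (machine, account, password) rows.

    With a pass phrase the passwords are derived; with None they are random.
    Blank lines and '#' comments in the inventory are skipped.
    """
    rows = []
    for line in machines_txt.splitlines():
        name = line.strip()
        if not name or name.startswith("#"):
            continue
        pw = derive_password(name, passphrase) if passphrase else random_password()
        rows.append((name, account, pw))
    return rows


if __name__ == "__main__":
    # Derived mode: nothing to store, regenerate on demand from name + pass phrase.
    for machine, account, pw in build_password_list(MACHINES_TXT, "correct horse battery staple"):
        print(f"{machine}\t{account}\t{pw}")
    # Random mode: this output is the only copy, equivalent to '>> passwords.txt'.
    for machine, account, pw in build_password_list(MACHINES_TXT, None):
        print(f"{machine}\t{account}\t{pw}")
```

Feeding the derived rows to whatever sets the local account password is the part passgen does for you with -m; the script only shows how the password itself is produced. Note the dependency the post points out: in derived mode the pass phrase is the single secret behind every machine password, which is why it must be chosen well and why rotating it means resetting the whole fleet.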

passwords.txt will contain the list of all machines with their passwords. It is okay to save all passwords in a file if you encrypt it and keep it in a safe place. I recommend storing the file on a memory stick using TrueCrypt. Don’t store the file on a PC with network access! If you want more security, you can encrypt the file with LockNote in addition to TrueCrypt. However, you should then use two different pass phrases for TrueCrypt and LockNote. I also recommend reading my article about encrypting a memory stick.

passgen supports a few other useful parameters:

-l: password length

-e: character set (upper- and lowercase, alphanumeric characters, etc.)

-d: for managing service accounts

-s: for setting a specific password rather than generating one

Passgen’s manual explains all these parameters in detail.
