AD Startup Script Containing Password

Baboon

Hello -

I have a batch file that runs a dsmove command that needs authentication of
a user that has control of 2 very small OUs. I happen to be that user, so
the batch file contains my password. I want to run this as a machine startup
script. For testing, I temporarily put this in the respective subfolder of
Sysvol and I removed my password after every testing session. However, I
also changed the permissions to the batch file to:
System - Full
Me - Full
Domain Computers - Full
Enterprise Domain Controllers - Full

I realize a Domain Admin would be able to give him/herself access if they wanted
to. Other than that, is there any risk with the above permissions? I don't
see how there could be, but I may be missing something.

By the way, before putting this into production, I will delegate control of
the OUs to a service account and use those credentials in the batch file
instead of mine.

Thanks.
 
Roger Abell [MVP]

If I am aware that the script exists then I can simply start up
cmd running in the local system context and then net use to
map sysvol and get a copy of your batch file. Anyone with
admin or power user login at any domain joined machine
would be able to do that.

Roger

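Roger's point generalises: any principal that can read a script in SYSVOL, including every machine account via Domain Computers, can recover a password embedded in it. The following PowerShell script is an added example, not code from the thread, that walks the domain's SYSVOL share, flags scripts carrying command-line credentials (dsmove/dsadd "-p", "net use" passwords, password= literals) and lists who can read each one. It assumes the share is reachable at \\<domain>\SYSVOL\<domain> and that the regular expressions are heuristics to be tuned for your own scripts.

```powershell
# Added example (not from the original thread): find SYSVOL scripts that
# embed credentials and report the identities allowed to read them.
# Assumption: run on a domain-joined host; SYSVOL is at \\<domain>\SYSVOL\<domain>.

$domain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
$root   = "\\$domain\SYSVOL\$domain"

# Heuristic patterns for passwords placed on a command line:
#   ds* tools:   dsmove <dn> -newparent <dn> -u <user> -p <password>
#   net use:     net use \\server\share <password> /user:<dom\name>
#   literals:    password=..., pwd:..., passwd=...
$patterns = @(
    '(?i)\s-u\s+\S+\s+-p\s+\S+',
    '(?i)net\s+use\s+\\\\\S+\s+(?!/)\S+',
    '(?i)(password|pwd|passwd)\s*[=:]\s*\S+'
)

Get-ChildItem -Path $root -Recurse -Include *.bat, *.cmd, *.vbs, *.ps1 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $hits = Select-String -Path $_.FullName -Pattern $patterns -AllMatches
        if ($hits) {
            # Anyone with Read (or Full) on the file gets the password. Domain Computers
            # here means "anyone who is SYSTEM on any domain-joined machine".
            $readers = (Get-Acl -Path $_.FullName).Access |
                Where-Object {
                    $_.AccessControlType -eq 'Allow' -and
                    ($_.FileSystemRights -match 'Read|FullControl')
                } |
                ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique

            [pscustomobject]@{
                Script  = $_.FullName
                Lines   = ($hits | ForEach-Object { $_.LineNumber }) -join ','
                Readers = $readers -join '; '
            }
        }
    } | Format-Table -AutoSize -Wrap
```

Treat any row whose Readers column contains Domain Computers, Authenticated Users or Everyone as an exposed credential: the ACL Baboon describes would show up exactly that way.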
 
Baboon

Right. I should have thought of that. All you would have to do is to get a
machine to do the work for you. For example, a scheduled task of a batch
file that simply uses the copy command to copy the batch file to the local
machine, running as System.

Thanks for pointing that out.

 
Morgan che

Dear customer,

Thanks for your posting here.

Officially, it is not recommended to run a batch file with your credentials
as a startup/logon script. It may disclose your password. As you know, other
users may get it by accessing the batch file. Even though all users
accessing this batch file are trustworthy, password transmission in
clear text also has exposure risk.

If this task is necessary, you can write an application which encrypts your
credentials in a more secure way. Or you can consider other methods to
avoid exposing your credentials in the production environment.

Hope this helps. If there is anything unclear, please feel free to let me
know.

Have a nice day!

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
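One concrete form of the "encrypt your credentials" suggestion above, written here as an added example rather than anything from the thread or from Microsoft, is to store the service account's password with DPAPI and perform the OU move through System.DirectoryServices instead of putting the password on a dsmove command line (where it is also visible to anyone who can list process command lines). The account name CONTOSO\svc-oumove, the credential file path and the two distinguished names are hypothetical; the script assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original thread). DPAPI-protected credential
# file plus an LDAP move via DirectoryEntry, as a replacement for
# "dsmove ... -u <user> -p <password>" in a batch file.
# Hypothetical values: CONTOSO\svc-oumove, C:\ProgramData\OUMove\svc-oumove.cred,
# the source object DN and the target OU DN.

param(
    [switch]$Setup   # run once, interactively, AS THE IDENTITY that will run the task
)

$CredFile = 'C:\ProgramData\OUMove\svc-oumove.cred'

if ($Setup) {
    New-Item -ItemType Directory -Force -Path (Split-Path $CredFile) | Out-Null

    # Export-Clixml wraps the password in a SecureString protected with DPAPI in
    # user scope: only this Windows account, on this machine, can unprotect it.
    Get-Credential -UserName 'CONTOSO\svc-oumove' -Message 'Service account password' |
        Export-Clixml -Path $CredFile

    # Restrict the file to the writing account and SYSTEM (defence in depth; DPAPI
    # already stops other accounts from decrypting it).
    icacls $CredFile /inheritance:r /grant:r "${env:USERDOMAIN}\${env:USERNAME}:(R)" 'SYSTEM:(R)' | Out-Null
    return
}

# Runtime: fails with a DPAPI error if run as any other account or on another machine.
$cred     = Import-Clixml -Path $CredFile
$userName = $cred.UserName
$password = $cred.GetNetworkCredential().Password

$objectDn   = 'CN=WS01,OU=Staging,DC=contoso,DC=com'   # hypothetical object to move
$targetOuDn = 'OU=Deployed,DC=contoso,DC=com'          # hypothetical destination OU

# Bind with explicit credentials; the password stays in this process's memory
# and never appears in a command line or a script file.
$obj    = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$objectDn",   $userName, $password)
$target = New-Object System.DirectoryServices.DirectoryEntry("LDAP://$targetOuDn", $userName, $password)
$obj.MoveTo($target)   # same effect as dsmove <dn> -newparent <ou>
```

Two caveats. Because the file is DPAPI-protected in user scope, it must be created by the same identity that later runs the script; if that is a machine startup script running as LocalSystem, the setup step has to be executed as SYSTEM on that particular machine. And this only narrows the exposure Roger described, it does not remove it: an administrator of that machine can still run code as the same identity and decrypt the file, so the set of people who can obtain the password is the set of local administrators on the machines that hold the file.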
 
Baboon

Thanks.
We have changed things a bit:

We will use a service account for this purpose only.
That account will have its credentials in the batch file instead of a real
user's credentials.
We will still use a startup script sitting in sysvol, but it will only call
the aforementioned batch file.
The batch file will sit on a file server to which no users other than myself
have access, and to which only about 4 computers at a time (via group
membership) will have access.
Those computers will not be used by anyone other than the 6 of us who will
be doing the deployments.

 
Morgan che

Dear Customer,

Thanks for your feedback and additional comments.

It is my pleasure to work with you on this issue. Hope to hear from you
again in newsgroup.

Regards,

Sincerely
Morgan Che
Microsoft Online Support
Microsoft Global Technical Support Center

Get Secure! - www.microsoft.com/security
=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.
