Open cluck opened 6 years ago
Hello,
You are absolutely right.
On the other hand Winadminpassword is not a security-oriented tool but rather a simplification of the administration. Indeed, rather than manage a database of passwords that will never be up to date and difficult to secure, I prefer to manage a unique key and algorithm for creating the password. On the security aspect, I have only to take care of the protection of this unique key and the algorithm.
How do you configure your administration accounts (BIOS, GNU Linux / root BSD, Windows administrator etc.)? Do you deploy the same everywhere? Do you use Microsoft LAPS (Active Directory only, and not yet Azure AD)?
Many thanks for your issue, because it is very important to remember that Winadminpassword is not security oriented, and just a tool for sysadmins who have to think about managing security around the key.
Regards,
Nicolas
This is the same as having the same password on all machines. The weak spot of this design is that you're going to broadly distribute the central secret on which everything depends on, plaintext. Thus the final passwords are all related to each other, and trivial to compute. You either have to chat with a server or seed all system images and build scripts individually. Otherwise it is pure obfuscation, not security.
A well protected central database with independent passwords is way more secure. This is what Kerberos is about, and it comes in every mayor Domain Controller product like Samba 4, Active Directory, FreeIPA etc.