
Managing password resets for local admin

Joined
Jun 24, 2013
Messages
11 (0.00/day)
Not sure exactly where to post this thread, so please move, if necessary. Here's my problem:

I work for a large company with offices all over North America. We have hundreds of printers and scanners. I have proposed to the security team that we come up with a password policy for these devices. The issue is that the sheer scale of the password update project is massive (from my own, inexperienced perspective). Updating the local admin password on all these devices will take significant man-hours. I haven't found a solution online to possibly script the changes and send commands through SSH/PuTTY, or something over the network. The closest I found was someone who had created a VBS script, but it won't work in our environment. Does anyone here have experience they could share, along with their process? I'm praying there's a nice, convenient way to centrally manage the passwords, but I have come up empty so far.
 

Kursah

Super Moderator
Staff member
Joined
Oct 15, 2006
Messages
14,673 (2.29/day)
Need more clarification on the matter, from what I'm seeing you're asking if you can somewhat automate managing passwords on hundreds of printers, scanners, mfp's. Without more details such as what brand(s) and model(s) you're using, confirming the capabilities of account management for those, we can speculate and make suggestions but they might not be as helpful as you'd like.

With some of those devices, finding out if they're tied to RADIUS or LDAP and if you're also taking advantage of security group assignments, that would be vastly more helpful. Then at that point if you're utilizing access privileges and restrictions based on security groups for devices to manage who even has authorized access. I would assume a company that size is likely running with all of those in-place, but you know what they say about ASSumptions. ;)

Beyond that, setting an extremely complex password for the default admin, or disabling that account and creating a uniquely named account that only you and your security team know, would be the way to go as well. It would still be a lot of manual work, and I'm not sure what you can truly do to avoid that, so make the manual changes really count for something where you can. Security management in IT isn't easy, and access control is one of those things that takes a lot more involvement at various stages to do and execute correctly.

I'd say make the account name changes, make the password 64+ chars long, and perform annual or bi-annual changes as needed. Again, hopefully, as far as user access control goes, you're able to take advantage of a directory sync service and manage access from a print server with security groups.
 
Joined
Jun 24, 2013
Messages
11 (0.00/day)
Thanks for your reply! I haven't been involved in the access management of the printers before, so I can't say for sure what has been done. From what I can tell, those networked access services are not in place. A 3rd-party printer management and deployment service is used, not a Windows print server, so I do not believe there are even objects for those devices in Active Directory. Along those same lines, I don't believe there are RADIUS/LDAP services used, either. I'm just a lowly helpdesk agent, so what do I know ;). I saw the bleeding wound and said something should be done about it. I'm learning as I go about what's already in place and what isn't, and now I'm hoping to find a practical solution, but this will be a good experience for me either way. My first concern is securing the local admin account on these devices.

As far as devices, they are wide ranging as the company has grown quite a bit due to acquisitions (which also complicates things). We have HP, Brother, Xerox, Konica Minolta, and a few other brands out there.
 

Kursah

Super Moderator
Staff member
Joined
Oct 15, 2006
Messages
14,673 (2.29/day)
Without knowing how things are integrated, if they are, or how they are, especially for current access control privileges and restrictions, you're really at odds for deploying anything useful to your managed infrastructure.

Maybe you can work with one of the security division's engineers to obtain that information if you have reached a level of trust and the task for what you're doing is something you should be officially taking care of. In that case, you need to be at least privy to what solutions are being utilized for user account management, security, and access, what third party print management service(s) are in-use, etc.

The issue here is that if your access is limited, your knowledge of the infrastructure and deployed solutions is limited, and it'll be nigh impossible to provide a consistent, usable solution that will even work for your site's needs and requirements. That puts you at a major disadvantage, so hopefully you can work with someone who does have that knowledge.

As I suggested above with printers, it sounds like unless the software can moderate access on the default admin/access account, you'll be faced with manually accessing each device to manage them appropriately. At that point doing what I suggested above might make sense; it also might help to task an individual at each site with taking care of this to break it down into manageable chunks.

Some devices allow or offer centralized management, but not knowing if what your site has deployed all are able to use that or if the third party management for printers and scanners is merely for access control, print count limitation, etc. or if it also allows device account modifications as well again leaves you at a disadvantage.

In security, knowledge is key. You have to know how a site is deployed, managed and ultimately used. Without that knowledge coming up with an appropriate account management solution that you can actually execute beyond a written proposal won't happen. I am curious exactly what they expect from you here if anything beyond a written proposal or maybe they want you to find out what they already know?

Either way, sounds like you need to know more about what you're working with to get to the end result you seek in an appropriate fashion. :toast:
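Kursah's advice above (a non-default admin account name, a unique 64+ character password per device, periodic rotation, and one person per site working through a manageable chunk) can be turned into a tracked plan before anyone touches a device. The following is an added example written for this page; it is not code from the thread, nor from any vendor's management tool. The inventory is constructed, and the account name `prtadmin`, the 64-character minimum, the symbol set and the 365-day rotation interval are assumptions. It produces the credentials and the per-site work packages; actually applying a password is vendor-specific and is not shown.

```python
import csv
import io
import secrets
import string
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed sample inventory (hostnames, vendors and sites are made up for
# the example); in practice export this from the print-management service.
INVENTORY_CSV = """hostname,vendor,site
prn-chi-01,HP,Chicago
prn-chi-02,Xerox,Chicago
prn-tor-01,Brother,Toronto
mfp-tor-01,Konica Minolta,Toronto
prn-dal-01,HP,Dallas
"""

# Assumed policy, following the thread's suggestions: one non-default admin
# account name across the fleet, a unique 64+ character password per device,
# annual rotation. Confirm each model's maximum password length and accepted
# characters before generating at full length.
ADMIN_ACCOUNT = "prtadmin"
MIN_LENGTH = 64
ROTATION_DAYS = 365
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-.:=?@_"


@dataclass
class DeviceCredential:
    hostname: str
    vendor: str
    site: str
    admin_account: str
    password: str = field(repr=False)  # keep the secret out of logs and tracebacks
    rotated_on: date

    @property
    def next_rotation(self) -> date:
        return self.rotated_on + timedelta(days=ROTATION_DAYS)


def meets_policy(password: str) -> bool:
    """Minimum length plus at least one lowercase, uppercase, digit and symbol."""
    return (
        len(password) >= MIN_LENGTH
        and any(c.islower() for c in password)
        and any(c.isupper() for c in password)
        and any(c.isdigit() for c in password)
        and any(c in string.punctuation for c in password)
    )


def generate_password(length: int = MIN_LENGTH) -> str:
    """CSPRNG-backed password; resample until it satisfies the policy."""
    if length < MIN_LENGTH:
        raise ValueError(f"policy requires at least {MIN_LENGTH} characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def load_inventory(csv_text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(csv_text)))


def build_rotation_plan(rows, rotated_on: date) -> list[DeviceCredential]:
    """One unique credential per device, all under the same non-default account."""
    return [
        DeviceCredential(
            hostname=row["hostname"], vendor=row["vendor"], site=row["site"],
            admin_account=ADMIN_ACCOUNT, password=generate_password(),
            rotated_on=rotated_on,
        )
        for row in rows
    ]


def batches_by_site(plan) -> dict[str, list[str]]:
    """Work packages, so one person per office can apply that site's changes."""
    batches: dict[str, list[str]] = {}
    for cred in plan:
        batches.setdefault(cred.site, []).append(cred.hostname)
    return batches


def due_for_rotation(plan, on: date) -> list[DeviceCredential]:
    return [cred for cred in plan if cred.next_rotation <= on]


if __name__ == "__main__":
    plan = build_rotation_plan(load_inventory(INVENTORY_CSV), date.today())
    for site, hosts in batches_by_site(plan).items():
        print(f"{site}: {len(hosts)} device(s) -> {', '.join(hosts)}")
    # Hand `plan` to a password vault; never print or e-mail the passwords.
```

The plan belongs in a password vault with access restricted to the people Kursah describes, not in a spreadsheet; `repr=False` on the password field keeps the secret out of exception traces and debug output. Because every device gets its own password, a credential lifted from one printer's configuration backup does not open the rest of the fleet.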
 
Joined
Jun 24, 2013
Messages
11 (0.00/day)


Well, that certainly gives me something to go off of. My team technically "owns" the support on these devices, so it's important to know the access management strategy going forward. From what I am hearing, there really wasn't one beyond manually logging onto each device and adjusting configs. No matter my access, my goal is to effect a positive change that will ultimately leave the overall infrastructure more secure.

Thanks again for your insights.
 

Solaris17

Super Dainty Moderator
Staff member
Joined
Aug 16, 2005
Messages
25,879 (3.79/day)

Can you ping these via DNS from a central server? Like:
Code:
ping Desktop-1

TBH it looks like @Kursah addressed most of the issues. Realistically, even if there was a way to change the passwords remotely, while I appreciate your willingness as a help desk tech to address a glaring issue, it is the wrong first step. It looks like the system admins have a lot of work ahead of them, and maybe you could gently spearhead a campaign to get those units connected to the domain in Active Directory, because right now you are trying to flavor water in a pool and not the bottles.

These PCs need to be part of the forest ASAP so they can be properly managed.
 
Joined
Jun 24, 2013
Messages
11 (0.00/day)
Yes, I can ping the printers by name. I have scheduled a meeting for next week so we can take a step back and try to look at the big picture. I really need to get more info at this point.
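Solaris17's question about pinging the printers by name from a central server is the first check to run at fleet scale, and it is worth extending before any credential push: does each name resolve, does it resolve to an address inside the subnet the inventory says that site uses (a stale DNS record would otherwise have you changing the password on the wrong box), and which management interfaces answer. The following is an added example written for this page, not code from the thread or from any print-management product. The hostnames and site prefixes are constructed, and the port list is an assumption; both the resolver and the port prober are injectable so the logic can be exercised without a network.

```python
import ipaddress
import socket
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed inventory: each printer hostname with the site subnet it is
# expected to live in (names and prefixes are made up for the example).
INVENTORY = [
    ("prn-chi-01", "10.10.20.0/24"),
    ("prn-chi-02", "10.10.20.0/24"),
    ("prn-tor-01", "10.20.30.0/24"),
]

# Assumed management ports worth checking before touching a device.
MGMT_PORTS = {22: "ssh", 80: "http", 443: "https", 9100: "raw-print"}

Resolver = Callable[[str], Optional[str]]
Prober = Callable[[str, int], bool]


@dataclass
class DeviceStatus:
    hostname: str
    address: Optional[str]
    in_expected_subnet: bool
    open_ports: tuple


def resolve_dns(hostname: str) -> Optional[str]:
    """Same question as `ping <name>`: does the name resolve from here?"""
    try:
        return socket.gethostbyname(hostname)
    except socket.gaierror:
        return None


def probe_tcp(address: str, port: int, timeout: float = 1.0) -> bool:
    """TCP connect check with a short timeout, so a dead device does not stall the sweep."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def sweep(inventory, resolver: Resolver = resolve_dns, prober: Prober = probe_tcp):
    results = []
    for hostname, cidr in inventory:
        address = resolver(hostname)
        if address is None:
            results.append(DeviceStatus(hostname, None, False, ()))
            continue
        in_subnet = ipaddress.ip_address(address) in ipaddress.ip_network(cidr)
        open_ports = tuple(sorted(p for p in MGMT_PORTS if prober(address, p)))
        results.append(DeviceStatus(hostname, address, in_subnet, open_ports))
    return results


def triage(results) -> dict[str, list[str]]:
    """Sort devices into what blocks a safe credential change and what is ready."""
    report = {"unresolved": [], "wrong_subnet": [], "plaintext_only": [], "ready": []}
    for status in results:
        if status.address is None:
            report["unresolved"].append(status.hostname)
            continue
        if not status.in_expected_subnet:
            # Stale DNS record or a device that moved: confirm before changing anything.
            report["wrong_subnet"].append(status.hostname)
        encrypted_mgmt = 22 in status.open_ports or 443 in status.open_ports
        if 80 in status.open_ports and not encrypted_mgmt:
            # The only admin path is cleartext HTTP; a new password would cross the wire in the clear.
            report["plaintext_only"].append(status.hostname)
        if status.in_expected_subnet and encrypted_mgmt:
            report["ready"].append(status.hostname)
    return report


if __name__ == "__main__":
    for bucket, hosts in triage(sweep(INVENTORY)).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Run it from the same central server the ping test came from, so it sees the same DNS view. Devices in the `plaintext_only` bucket need HTTPS enabled (or an SSH interface) before the admin password is changed over the network, otherwise the new credential is exposed to anyone on the path; `wrong_subnet` devices need the inventory or the DNS record corrected first.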
 