
Managing password resets for local admin

#1
Not sure exactly where to post this thread, so please move, if necessary. Here's my problem:

I work for a large company with offices all over North America. We have hundreds of printers and scanners. I have proposed to the security team that we come up with a password policy for these devices. The issue is that the sheer scale of the password update project is massive (from my own, inexperienced perspective). Updating the local admin password on all these devices will take significant man-hours. I haven't found a solution online to possibly script the changes and send commands through SSH/PuTTY, or something over the network. The closest I found was someone who had created a VBS script, but it won't work in our environment. Do any of you have experience here and could share your process? I'm praying there's a nice, convenient way to centrally manage the passwords, but I have come up empty so far.
 

Kursah

Moderator
Staff member
#2
Need more clarification on the matter. From what I'm seeing, you're asking if you can somewhat automate managing passwords on hundreds of printers, scanners, and MFPs. Without more details such as what brand(s) and model(s) you're using, and confirming the capabilities of account management for those, we can speculate and make suggestions, but they might not be as helpful as you'd like.

With some of those devices, finding out if they're tied to RADIUS or LDAP, and if you're also taking advantage of security group assignments, would be vastly more helpful. Then, at that point, you can use access privileges and restrictions based on security groups for devices to manage who even has authorized access. I would assume a company that size is likely running with all of those in place, but you know what they say about ASSumptions. ;)

Beyond that, setting an extremely complex password for the default admin, or disabling that account and creating a uniquely named account that only you and your security team know, would be the way to go as well. It would still be a lot of manual work, and I'm not sure what you can truly do to avoid that, so make the manual changes really count for something where you can. Security management in IT isn't easy, and access control is one of those things that takes a lot more involvement at various stages to do and execute correctly.

I'd say make the account name changes, make the password 64+ chars long, and perform annual or bi-annual changes as needed. Again, hopefully, as far as user access control goes, you're able to take advantage of a directory sync service and manage access from a print server with security groups.
 
#3
Thanks for your reply! I haven't been involved in the access management of the printers before, so I can't say for sure what has been done. From what I can tell, those networked access services are not in place. A 3rd-party printer management and deployment service is used, not a Windows print server, so I do not believe there are even objects for those devices in Active Directory. Along those same lines, I don't believe there are RADIUS/LDAP services used, either. I'm just a lowly helpdesk agent, so what do I know? ;) I saw the bleeding wound and said something should be done about it. I'm learning as I go about what's already in place and what isn't, and now I'm hoping to find a practical solution, but this will be a good experience for me either way. My first concern is securing the local admin account on these devices.

As far as devices go, they are wide-ranging, as the company has grown quite a bit due to acquisitions (which also complicates things). We have HP, Brother, Xerox, Konica Minolta, and a few other brands out there.
 

Kursah

Moderator
Staff member
#4
Without knowing how things are integrated, if they are, or how they are, especially for current access control privileges and restrictions, you're really at odds for deploying anything useful to your managed infrastructure.

Maybe you can work with one of the security division's engineers to obtain that information, if you have reached a level of trust and the task you're doing is something you should be officially taking care of. In that case, you need to be at least privy to what solutions are being utilized for user account management, security, and access, what third-party print management service(s) are in use, etc.

The issue here is that if your access is limited, your knowledge of the infrastructure and deployed solutions is limited, and it'll be nigh impossible to provide a consistent, usable solution that will even work for your site's needs and requirements. That puts you at a major disadvantage, so hopefully you can work with someone that does have that knowledge.

As I suggested above with printers, it sounds like unless the software can moderate access on the default admin/access account, you'll be faced with manually accessing each device to manage them appropriately. At that point, doing what I suggested above might make sense. It also might help to task an individual at each site with taking care of this to break it down into manageable chunks.

Some devices allow or offer centralized management, but not knowing whether everything your site has deployed is able to use that, or whether the third-party management for printers and scanners is merely for access control, print count limitation, etc., or whether it also allows device account modifications, again leaves you at a disadvantage.

In security, knowledge is key. You have to know how a site is deployed, managed and ultimately used. Without that knowledge, coming up with an appropriate account management solution that you can actually execute beyond a written proposal won't happen. I am curious exactly what they expect from you here, if anything beyond a written proposal, or maybe they want you to find out what they already know?

Either way, it sounds like you need to know more about what you're working with to get to the end result you seek in an appropriate fashion. :toast:
 
#5

Well, that certainly gives me something to go off of. My team technically "owns" the support on these devices, so it's important to know the access management strategy going forward. From what I am hearing, there really wasn't one beyond manually logging onto each device and adjusting configs. No matter my access, my goal is to effect a positive change that will ultimately leave the overall infrastructure more secure.

Thanks again for your insights.
 

Solaris17

Creator Solaris Utility DVD
#6
Can you ping these via DNS from a central server? Like:
Code:
ping Desktop-1
TBH, it looks like @Kursah addressed most of the issues. Realistically, even IF there was a way to change the passwords remotely, while I appreciate your willingness as a help desk tech to address a glaring issue, it is the wrong first step. It looks like the system admins have a lot of work ahead of them, and maybe you could gently spearhead a campaign to get those units connected to the domain in Active Directory, because right now you are trying to flavor the water in a pool and not the bottles.

These PCs need to be part of the forest ASAP so they can be properly managed.
 
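Solaris17's question above (can the devices be reached by DNS name from a central server?) is the first thing to establish before any rotation project, and Kursah's earlier suggestion was a unique account with a 64+ character password. The following is an added example, not code from anyone in this thread: a small inventory survey that resolves each printer's hostname, checks whether a management port a rotation job would need (SSH, or the HTTPS web UI, both assumed here) actually answers, and buckets the fleet into "unresolved", "resolved but no management port", and "reachable". It also shows generating a per-device 64-character password with a CSPRNG. The hostnames and vendors in SAMPLE_INVENTORY are constructed; the resolver and port check are injectable so the survey can be exercised without a network.

```python
"""Survey a printer inventory for central reachability before a credential rotation.

Added example; hostnames below are constructed and not from any real site.
"""
import secrets
import socket
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

# Constructed sample inventory (hypothetical names, vendors taken from the thread).
SAMPLE_INVENTORY = [
    {"name": "prn-hq-01", "vendor": "HP"},
    {"name": "prn-hq-02", "vendor": "Xerox"},
    {"name": "prn-branch-07", "vendor": "Brother"},
]

# Assumed management interfaces a central rotation job might use.
MANAGEMENT_PORTS: Dict[str, int] = {"https": 443, "ssh": 22}

# Assumed character set for generated device passwords.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "-_.!@#%^*"


@dataclass
class DeviceStatus:
    name: str
    vendor: str
    address: Optional[str]
    open_ports: List[str] = field(default_factory=list)

    @property
    def reachable(self) -> bool:
        """True only if the name resolves AND at least one management port answers."""
        return self.address is not None and bool(self.open_ports)


def default_resolver(name: str) -> Optional[str]:
    """Resolve a hostname via the central server's DNS; None if it does not resolve."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def default_port_check(address: str, port: int, timeout: float = 2.0) -> bool:
    """Plain TCP connect to see whether the management service answers at all."""
    try:
        with socket.create_connection((address, port), timeout=timeout):
            return True
    except OSError:
        return False


def survey(
    inventory: List[Dict[str, str]],
    resolver: Callable[[str], Optional[str]] = default_resolver,
    port_check: Callable[..., bool] = default_port_check,
) -> List[DeviceStatus]:
    """Resolve every device and record which assumed management ports are open."""
    results = []
    for entry in inventory:
        address = resolver(entry["name"])
        open_ports: List[str] = []
        if address is not None:
            open_ports = [label for label, port in MANAGEMENT_PORTS.items()
                          if port_check(address, port)]
        results.append(DeviceStatus(entry["name"], entry["vendor"], address, open_ports))
    return results


def summarize(statuses: List[DeviceStatus]) -> Dict[str, List[str]]:
    """Bucket devices by what a central rotation job could actually act on."""
    summary: Dict[str, List[str]] = {"unresolved": [], "no_mgmt_port": [], "reachable": []}
    for status in statuses:
        if status.address is None:
            summary["unresolved"].append(status.name)
        elif not status.open_ports:
            summary["no_mgmt_port"].append(status.name)
        else:
            summary["reachable"].append(status.name)
    return summary


def generate_admin_password(length: int = 64) -> str:
    """Per-device random password; 64 chars is the floor suggested in the thread."""
    if length < 64:
        raise ValueError("device admin passwords should be at least 64 characters")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Live run uses real DNS and TCP from whatever host this is executed on.
    statuses = survey(SAMPLE_INVENTORY)
    for s in statuses:
        print(f"{s.name:<16} {s.vendor:<8} {s.address or 'UNRESOLVED':<16} {','.join(s.open_ports) or '-'}")
    print(summarize(statuses))
```

The survey only records whether the management service answers; it does not log in. Generated passwords are returned, not written to disk, so the caller decides where they go (the team's password vault, never a shared spreadsheet), and each device gets its own value so one exposed printer does not expose the fleet.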
#7
Yes, I can ping the printers by name. I have scheduled a meeting for next week so we can take a step back and try to look at the big picture. I really need to get more info at this point.