Ah, I didn't understand, sorry.
We do have a package that does this internally.
The principle is as follows: we encrypt the new password using the public key of each machine stored in the wapt inventory.
Each workstation can then decrypt the password with its private key and apply it to the machine.
Note that the private key is only accessible by the local administrators of the workstation. Therefore, only the local administrators of the workstations will be able to read the password. This key pair is located in wapt\private\.
A MUCH cleaner method is to use laps
https://blogs.technet.microsoft.com/arn ... tion-laps/
Yes, because having the same local password for all machines is still not very clean...
Simon
[SOLVED] Clean way to exchange local passwords with WAPT?
Forum Rules
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
Community Forum Rules
* English support on www.reddit.com/r/wapt
* French community support is available on this forum
* Please prefix the topic title with [RESOLVED] if it is resolved.
* Please do not edit a topic that is tagged [RESOLVED]. Open a new topic referencing the old one.
* Specify the installed WAPT version, full version, and build number (2.2.1.11957 / 2.2.2.12337 / etc.) as well as the Enterprise/Discovery edition.
* Versions 1.8.2 and earlier are no longer supported. The only questions accepted regarding version 1.8.2 are related to upgrading to a supported version (2.1, 2.2, etc.).
* Specify the server OS (Linux/Windows) and version (Debian Buster/Bullseye - CentOS 7 - Windows Server 2012/2016/2019).
* Specify the OS of the administration/package creation machine and the machine with the problematic agent, if applicable (Windows 7/10/11/Debian 11/etc.).
* Avoid asking multiple questions when opening a topic, otherwise it may be ignored. If there are multiple topics, open separate topics, preferably one after the other and not all at the same time (i.e., do not spam the forum).
* Include code snippets, screenshots, and other images directly in the post. Links to Pastebin, Bitly, and other third-party sites will be systematically removed.
* As with any community forum, support is provided voluntarily by members. If you require commercial support, you can contact Tranquil IT's sales department at 02.40.97.57.55
-
sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
- Contact :
-
dcardon
- WAPT Expert
- Messages: 1932
- Registration: June 18, 2014 - 09:58
- Location: Saint Sébastien sur Loire
- Contact :
Hello EricT,
Sincerely,
Denis
Could you explain how you do this with GPOs? I'd be interested to know how you do it in a "secure" way. Aside from LAPS, the only way I can think of is to reuse shared Kerberos hashes, which isn't particularly easy.
Sincerely,
Denis
Denis Cardon - Tranquil IT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
Share your experiences on WAPT! Send us your blog and article URLs in the "Your Opinion of the forum, and we'll feature them on the WAPT
-
sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
- Contact :
Since the topic is interesting, I created a proof of concept (POC) of a WAPT version:
https://wapt.lesfourmisduweb.org/list_p ... de-in-wapt.
The principle is as follows: it's not good to have the same administrator password on all machines.
The package therefore generates a random password and assigns this password to the local administrator account.
It then encrypts this password with the package's certificate (the certificate of the person who created the package).
The password thus appears in encrypted form in the package's output in the console.
You can then read the machine's password using your private key with the `print_all_password` function.
We might look into integrating something into the console to quickly decrypt a package's output. This would allow sensitive data to be easily retrieved by a WAPT administrator.
Alternatively: https://wapt.lesfourmisduweb.org/list_p ... ypt-sample
https://wapt.lesfourmisduweb.org/list_p ... de-in-wapt.
The principle is as follows: it's not good to have the same administrator password on all machines.
The package therefore generates a random password and assigns this password to the local administrator account.
It then encrypts this password with the package's certificate (the certificate of the person who created the package).
The password thus appears in encrypted form in the package's output in the console.
You can then read the machine's password using your private key with the `print_all_password` function.
We might look into integrating something into the console to quickly decrypt a package's output. This would allow sensitive data to be easily retrieved by a WAPT administrator.
Alternatively: https://wapt.lesfourmisduweb.org/list_p ... ypt-sample
-
renaud.counhaye
- Messages: 31
- Registration: December 13, 2017 - 11:45
I'd like to propose an alternative solution because I have the same problem.
Having the same password for the admin session isn't ideal, but that's what we'd like for a 'secondary' account, not called 'Administrator'.
This account is on most of our machines with the same name, the only issue is that the passwords change depending on the account's creation date, and it's confusing.
There's no way to use a GPO or LPAS domain because some machines don't have a domain.
My idea is this: allow WAPT to manage encrypted/password-protected packets.
The file extension is changed to .waptx, and when the package is deployed, the server provides the client with the extraction code defined beforehand in the server's .ini file or during its setup.
This same code must be provided when performing an encrypted build-upload, in addition to the encryption key and the server admin password.
Alternatively, to simplify the process, the decryption extraction code could be the server admin code. However, this creates a security breach if the client-server communication can be read in plain text.
Therefore, when person X looks in their cache folder or repository and downloads/opens a .waptx file, they are prompted for a password.
This protects the packet's contents from prying eyes. ^__^
Regards,
Ren.
Having the same password for the admin session isn't ideal, but that's what we'd like for a 'secondary' account, not called 'Administrator'.
This account is on most of our machines with the same name, the only issue is that the passwords change depending on the account's creation date, and it's confusing.
There's no way to use a GPO or LPAS domain because some machines don't have a domain.
My idea is this: allow WAPT to manage encrypted/password-protected packets.
The file extension is changed to .waptx, and when the package is deployed, the server provides the client with the extraction code defined beforehand in the server's .ini file or during its setup.
This same code must be provided when performing an encrypted build-upload, in addition to the encryption key and the server admin password.
Alternatively, to simplify the process, the decryption extraction code could be the server admin code. However, this creates a security breach if the client-server communication can be read in plain text.
Therefore, when person X looks in their cache folder or repository and downloads/opens a .waptx file, they are prompted for a password.
This protects the packet's contents from prying eyes. ^__^
Regards,
Ren.
Renaud Counhaye,
Network Systems Technician,
Central Functions Division
, Ymagis Group
Network Systems Technician,
Central Functions Division
, Ymagis Group
-
sfonteneau
- WAPT Expert
- Messages: 2318
- Registered: July 10, 2014 - 11:52 PM
- Contact :
Have you tried this:
https://wapt.lesfourmisduweb.org/detail ... 4_all.wapt? Pressing
F9 in PyScript generates the encrypted text using each machine's public key. You'll find the encrypted text in the encrypt-txt.json file.
During installation, each machine will retrieve its Encrypt entry based on its UUID. It will then be able to decrypt the text with its private key.
In your example, the server becomes a sensitive asset since it possesses the password.
(Furthermore, this method wouldn't work for secondary repositories, which are simply HTTP servers.)
https://wapt.lesfourmisduweb.org/detail ... 4_all.wapt? Pressing
F9 in PyScript generates the encrypted text using each machine's public key. You'll find the encrypted text in the encrypt-txt.json file.
During installation, each machine will retrieve its Encrypt entry based on its UUID. It will then be able to decrypt the text with its private key.
In your example, the server becomes a sensitive asset since it possesses the password.
(Furthermore, this method wouldn't work for secondary repositories, which are simply HTTP servers.)
