web1b
Level 7

Add user account to all systems?

In EEPC 7.0, is there a way to automatically add a user account with a fixed password to all systems so IT support personnel can always get past PBA without relying on the end user to log in for them?

0 Kudos
1 Solution

Accepted Solutions
SafeBoot
Level 21

Re: Add user account to all systems?

Very bad idea. Just add all the engineers to all machines instead.

0 Kudos
30 Replies
web1b
Level 7

Re: Add user account to all systems?

The reason we want to use an account with a fixed password is because some laptops may be away from the domain for long periods of time.

When the laptop comes back, it would have a cached PBA password that would be very old and the IT staff would not be able to authenticate through PBA if they don't remember all their previous passwords and enter the correct old password before being locked out.

Since we would not be able to get to Windows without going through PBA, does EEPC have a way to sync accounts to the current password without booting into Windows first?

0 Kudos
Timmah
Level 11

Re: Add user account to all systems?

In situations like this, using recovery would be far more preferable than leaving a gaping hole in your estate, no?

0 Kudos
web1b
Level 7

Re: Add user account to all systems?

It would be an account that had no rights to do anything except authenticate PBA on a specific group of laptops. Needing to do recovery every time the staff needed to work on a laptop that had been away from the network for several weeks/months would not be practical.

0 Kudos
Timmah
Level 11

Re: Add user account to all systems?

Having a shared account with a fixed (and shared) password is a big risk. Even more-so when machines are left unsync'd for long periods of time, since there's no way to reset those credentials on all assets in the case of a breach/loss of those credentials.

Getting through PBA is essentially "everything" for us. The product is rendered useless if you're willing to hand out free "get through PBA" cards. Hence, we recommend going the recovery route, since rogue users would have to jump through extra hoops to get access.

Ultimately, you can assign a user to the root with a known password with the existing product today. But it's not at all recommended. The risks are too high.

0 Kudos
web1b
Level 7

Re: Add user account to all systems?

I thought you meant the tech would need to do a challenge/response recovery if their current password was not cached on the laptop. I forgot about recovery questions.

Do the recovery answers automatically sync to every computer with their user account?

Also, if there is a policy to bypass PBA when computers are on the local network, would that be an alternative way, assuming the laptop had a working network connection? I don't understand how that would work though, since don't you need to get past PBA before the networking starts?

0 Kudos
Timmah
Level 11

Re: Add user account to all systems?

Any of the recovery options is preferable to shared credentials (IMO).

As for your second question, folivier has already answered your post on another thread: https://community.mcafee.com/message/277670#277670

Cheers,

Tim

0 Kudos
web1b
Level 7

Re: Add user account to all systems?

That is of limited value because it is only possible on a vPro system and assumes you also have Deep Command deployed in your environment.

There are some other products where this can be done all within the encryption product by pinging some key IP addresses before the Windows login prompt is presented. If it is unable to reach those IPs, the system shuts down and takes the user back to the PBA screen. No special hardware requirements needed.

0 Kudos
Timmah
Level 11

Re: Add user account to all systems?

We deliberately avoid having a network stack in our preboot environment, to plug the many potential security holes that inherently come along with network stacks. The vPro chip allows for a secure channel at a hardware level.

The mechanism you describe sounds like little more than a gimmick; I steal your laptop, plug it into my own network, sniff the ping requests, then configure device(s) to respond. Failing that, I'll start scouring the disk for the machine key that'll be written on it somewhere.

0 Kudos