How risky is it if I use a domain admin account for AD sync and pushing agents? If I choose to save the admin password while setting up the AD sync server task, is the password stored somewhere, and how risky is this?
I'm sure McAfee encrypts the password before it's stored in the database. But you should always try to follow the principle of least privilege. Why use a domain admin account for AD sync? You only need read access to AD, so any normal user account will do.
Still waiting for the reply that talks about the risk. However, do you recommend using a GPO or login script to stay away from the risk?
Password details are saved as AES256 hashes; however, if you are concerned about saving the credentials, you don't have to. (It just means you have to enter the credentials each time you want to push an agent.)
Joe, can you tell us a bit more on this topic? As far as I know, you should not be able to calculate the original value from a hashed password, in contrast to encrypted passwords, which can be decrypted (if you have the encryption key).
Cryptographic hashing is an enormous subject, a bit beyond the scope of this forum. A quick Google shows some good introductory articles on the topic, though.
But yes, one of the main points of hashing is that it is a one-way function - there is no way to get the original password back from the hash.
Joe, I meant if you could tell us a bit more about how this is implemented in ePO. If only a password hash is stored, how can ePO use the original password for authentication?
The login process calculates the hash of the supplied password and compares it with the stored hash - if the hashes match then the passwords must also match.
This is a very common method of storing authentication details, and is by no means unique to ePO.
Seriously, Google for some introductions to cryptographic hashing with respect to passwords; it will explain things far better than I can.
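The "hash the supplied password and compare with the stored hash" login flow described in the reply above, as an added example that is not code from the thread, from McAfee or from ePO. It uses salted PBKDF2-HMAC-SHA256 from Python's standard library as an illustration of the general technique; the record format, the `ITERATIONS` work factor and the `register_user`/`login` helpers are assumptions chosen for the example. Note the distinction the thread circles around: this one-way scheme is sufficient when the system receiving the password is the one checking it, but it cannot produce the original password again for presenting to another service.

```python
"""Salted password hashing and verification (the login-check pattern).

Added example, not ePO code. A record stores PBKDF2-HMAC-SHA256 of the
password with a random per-user salt. Verification recomputes the hash of
the supplied password and compares it in constant time; the record itself
never contains the password and cannot be turned back into it.
"""
import hashlib
import hmac
import os
from typing import Dict, Optional

ITERATIONS = 600_000  # assumption: PBKDF2 work factor, tune for your hardware
SALT_BYTES = 16
ALGO = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algo$iterations$salt_hex$hash_hex."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash of the supplied password and compare with the stored one."""
    try:
        algo, iter_s, salt_hex, hash_hex = stored.split("$")
        iterations = int(iter_s)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if algo != ALGO:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # constant-time comparison so a mismatch does not leak how many bytes matched
    return hmac.compare_digest(candidate, expected)


# A dummy record checked for unknown usernames so that "no such user" takes
# the same time as "wrong password" (avoids a username-enumeration timing leak).
_DUMMY_RECORD = hash_password(os.urandom(16).hex())


def register_user(store: Dict[str, str], username: str, password: str,
                  iterations: int = ITERATIONS) -> None:
    """Store only the salted hash; the plaintext password is discarded."""
    store[username] = hash_password(password, iterations=iterations)


def login(store: Dict[str, str], username: str, password: str) -> bool:
    """Hash the supplied password and compare with the stored hash for the user."""
    record = store.get(username, _DUMMY_RECORD)
    ok = verify_password(password, record)
    return ok and username in store


if __name__ == "__main__":
    users: Dict[str, str] = {}
    register_user(users, "alice", "correct horse battery staple")
    print(users["alice"])                                    # no password inside
    print(login(users, "alice", "correct horse battery staple"))  # True
    print(login(users, "alice", "wrong"))                         # False
```

Two properties worth checking in your own code: the same password hashed twice gives different records (random salt), and the stored record is useless as a credential, since nothing in it can be handed to another system in place of the password.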