I have a client who has a Microsoft Windows Small Business Server 2003 system on his network and he is asking me to compile a list of his users’ passwords. The problem is that even with administrator access to the server, I can’t see the employees’ passwords. I informed him of this and gave him these 3 options as to how he can achieve such a list.

1. He can ask his employees for their passwords and compile the list himself.
2. I can create the list and adjust the users’ settings so they can’t change their passwords. I can then give them new ones.
3. The most secretive way is to perform a brute force attack within the server to attempt to discover the employees passwords. I would then create the list. If they change their passwords, I will have to perform another brute force attack.

There are problems with each of these solutions and I will go about them in the same order.

1. Asking the employees for their passwords could make them feel as though they aren’t trusted and cause a feeling of resentment. It could also compromise the users’ passwords for other accounts which is a complete lack of security.
2. If we state that we are changing the security policy and give the employees new passwords, it is a policy change and they have to accept that. Fortunately that would not compromise the employees’ passwords for other accounts.
3. The brute force attack is costly. What it entails is essentially hacking his own employees accounts on his own server. It takes time to do this and if the employees find out, their trust in the company could suffer. And like the first scenario of asking for the passwords, this may end up in compromising employees’ passwords for other their accounts.

My professional recommendation is to go with option number 2 because it has the fewest security options, is inexpensive and will create the least distrust within the company.

Having a Microsoft Windows 2003 Small Business Server on your network is a great way to increase the security and effectiveness of your small business computer network. It has many options to increase your network security. These options include maximum password life, minimum password complexity, how often you can reuse your passwords and in the event that you forget a password, the administrator can easily reset it. The administrator can’t see the employees’ passwords but they can reset them to something new.

I hope this helps.

Happy computing,
Tim

Biden PC is a Computer Network Consulting Company.