Question

One-time password solutions?

Aug 18, 2012 5:57AM PDT

Hello,

Does anyone know any software that implements one-time password options? Here is my situation:

Some guest computers access resources on the file/print server (runs Windows XP). In order to access the resources on the network, they must enter the guest account and password. Because only I know it, I enter it for them.

The risk is that when I enter the password, the guest computer could have malicious software that stores the password for later use. By having the password change every time they log off, it would be difficult to gain unauthorized access.

How do I apply OTP to this situation? Thank you.

Answer
Is This A Daily Occurrence?
Aug 19, 2012 9:07AM PDT

The problem with allowing server access to outside computers is it creates a big security problem. With critical data, most organizations don't allow such. In the government agency that I worked for, only individuals with network user credentials had the option to access the network and any file/print computers, and they could ONLY use our own networked computers. In addition, we identified SPECIFIC printers or folders which were required for each user and set up sharing so only that SPECIFIC user could access the desired printer or folder. They couldn't simply roam around at will on the server.

Unfortunately, you don't mention how often this occurs...with how many different users.... whether these are stationary or mobile computers, etc. It all makes a difference. And unfortunately, if you install a program that updates a password each time a guest logs off, it becomes almost impossible for the network admin (YOU) to keep track of any password changes. If the access is only occasional, and you have admin rights, you could change the password immediately after each use by an outside guest. It's also important to make sure the guest computers only have "read" access and not "read/write" when setting up sharing. If they require "read/write", then you better make sure the guests are well documented and accounted for.

Hope this helps.

Grif

I'll clarify.
Aug 19, 2012 11:18AM PDT

The majority of the computers are mobile. Usually the guest requests access at least once every day. In order to access the printer, they have to connect to the file/print server. They have to log on to an account labeled "guest-print". Once logged on, they are given access to the printer only. The only permission that is allowed is "print".

If They Can Only Print, Is There Really An Issue?
Aug 20, 2012 3:56AM PDT

If you've locked things down so only printing is allowed, then is there a real problem, even if the password is known and remembered?

I've not used such a password program because all our networks are extremely secure and don't allow access to outside users.... but since you allow guests to access your printers, is there really a security issue other than these same guests might be able to print any time they want?

Hope this helps.

Grif

There is an issue.
Aug 20, 2012 4:28AM PDT

If the guests print at will, they will use countless amounts of paper and ink, and it will drive costs up. That's why I'm looking for one-time password software.

Printing quotas?
Aug 20, 2012 8:37PM PDT

I believe that is possible.

Let's stick to the point.
Aug 21, 2012 3:30AM PDT

All I am looking for is one-time password software, so when the client computer logs off the server with the guest account, the password will change.

When people try ...
Aug 21, 2012 1:59PM PDT
(NT) My apologies...I'll bow out
Aug 21, 2012 8:21PM PDT
I didn't intend to be rude and abrupt.
Aug 22, 2012 2:41AM PDT

I may have said it in the wrong way.

Answer
While I've not felt the need to do this, I know you can
Aug 19, 2012 7:39PM PDT

set passwords to expire after some period of time but I'm not certain what the shortest increment would be. Have you checked into that? It would be found in group policy under password expiration.

I've heard of that...
Aug 19, 2012 11:49PM PDT

...but that means I have to set a manual password every time. I'm looking for software that automatically changes the password every time a guest logs off.

Re: password
Aug 21, 2012 8:35PM PDT

If that software resets the password, how would you know what it had become? That would be necessary for you to type it in for the next user.

Why not write a batchfile or so to change it? See http://www.petri.co.il/change_user_password_from_the_command_prompt.htm
Then make a 'log-off' link at the desktop that first calls that batch file, then logs off.

Somewhat more advanced: write a program that makes that batchfile with some smart algorithm (such as incrementing it each time) and run that in the logoff-batch.

Kees
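An added example, not part of the original thread: one way to make the "incrementing" idea above predictable for the admin but not for guests is to derive each password from a shared secret and a logoff counter using HOTP (RFC 4226). Python on the server, the "Gp-" password format, the state file and the helper names are assumptions made for this sketch.

```python
import hashlib
import hmac
import struct
import subprocess

ACCOUNT = "guest-print"  # account name used in the thread


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 of the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def guest_password(secret, counter):
    # "Gp-" prefix is an assumed format so the value passes a complexity policy.
    return "Gp-" + hotp(secret, counter, digits=8)


def rotate_command(secret, counter):
    """argv that sets password number `counter` on the guest account."""
    return ["net", "user", ACCOUNT, guest_password(secret, counter)]


def rotate(secret, state_path, run=subprocess.run):
    """Logoff step: apply the next password, then persist the new counter."""
    try:
        with open(state_path) as fh:
            counter = int(fh.read().strip())
    except FileNotFoundError:
        counter = 0
    counter += 1
    run(rotate_command(secret, counter), check=True)  # raises if net user fails
    with open(state_path, "w") as fh:
        fh.write(str(counter))
    return counter


if __name__ == "__main__":
    demo_secret = b"12345678901234567890"  # constructed sample, not a real key
    # Admin side: same secret + number of logoffs so far gives the password.
    print(guest_password(demo_secret, 1))
```

In real use the secret would be random bytes, and both it and the counter file would be readable only by the administrator account; the admin computes the current password from the same secret and counter instead of reading it off the server.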

I've started with a batch script.
Aug 25, 2012 12:07AM PDT

Now, I need to find a way to copy portions of the command-line to a secure location. Here is the code:

@echo off
rem /random makes net user generate a random password and print it to the console
net user "guest-print" /random