Profile Applicability:
Level 1
Description:
For security reasons, it is crucial to change the auto-generated password for Windows-based Lightsail instances. By default, AWS generates a random password for each Windows instance, but this password can be changed to a custom one for better security and control. Changing the password ensures that only authorized users have access to the instance.
Rationale:
Changing the default password for Windows instances ensures that:
The instance is protected from unauthorized access by replacing the default, auto-generated password with one known only to authorized administrators.
The administrator can enforce stronger, personalized password policies that align with organizational security requirements.
Access to critical resources is tightly controlled.
Default Value:
By default, Windows instances on AWS Lightsail are provisioned with a randomly generated password. This password can be retrieved and used to connect to the instance but is not secure for long-term use.
Impact:
Pros:
Increased security by replacing the default, auto-generated password with a stronger, more secure one.
Better compliance with organizational and security policies that require custom password configurations.
Enhanced control over access to the instance.
Cons:
Requires careful management of the new password to ensure that it is securely stored and distributed to authorized users.
Mismanagement of passwords could result in being locked out of the instance.
Remediation:
Test Plan:
Using AWS Console:
Log in to the AWS Console.
Navigate to Lightsail and select Instances under Compute.
Choose the Windows-based instance for which you want to change the password.
Click on the Connect button and retrieve the auto-generated password for the instance.
Use Remote Desktop (RDP) to connect to the instance using the retrieved password.
Once logged in, change the password from the Control Panel in Windows by going to User Accounts and selecting Change my password.
Enter a new, secure password, ensuring it meets organizational password policies.
Using AWS CLI:
Run the following command to retrieve the auto-generated password for the instance:
aws lightsail get-instance-password --instance-name <instance-name>
Use RDP to connect to the instance with the retrieved password.
Once logged in, change the password from Control Panel > User Accounts > Change my password. Enter a new, secure password that complies with your organization's password policy.
Implementation Plan:
Using AWS Console:
Log in to the AWS Console.
Navigate to Lightsail and choose the Instances section.
Select the Windows instance you want to update.
Click on Connect to retrieve the auto-generated password.
Connect via RDP and change the password in Control Panel > User Accounts > Change my password.
Using AWS CLI:
Retrieve the auto-generated password for the instance using the following command:
aws lightsail get-instance-password --instance-name <instance-name>
Connect to the instance using RDP and change the password from Control Panel > User Accounts.
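The password change step of the Test Plan and Implementation Plan above can also be done from an elevated PowerShell session on the instance instead of the Control Panel. The script below is an added example, not part of this benchmark or of AWS documentation; it assumes the account is the built-in Administrator and uses placeholder policy thresholds (length and character classes) that you should replace with your organization's own.

```powershell
# Added example: run in an elevated PowerShell session on the Windows Lightsail
# instance after connecting over RDP with the auto-generated password.
# Assumptions (not from the benchmark text): the account is the built-in
# 'Administrator', and the policy values below are placeholders.
param(
    [string]$UserName = 'Administrator',
    [int]$MinLength = 14
)

function Test-PasswordPolicy {
    param([string]$Candidate)
    # Illustrative policy: minimum length plus three of four character classes.
    $classes = 0
    if ($Candidate -cmatch '[A-Z]')         { $classes++ }
    if ($Candidate -cmatch '[a-z]')         { $classes++ }
    if ($Candidate -match '\d')             { $classes++ }
    if ($Candidate -match '[^A-Za-z0-9]')   { $classes++ }
    return ($Candidate.Length -ge $MinLength) -and ($classes -ge 3)
}

# Prompt twice so a typo cannot lock you out with a password nobody knows.
$secure1 = Read-Host -Prompt "New password for $UserName" -AsSecureString
$secure2 = Read-Host -Prompt 'Confirm new password' -AsSecureString
$plain1 = [System.Net.NetworkCredential]::new('', $secure1).Password
$plain2 = [System.Net.NetworkCredential]::new('', $secure2).Password
if ($plain1 -ne $plain2) { throw 'Passwords do not match.' }
if (-not (Test-PasswordPolicy $plain1)) {
    throw "Password does not meet policy (min $MinLength chars, 3 of 4 character classes)."
}
$plain1 = $null; $plain2 = $null   # drop the plaintext copies once validated

# Apply the change to the local account and confirm it was recorded.
Set-LocalUser -Name $UserName -Password $secure1
$user = Get-LocalUser -Name $UserName
"Password for $($user.Name) updated at $($user.PasswordLastSet)"
```

Once the password has been changed, the Lightsail console and CLI can no longer retrieve it, so record the new value in your organization's secret store before closing the RDP session.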
Backout Plan:
Using AWS Console:
If there are issues after the password change, log in to the AWS Console.
Retrieve the auto-generated password again using the Connect button.
Revert to the original password by connecting to the instance with the auto-generated password and resetting it.
Using AWS CLI:
If access to the instance is lost, retrieve the auto-generated password again:
aws lightsail get-instance-password --instance-name <instance-name>
Use RDP to connect with the auto-generated password and reset the password to a known value.
References:
CIS Controls: