RE: Password management WAS: local admin compromised

From: James D. Stallard (cds@cionlne.com)
Date: 11/13/01


From: "James D. Stallard" <cds@cionlne.com>
To: "'Read, Greg'" <ReadG@JAGUARS.NFL.com>, <focus-ms@securityfocus.com>
Subject: RE: Password management WAS: local admin compromised
Date: Tue, 13 Nov 2001 16:04:57 -0000
Message-ID: <002f01c16c5c$f13555c0$6400000a@leafgrove.com>

Greg

Best practice is to defend your passwords as well as possible. Depending
on how large your site is this could mean a password protected Excel
spreadsheet (not easy to crack) or an envelope in a safe.

It is always a good idea to have different passwords for each server
local admin account and these should again be different to the domain
admin passwords. It is up to you where you draw the line and don't
forget the security of the room these servers are stored in and the
security of your backups and Emergency recovery disks.
 
Regards
 
James D. Stallard
james@leafgrove.com
Mobile: 07979 49 88 80
Tel: 0118 9345 020
Fax: 0118 9340 518
www.leafgrove.com

-----Original Message-----
From: Read, Greg [mailto:ReadG@JAGUARS.NFL.com]
Sent: 13 November 2001 13:53
To: 'focus-ms@securityfocus.com'
Subject: Password management WAS: local admin compromised

Jay,

>The key here is to limit the
>possibilities for privilege escalation by ensuring that the
>local Admin accounts do not share their passwords with any
>Domain Admin accounts.

I've heard this before and tend to agree with it, but...
what do you do to manage (remember) local Admin passwds?

We have a room full of servers, should all the local admin passwds be
different from each other as well as the domain?

How about services that need domain accounts to run (like
SQL server replication); what do you do to manage the passwds for these
accounts?

I don't ask these questions flippantly, I'd like to know what best
practices are. My only thought is to store them in some sort of secure
database, but what to use?

Thanks,
Greg


