Re: Helpdesk as local admin
- From: Henry Troup <htroup@xxxxxxx>
- Date: Mon, 05 Feb 2007 11:07:56 -0500
IMO, the worst practice is the "standard password on a local admin account". This is essentially unchangable on a large network; anyone who ever knew it stands a really good change of it still being valid on random laptop, sold-off hardware, etc. It's wrong for many reasons. Another bad solution is the "well-known and shared" domain admin password. It too has many bad properties, tending to leak, needing changed when staff changes, and producing untrackable changes.
It's not intuitive, but you are far better off giving each help desk tech an individual domain admin account - in addition to a personal user account. And encouraging/enforcing the use of "runas" to execute commands.
Advantages of a per-tech admin account: No shared password; no "plausible deniability"; simpler termination handling; cleaner logs. You do audit privilege use, right?
Over twenty-five years, I have become convinced that anything leading to shared and reused passwords is just plain wrong, and you must always find a solution that doesn't involve more than one person using the same password.
--
Henry Troup
htroup@xxxxxxx
On Sat Feb 3 8:58 , WALI sent:
Hi Guys..
So what's the defined best practise regarding HelpDesk personnel be
given/told local admin account names and passwords on users PC/Workstations
in order to undertake routine fault finding and applications installation?
Help Desk techies also regularly inserts new workstations into the domain
hence they need certain privileges to be able to make new workstations join
the domain. What could be the most secure way given the fact that Servers
are running Win 2k3 and client machines are a combination of WinXP and Win2k.
- Prev by Date: Re: Re: Changing the domain password policy
- Next by Date: RE: Helpdesk as local admin
- Previous by thread: RE: Helpdesk as local admin
- Next by thread: Re: Helpdesk as local admin
- Index(es):
Relevant Pages
|
