Re: Helpdesk as local admin
- From: htroup@xxxxxxx
- Date: Mon, 05 Feb 2007 09:16:06 -0800
IMO, the worst practice is the "standard password on a local admin account"=
. This is essentially unchangable on a large network; anyone who ever knew =
it stands a really good change of it still being valid on random laptop, so=
ld-off hardware, etc. It's wrong for many reasons. Another bad solution is=
the "well-known and shared" domain admin password. It too has many bad pro=
perties, tending to leak, needing changed when staff changes, and producing=
untrackable changes.
It's not intuitive, but you are far better off giving each help desk tech a=
n individual domain admin account - in addition to a personal user account.=
And encouraging/enforcing the use of "runas" to execute commands.
Advantages of a per-tech admin account: No shared password; no "plausible d=
eniability"; simpler termination handling; cleaner logs. You do audit priv=
ilege use, right?
Over twenty-five years, I have become convinced that anything leading to sh=
ared and reused passwords is just plain wrong, and you must always find a s=
olution that doesn't involve more than one person using the same password.
--
Henry Troup
htroup@xxxxxxx
On Sat Feb 3 8:58 , WALI sent:
Hi Guys..s=20
So what's the defined best practise regarding HelpDesk personnel be=20
given/told local admin account names and passwords on users PC/Workstation=
in order to undertake routine fault finding and applications installation?=20
Help Desk techies also regularly inserts new workstations into the domain=
hence they need certain privileges to be able to make new workstations joi=n=20
the domain. What could be the most secure way given the fact that Servers==20
are running Win 2k3 and client machines are a combination of WinXP and Win=2k.
- Prev by Date: SF new interview announcement: PHP Security From The Inside
- Next by Date: Re: PCI, EFS and the future?
- Previous by thread: Re: Helpdesk as local admin
- Next by thread: RE: Helpdesk as local admin
- Index(es):
Relevant Pages
|
