RE: Admin password management



I have not used this product in an ISP environment; ours is a smaller
enterprise environment. But I would suggest looking at E-DMZ's Password
Auto Repository product (hardware device; a 2nd device provides failover).


That is supposed to handle Windows, Unix, SQL and Oracle passwords and
provides a web-based retrieval process that is logged. You can specify
who has authorization to retrieve a password, or you can have a web-based
authorization process (an email is sent to an authorizer, and you can set
multiple levels - requiring 1, 2 or more authorizers to approve).

The requestor must input a reason for retrieval. Passwords for the
Windows environment can be changed on an automatic schedule - I believe
that you can also do this for other platforms and Oracle - or you can
have password changes occur manually (i.e. use PAR to generate a random
password, type it in and tell PAR the change was successful, and then it
registers the password change).

I did not price the product myself, so I am not sure about cost. We have been
using it here with success.


E-DMZ Password Auto Repository

http://www.e-dmzsecurity.com/

Kay Cornwell, MS
GSEC, GSLC, GSAE


-----Original Message-----
From: mamo [mailto:mamo74@xxxxxxxxx]
Sent: Wednesday, May 20, 2009 8:48 AM
To: security-basics@xxxxxxxxxxxxxxxxx
Subject: Admin password management

Hi all.

I am responsible for the security of a small ISP. I need to manage the
admin passwords of all the machines of the ISP (around 200 systems, mainly
with Linux, Windows and Solaris OS).
By admin user I mean stuff like root, oracle, Oracle sys, MSSQL SA,
BEA admin password, etc. We have a policy that requires users to
authenticate with a nominal username/password (and sudo on UN*X), but
there are situations where accessing with the admin password is required,
and it is not acceptable to share the password with the whole group that
works on IT Assurance activities.

I would like to have a product that:
- Logs who takes which password
- Logs who changes the password
- Permits generating a new random password
- Has "decent" security
- Permits profiling who can see which password (not mandatory)
- Permits adding a note to the activity (why the user needed to
take the admin password)

I am looking for a product that will be used by around 50-100 people
who manage the ISP (not like KeePass or Password Safe, where the user
has the encrypted DB with all the passwords on the PC).
I would appreciate being able to do this with an Open Source
product, but I can also evaluate commercial products.

Do you have any experience to share of products that match my
description?

Thank you.
Mamo
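
The check-out workflow both messages describe (a requestor must give a reason, retrieval can require one or more authorizers, every retrieval and change is logged, and passwords are generated at random and re-registered after a manual change) boils down to a few mechanics. The following is an added, constructed example in Python and is not part of the thread, not E-DMZ's code and not a substitute for a real vault; the class and function names (Vault, checkout, rotate, register_manual_change), the sample systems and user names are illustrative assumptions. It also covers the requirements list in the original question (who took what, who changed what, random generation, per-password profiling, a note per retrieval).

```python
"""Minimal check-out vault for shared admin passwords (constructed example).

Models the workflow discussed in the thread: reason required, optional
authorizers, per-system ACL, audit trail, random generation and
registration of manual changes. Secrets never appear in the audit log.
"""
import secrets
import string
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional, Set


class AccessDenied(Exception):
    """Raised when a retrieval does not satisfy policy."""


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (secrets), covering four character classes."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, "!#$%&*+-=?@^_"]
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


@dataclass
class Entry:
    account: str               # e.g. "root", "sa", "sys" (assumed sample accounts)
    password: str
    allowed_users: Set[str]    # who may retrieve: the "profile who can see what" requirement
    approvals_needed: int = 0  # 0 = self-service; 1 or 2 = distinct authorizers must approve


@dataclass
class Vault:
    entries: Dict[str, Entry] = field(default_factory=dict)
    audit: List[dict] = field(default_factory=list)

    def _log(self, action: str, user: str, system: str, **extra) -> None:
        # Record who/what/when/why; the secret itself is never written here.
        rec = {"ts": datetime.now(timezone.utc).isoformat(), "action": action,
               "user": user, "system": system}
        rec.update(extra)
        self.audit.append(rec)

    def add(self, system: str, account: str, allowed_users: Set[str],
            approvals_needed: int = 0) -> str:
        pw = generate_password()
        self.entries[system] = Entry(account, pw, set(allowed_users), approvals_needed)
        self._log("create", "vault", system, account=account)
        return pw

    def checkout(self, user: str, system: str, reason: str,
                 approvers: Optional[List[str]] = None) -> str:
        """Release a password to `user`, enforcing ACL, reason and approvals; log either way."""
        entry = self.entries.get(system)
        approvers = list(dict.fromkeys(approvers or []))  # distinct approvers only
        try:
            if entry is None:
                raise AccessDenied(f"unknown system {system}")
            if user not in entry.allowed_users:
                raise AccessDenied(f"{user} is not authorized for {system}")
            if not reason.strip():
                raise AccessDenied("a reason for retrieval is required")
            if user in approvers:
                raise AccessDenied("requestor may not approve their own request")
            if len(approvers) < entry.approvals_needed:
                raise AccessDenied(f"{entry.approvals_needed} approver(s) required, got {len(approvers)}")
        except AccessDenied as exc:
            self._log("checkout_denied", user, system, reason=reason, detail=str(exc))
            raise
        self._log("checkout", user, system, reason=reason, approvers=approvers, account=entry.account)
        return entry.password

    def rotate(self, actor: str, system: str) -> str:
        """Scheduled rotation: the vault picks the new password; the caller pushes it to the host."""
        entry = self.entries[system]
        entry.password = generate_password()
        self._log("rotate", actor, system, mode="automatic")
        return entry.password

    def register_manual_change(self, actor: str, system: str, new_password: str) -> None:
        """Manual rotation: operator set the password on the box and reports it back to the vault."""
        self.entries[system].password = new_password
        self._log("rotate", actor, system, mode="manual")

    def history(self, system: str) -> List[dict]:
        return [r for r in self.audit if r["system"] == system]


if __name__ == "__main__":
    v = Vault()
    v.add("db01", "sys", {"alice", "bob"}, approvals_needed=1)
    print(v.checkout("alice", "db01", "apply quarterly CPU patch", approvers=["carol"]))
    for rec in v.history("db01"):
        print(rec)
```

The two rotation paths mirror the thread: `rotate` is the scheduled case where the vault generates the password and the integration applies it to the target, while `register_manual_change` is the "type it in and tell the vault it succeeded" case. A production tool would additionally encrypt the store at rest, bind the audit trail to an external log sink and rotate a password after every check-out rather than keeping it valid until the next schedule.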

------------------------------------------------------------------------
This list is sponsored by: InfoSec Institute

Need to pass the CISSP? InfoSec Institute's CISSP Boot Camp in both
Instructor-Led and Online formats is the most concentrated exam prep
available. Comprehensive course materials and an expert instructor means
you pass the exam. Gain a laser like insight into what is covered on the
exam, with zero fluff!

http://www.infosecinstitute.com/courses/cissp_bootcamp_training.html
------------------------------------------------------------------------

