mailing list archives
Re: Helpdesk as local admin
From: Henry Troup <htroup () acm org>
Date: Mon, 05 Feb 2007 11:07:56 -0500
IMO, the worst practice is the "standard password on a local admin account". This is essentially unchangable on a large
network; anyone who ever knew it stands a really good change of it still being valid on random laptop, sold-off
hardware, etc. It's wrong for many reasons. Another bad solution is the "well-known and shared" domain admin password.
It too has many bad properties, tending to leak, needing changed when staff changes, and producing untrackable changes.
It's not intuitive, but you are far better off giving each help desk tech an individual domain admin account - in
addition to a personal user account. And encouraging/enforcing the use of "runas" to execute commands.
Advantages of a per-tech admin account: No shared password; no "plausible deniability"; simpler termination handling;
cleaner logs. You do audit privilege use, right?
Over twenty-five years, I have become convinced that anything leading to shared and reused passwords is just plain
wrong, and you must always find a solution that doesn't involve more than one person using the same password.
htroup () acm org
On Sat Feb 3 8:58 , WALI sent:
So what's the defined best practise regarding HelpDesk personnel be
given/told local admin account names and passwords on users PC/Workstations
in order to undertake routine fault finding and applications installation?
Help Desk techies also regularly inserts new workstations into the domain
hence they need certain privileges to be able to make new workstations join
the domain. What could be the most secure way given the fact that Servers
are running Win 2k3 and client machines are a combination of WinXP and Win2k.