Home page logo

basics logo Security Basics mailing list archives

Re: Helpdesk as local admin
From: Henry Troup <htroup () acm org>
Date: Mon, 05 Feb 2007 11:07:56 -0500

IMO, the worst practice is the "standard password on a local admin account". This is essentially unchangable on a large 
network; anyone who ever knew it stands a really good change of it still being valid on random laptop, sold-off 
hardware, etc.  It's wrong for many reasons. Another bad solution is the "well-known and shared" domain admin password. 
It too has many bad properties, tending to leak, needing changed when staff changes, and producing untrackable changes.

It's not intuitive, but you are far better off giving each help desk tech an individual domain admin account - in 
addition to a personal user account.  And encouraging/enforcing the use of "runas" to execute commands.

Advantages of a per-tech admin account: No shared password; no "plausible deniability"; simpler termination handling; 
cleaner logs.  You do audit privilege use, right?

Over twenty-five years, I have become convinced that anything leading to shared and reused passwords is just plain 
wrong, and you must always find a solution that doesn't involve more than one person using the same password.

Henry Troup
htroup () acm org

 On Sat Feb  3  8:58 , WALI  sent:

Hi Guys..

So what's the defined best practise regarding HelpDesk personnel be 
given/told local admin account names and passwords on users PC/Workstations 
in order to undertake routine fault finding and applications installation?

Help Desk techies also regularly inserts new workstations into the domain 
hence they need certain privileges to be able to make new workstations join 
the domain. What could be the most secure way given the fact that Servers 
are running Win 2k3 and client machines are a combination of WinXP and Win2k.

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]