Home page logo

basics logo Security Basics mailing list archives

Re: Helpdesk as local admin
From: htroup () acm org
Date: Mon, 05 Feb 2007 09:16:06 -0800

IMO, the worst practice is the "standard password on a local admin account"=
. This is essentially unchangable on a large network; anyone who ever knew =
it stands a really good change of it still being valid on random laptop, so=
ld-off hardware, etc.  It's wrong for many reasons. Another bad solution is=
 the "well-known and shared" domain admin password. It too has many bad pro=
perties, tending to leak, needing changed when staff changes, and producing=
 untrackable changes.

It's not intuitive, but you are far better off giving each help desk tech a=
n individual domain admin account - in addition to a personal user account.=
  And encouraging/enforcing the use of "runas" to execute commands.

Advantages of a per-tech admin account: No shared password; no "plausible d=
eniability"; simpler termination handling; cleaner logs.  You do audit priv=
ilege use, right?

Over twenty-five years, I have become convinced that anything leading to sh=
ared and reused passwords is just plain wrong, and you must always find a s=
olution that doesn't involve more than one person using the same password.

Henry Troup
htroup () acm org

 On Sat Feb  3  8:58 , WALI  sent:

Hi Guys..

So what's the defined best practise regarding HelpDesk personnel be=20
given/told local admin account names and passwords on users PC/Workstation=
in order to undertake routine fault finding and applications installation?

Help Desk techies also regularly inserts new workstations into the domain=
hence they need certain privileges to be able to make new workstations joi=
the domain. What could be the most secure way given the fact that Servers=
are running Win 2k3 and client machines are a combination of WinXP and Win=

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]