mailing list archives
Re: Helpdesk as local admin
From: htroup () acm org
Date: Mon, 05 Feb 2007 09:16:06 -0800
IMO, the worst practice is the "standard password on a local admin account"=
. This is essentially unchangable on a large network; anyone who ever knew =
it stands a really good change of it still being valid on random laptop, so=
ld-off hardware, etc. It's wrong for many reasons. Another bad solution is=
the "well-known and shared" domain admin password. It too has many bad pro=
perties, tending to leak, needing changed when staff changes, and producing=
It's not intuitive, but you are far better off giving each help desk tech a=
n individual domain admin account - in addition to a personal user account.=
And encouraging/enforcing the use of "runas" to execute commands.
Advantages of a per-tech admin account: No shared password; no "plausible d=
eniability"; simpler termination handling; cleaner logs. You do audit priv=
ilege use, right?
Over twenty-five years, I have become convinced that anything leading to sh=
ared and reused passwords is just plain wrong, and you must always find a s=
olution that doesn't involve more than one person using the same password.
htroup () acm org
On Sat Feb 3 8:58 , WALI sent:
So what's the defined best practise regarding HelpDesk personnel be=20
given/told local admin account names and passwords on users PC/Workstation=
in order to undertake routine fault finding and applications installation?
Help Desk techies also regularly inserts new workstations into the domain=
hence they need certain privileges to be able to make new workstations joi=
the domain. What could be the most secure way given the fact that Servers=
are running Win 2k3 and client machines are a combination of WinXP and Win=