Security Basics mailing list archives

RE: Helpdesk as local admin
From: "Rolf Huisman" <r.l.r.huisman () home nl>
Date: Tue, 6 Feb 2007 18:59:52 +0100

While I agree with the rest:

> each help desk tech an individual domain admin account

I think you meant: a domain account which grants local admin.

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On behalf of htroup () acm org
Sent: Monday, 5 February 2007 18:16
To: security-basics () securityfocus com
Subject: Re: Helpdesk as local admin

IMO, the worst practice is the "standard password on a local admin
account". This is essentially unchangeable on a large network; anyone who ever
knew it stands a really good chance of it still being valid on random laptops,
sold-off hardware, etc.  It's wrong for many reasons. Another bad solution
is the "well-known and shared" domain admin password. It too has many bad
properties, tending to leak, needing changed when staff changes, and
untrackable changes.

It's not intuitive, but you are far better off giving each help desk
tech an individual domain admin account - in addition to a personal user
account.  And encouraging/enforcing the use of "runas" to execute commands.

Advantages of a per-tech admin account: No shared password; no
"plausible deniability"; simpler termination handling; cleaner logs.  You do audit
privilege use, right?

Over twenty-five years, I have become convinced that anything leading to
shared and reused passwords is just plain wrong, and you must always find
a solution that doesn't involve more than one person using the same

Henry Troup
htroup () acm org

On Sat Feb 3 8:58, WALI sent:

Hi Guys..

So what's the defined best practice regarding HelpDesk personnel be
given/told local admin account names and passwords on users
in order to undertake routine fault finding and applications

Help Desk techies also regularly insert new workstations into the
hence they need certain privileges to be able to make new workstations
the domain. What could be the most secure way given the fact that
are running Win 2k3 and client machines are a combination of WinXP and
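An added example, not part of this thread, showing the auditing side of Henry's per-tech-account argument: it groups explicit-credential logon records (the 4648-style events that "runas" produces) by the admin account used and flags shared local admin accounts, shared domain admin accounts, and a per-tech account used by someone other than its owner. The CORP domain, the adm- naming convention, the host names and the log lines are all constructed assumptions for this example.

```python
from collections import defaultdict

PER_TECH_PREFIX = "adm-"   # assumed convention: CORP\adm-<username> is that user's admin account
DOMAIN = "CORP"            # assumed domain; any other "domain" part is a local machine account

# Constructed sample records: time, event id, who invoked runas, account used, host.
SAMPLE_LOG = """\
2007-02-05T09:01:12 4648 subject=CORP\\jsmith target=CORP\\adm-jsmith host=WS-0142
2007-02-05T09:14:40 4648 subject=CORP\\akhan target=CORP\\adm-akhan host=WS-0077
2007-02-05T10:02:03 4648 subject=CORP\\akhan target=WS-0077\\Administrator host=WS-0077
2007-02-05T10:30:55 4648 subject=CORP\\jsmith target=WS-0201\\Administrator host=WS-0201
2007-02-05T11:12:09 4648 subject=CORP\\helpdesk target=CORP\\helpdesk-admin host=WS-0142
2007-02-05T11:15:31 4648 subject=CORP\\helpdesk target=CORP\\helpdesk-admin host=WS-0301
2007-02-05T12:40:18 4648 subject=CORP\\akhan target=CORP\\adm-jsmith host=WS-0142
2007-02-05T12:41:00 4624 subject=- target=CORP\\jsmith host=WS-0142
"""

def parse(line):
    """Split one record into a dict of its fields."""
    ts, event_id, *fields = line.split()
    rec = {"ts": ts, "id": int(event_id)}
    rec.update(f.split("=", 1) for f in fields)
    return rec

def classify(target, subjects):
    """Decide whether the account used can be tied to one accountable person."""
    dom, _, name = target.partition("\\")
    if dom != DOMAIN:
        return "shared local admin: same password likely on every host, not rotatable"
    if not name.startswith(PER_TECH_PREFIX):
        return "shared domain admin: no per-person accountability"
    owner = DOMAIN + "\\" + name[len(PER_TECH_PREFIX):]
    strangers = sorted(s for s in subjects if s != owner)
    if strangers:
        return "per-tech account used by someone else: " + ", ".join(strangers)
    return "ok: individual account, attributable"

def audit(log_text):
    """Aggregate 4648 records per target account and attach a finding to each."""
    seen = defaultdict(lambda: {"uses": 0, "subjects": set(), "hosts": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        r = parse(line)
        if r["id"] != 4648:        # only explicit-credential (runas-style) logons
            continue
        e = seen[r["target"]]
        e["uses"] += 1
        e["subjects"].add(r["subject"])
        e["hosts"].add(r["host"])
    return {t: dict(e, finding=classify(t, e["subjects"])) for t, e in seen.items()}

if __name__ == "__main__":
    for target, e in audit(SAMPLE_LOG).items():
        print(f"{target:26} uses={e['uses']} hosts={len(e['hosts'])}  {e['finding']}")
```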
