Home page logo
/

basics logo Security Basics mailing list archives

RE: Helpdesk as local admin
From: "Rolf Huisman" <r.l.r.huisman () home nl>
Date: Tue, 6 Feb 2007 18:59:52 +0100

While I agree with the rest.
each help desk tech an individual domain admin account
I think you meant; a domain account which grants local admin.

-----Oorspronkelijk bericht-----
Van: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
Namens htroup () acm org
Verzonden: maandag 5 februari 2007 18:16
Aan: security-basics () securityfocus com
Onderwerp: Re: Helpdesk as local admin



IMO, the worst practice is the "standard password on a local admin
account"=
. This is essentially unchangable on a large network; anyone who ever
knew =
it stands a really good change of it still being valid on random laptop,
so=
ld-off hardware, etc.  It's wrong for many reasons. Another bad solution
is=
 the "well-known and shared" domain admin password. It too has many bad
pro=
perties, tending to leak, needing changed when staff changes, and
producing=
 untrackable changes.

It's not intuitive, but you are far better off giving each help desk
tech a=
n individual domain admin account - in addition to a personal user
account.=
  And encouraging/enforcing the use of "runas" to execute commands.

Advantages of a per-tech admin account: No shared password; no
"plausible d=
eniability"; simpler termination handling; cleaner logs.  You do audit
priv=
ilege use, right?

Over twenty-five years, I have become convinced that anything leading to
sh=
ared and reused passwords is just plain wrong, and you must always find
a s=
olution that doesn't involve more than one person using the same
password.

--
Henry Troup
htroup () acm org

 On Sat Feb  3  8:58 , WALI  sent:

Hi Guys..

So what's the defined best practise regarding HelpDesk personnel be=20
given/told local admin account names and passwords on users
PC/Workstation=
s=20
in order to undertake routine fault finding and applications
installation?

Help Desk techies also regularly inserts new workstations into the
domain=
=20
hence they need certain privileges to be able to make new workstations
joi=
n=20
the domain. What could be the most secure way given the fact that
Servers=
=20
are running Win 2k3 and client machines are a combination of WinXP and
Win=
2k.












  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault