Home page logo
/

basics logo Security Basics mailing list archives

Re: FW: Helpdesk as local admin
From: "kevin fielder" <kevin.fielder () gmail com>
Date: Wed, 7 Feb 2007 11:09:10 +0000

Hi

While I agree that generic / shared accounts are undesirable so giving
the helpdesk guys individual accounts is definitely a good idea from
both a security and accountability perspective, I would not advocate
giving them all domain admin privileges...

Given the below request I would suggest the following:

Create a group called something like helpdesk or deskside (or whatever
you like really !) -   add this group to the local admins group of all
desktops and laptops.

Place the helpdesk guys accounts into this group (or as suggested
previously create them separate admin accounts and place them in this
group for improved security)
Note: without some strong policy enforcement to back this up you'll
find they just login locally with their admin account all the time, so
be aware that as with most security related issues the technical
solution needs to be backed up with a solid and management supported
policy.

As to the adding machines to the domain this is a right that can be
delegated - so you can allow the helpdesk teams accounts to add
machines to the domain without making them domain admins.

cheers

Kevin




-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of htroup () acm org
Sent: 05 February 2007 17:16
To: security-basics () securityfocus com
Subject: Re: Helpdesk as local admin



IMO, the worst practice is the "standard password on a local admin
account"= . This is essentially unchangable on a large network; anyone
who ever knew = it stands a really good change of it still being valid
on random laptop, so= ld-off hardware, etc.  It's wrong for many
reasons. Another bad solution is=  the "well-known and shared" domain
admin password. It too has many bad pro= perties, tending to leak,
needing changed when staff changes, and producing=  untrackable changes.

It's not intuitive, but you are far better off giving each help desk
tech a= n individual domain admin account - in addition to a personal
user account.=
  And encouraging/enforcing the use of "runas" to execute commands.

Advantages of a per-tech admin account: No shared password; no
"plausible d= eniability"; simpler termination handling; cleaner logs.
You do audit priv= ilege use, right?

Over twenty-five years, I have become convinced that anything leading to
sh= ared and reused passwords is just plain wrong, and you must always
find a s= olution that doesn't involve more than one person using the
same password.

--
Henry Troup
htroup () acm org

 On Sat Feb  3  8:58 , WALI  sent:

>Hi Guys..
>
>So what's the defined best practise regarding HelpDesk personnel be=20
>given/told local admin account names and passwords on users
>PC/Workstation=
s=20
>in order to undertake routine fault finding and applications
installation?
>
>Help Desk techies also regularly inserts new workstations into the
>domain=
=20
>hence they need certain privileges to be able to make new workstations
>joi=
n=20
>the domain. What could be the most secure way given the fact that
>Servers=
=20
>are running Win 2k3 and client machines are a combination of WinXP and
>Win=
2k.
>
>








  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]