Re: FW: Helpdesk as local admin

["kevin fielder" <kevin.fielder () gmail com>]

Hi

While I agree that generic / shared accounts are undesirable so giving
the helpdesk guys individual accounts is definitely a good idea from
both a security and accountability perspective, I would not advocate
giving them all domain admin privileges...

Given the below request I would suggest the following:

Create a group called something like helpdesk or deskside (or whatever
you like really !) -   add this group to the local admins group of all
desktops and laptops.

Place the helpdesk guys accounts into this group (or as suggested
previously create them separate admin accounts and place them in this
group for improved security)
Note: without some strong policy enforcement to back this up you'll
find they just login locally with their admin account all the time, so
be aware that as with most security related issues the technical
solution needs to be backed up with a solid and management supported
policy.

As to the adding machines to the domain this is a right that can be
delegated - so you can allow the helpdesk teams accounts to add
machines to the domain without making them domain admins.

cheers

Kevin



> -----Original Message-----
> From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
> On Behalf Of htroup () acm org
> Sent: 05 February 2007 17:16
> To: security-basics () securityfocus com
> Subject: Re: Helpdesk as local admin
>
>
>
> IMO, the worst practice is the "standard password on a local admin
> account"= . This is essentially unchangable on a large network; anyone
> who ever knew = it stands a really good change of it still being valid
> on random laptop, so= ld-off hardware, etc.  It's wrong for many
> reasons. Another bad solution is=  the "well-known and shared" domain
> admin password. It too has many bad pro= perties, tending to leak,
> needing changed when staff changes, and producing=  untrackable changes.
>
> It's not intuitive, but you are far better off giving each help desk
> tech a= n individual domain admin account - in addition to a personal
> user account.=
>   And encouraging/enforcing the use of "runas" to execute commands.
>
> Advantages of a per-tech admin account: No shared password; no
> "plausible d= eniability"; simpler termination handling; cleaner logs.
> You do audit priv= ilege use, right?
>
> Over twenty-five years, I have become convinced that anything leading to
> sh= ared and reused passwords is just plain wrong, and you must always
> find a s= olution that doesn't involve more than one person using the
> same password.
>
> --
> Henry Troup
> htroup () acm org
>
>  On Sat Feb  3  8:58 , WALI  sent:
>
> >Hi Guys..
> >
> >So what's the defined best practise regarding HelpDesk personnel be=20
> >given/told local admin account names and passwords on users
> >PC/Workstation=
> s=20
> >in order to undertake routine fault finding and applications
> installation?
> >
> >Help Desk techies also regularly inserts new workstations into the
> >domain=
> =20
> >hence they need certain privileges to be able to make new workstations
> >joi=
> n=20
> >the domain. What could be the most secure way given the fact that
> >Servers=
> =20
> >are running Win 2k3 and client machines are a combination of WinXP and
> >Win=
> 2k.
> >
> >