Re: Helpdesk as local admin

[Henry Troup <htroup () acm org>]

IMO, the worst practice is the "standard password on a local admin account". This is essentially unchangable on a large 
network; anyone who ever knew it stands a really good change of it still being valid on random laptop, sold-off 
hardware, etc.  It's wrong for many reasons. Another bad solution is the "well-known and shared" domain admin password. 
It too has many bad properties, tending to leak, needing changed when staff changes, and producing untrackable changes.

It's not intuitive, but you are far better off giving each help desk tech an individual domain admin account - in 
addition to a personal user account.  And encouraging/enforcing the use of "runas" to execute commands.

Advantages of a per-tech admin account: No shared password; no "plausible deniability"; simpler termination handling; 
cleaner logs.  You do audit privilege use, right?

Over twenty-five years, I have become convinced that anything leading to shared and reused passwords is just plain 
wrong, and you must always find a solution that doesn't involve more than one person using the same password.

--
Henry Troup
htroup () acm org

 On Sat Feb  3  8:58 , WALI  sent:

> Hi Guys..
>
> So what's the defined best practise regarding HelpDesk personnel be 
> given/told local admin account names and passwords on users PC/Workstations 
> in order to undertake routine fault finding and applications installation?
>
> Help Desk techies also regularly inserts new workstations into the domain 
> hence they need certain privileges to be able to make new workstations join 
> the domain. What could be the most secure way given the fact that Servers 
> are running Win 2k3 and client machines are a combination of WinXP and Win2k.