Security Basics mailing list archives

RE: Helpdesk as local admin

From: "Patrick Wade" <wade () ll mit edu>
Date: Mon, 5 Feb 2007 11:43:40 -0500

I think the best practice would be to create a helpdesk group with stripped
down admin privileges that are finely tuned to what they require and nothing
more. So in your case only allow them to install applications and add
machines to the domain but things like account creation and modifying
policies should not be available to them.


-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On
Behalf Of WALI
Sent: Saturday, February 03, 2007 8:59 AM
To: security-basics () securityfocus com
Subject: Helpdesk as local admin

Hi Guys..

So what's the defined best practise regarding HelpDesk personnel be 
given/told local admin account names and passwords on users PC/Workstations 
in order to undertake routine fault finding and applications installation?

Help Desk techies also regularly inserts new workstations into the domain 
hence they need certain privileges to be able to make new workstations join 
the domain. What could be the most secure way given the fact that Servers 
are running Win 2k3 and client machines are a combination of WinXP and
Win2k.

Current thread:

Helpdesk as local admin WALI (Feb 05)
- RE: Helpdesk as local admin Scott Ramsdell (Feb 05)
- Re: Helpdesk as local admin gjgowey (Feb 05)
- RE: Helpdesk as local admin Patrick Wade (Feb 05)
- <Possible follow-ups>
- Re: Helpdesk as local admin Henry Troup (Feb 05)
- Re: Helpdesk as local admin htroup (Feb 05)
- RE: Helpdesk as local admin Rolf Huisman (Feb 07)
- RE: Helpdesk as local admin Henry Troup (Feb 07)
- Re: FW: Helpdesk as local admin kevin fielder (Feb 07)