Re: Helpdesk as local admin

[htroup () acm org]

IMO, the worst practice is the "standard password on a local admin account"=
. This is essentially unchangable on a large network; anyone who ever knew =
it stands a really good change of it still being valid on random laptop, so=
ld-off hardware, etc.  It's wrong for many reasons. Another bad solution is=
 the "well-known and shared" domain admin password. It too has many bad pro=
perties, tending to leak, needing changed when staff changes, and producing=
 untrackable changes.

It's not intuitive, but you are far better off giving each help desk tech a=
n individual domain admin account - in addition to a personal user account.=
  And encouraging/enforcing the use of "runas" to execute commands.

Advantages of a per-tech admin account: No shared password; no "plausible d=
eniability"; simpler termination handling; cleaner logs.  You do audit priv=
ilege use, right?

Over twenty-five years, I have become convinced that anything leading to sh=
ared and reused passwords is just plain wrong, and you must always find a s=
olution that doesn't involve more than one person using the same password.

--
Henry Troup
htroup () acm org

 On Sat Feb  3  8:58 , WALI  sent:

> Hi Guys..
>
> So what's the defined best practise regarding HelpDesk personnel be=20
> given/told local admin account names and passwords on users PC/Workstation=
s=20
> in order to undertake routine fault finding and applications installation?
>
> Help Desk techies also regularly inserts new workstations into the domain=
=20
> hence they need certain privileges to be able to make new workstations joi=
n=20
> the domain. What could be the most secure way given the fact that Servers=
=20
> are running Win 2k3 and client machines are a combination of WinXP and Win=
2k.
>