Security Basics mailing list archives
RE: Helpdesk as local admin
From: "Rolf Huisman" <r.l.r.huisman () home nl>
Date: Tue, 6 Feb 2007 18:59:52 +0100
While I agree with the rest:

    each help desk tech an individual domain admin account

I think you meant: a domain account which grants local admin.

-----Original message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On behalf of htroup () acm org
Sent: Monday, 5 February 2007 18:16
To: security-basics () securityfocus com
Subject: Re: Helpdesk as local admin

IMO, the worst practice is the "standard password on a local admin account". This is essentially unchangeable on a large network; anyone who ever knew it stands a really good chance of it still being valid on random laptops, sold-off hardware, etc. It's wrong for many reasons. Another bad solution is the "well-known and shared" domain admin password. It too has many bad properties, tending to leak, needing to be changed when staff changes, and producing untrackable changes.

It's not intuitive, but you are far better off giving each help desk tech an individual domain admin account - in addition to a personal user account. And encouraging/enforcing the use of "runas" to execute commands.

Advantages of a per-tech admin account: No shared password; no "plausible deniability"; simpler termination handling; cleaner logs. You do audit privilege use, right?

Over twenty-five years, I have become convinced that anything leading to shared and reused passwords is just plain wrong, and you must always find a solution that doesn't involve more than one person using the same password.

--
Henry Troup
htroup () acm org

On Sat Feb 3 8:58 , WALI sent:
Hi Guys.. So what's the defined best practice regarding HelpDesk personnel being given/told local admin account names and passwords on users' PCs/Workstations in order to undertake routine fault finding and application installation?

Help Desk techies also regularly insert new workstations into the domain, hence they need certain privileges to be able to make new workstations join the domain. What could be the most secure way, given the fact that servers are running Win 2k3 and client machines are a combination of WinXP and Win2k?
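As an added example (not code from anyone in this thread): the "you do audit privilege use, right?" point, turned into a small check over constructed logon records whose fields loosely mirror Windows Server 2003 logon events 528/540 (User Name, Domain, Logon Type, Workstation Name). The line format, host names, account names and the CORP domain are all assumptions; it flags local Administrator logons on workstations (the shared local admin password practice) and domain accounts used from several technicians' machines (a shared credential), while per-tech accounts used from one machine pass.

```python
import re
from collections import defaultdict

# Constructed sample log (not real data). Fields mirror what a Windows Server
# 2003 event 528/540 reports: logging host, User Name, Domain, Logon Type
# (2 = interactive, 10 = remote interactive), source Workstation Name.
SAMPLE_LOG = """\
WS01 Administrator WS01 2 WS01
WS02 Administrator WS02 10 HD-PC3
WS03 Administrator WS03 10 HD-PC3
WS04 Administrator WS04 10 HD-PC7
WS05 jdoe-admin CORP 10 HD-PC3
WS06 jdoe-admin CORP 10 HD-PC3
WS07 asmith-admin CORP 10 HD-PC7
WS08 helpdesk CORP 10 HD-PC1
WS09 helpdesk CORP 10 HD-PC3
WS10 helpdesk CORP 10 HD-PC7
"""

LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\d+)\s+(\S+)$")

def parse(log):
    """Turn the log text into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            host, user, domain, ltype, src = m.groups()
            events.append({"host": host, "user": user, "domain": domain,
                           "type": int(ltype), "src": src})
    return events

def audit(events):
    """Finding 1: hosts where the built-in local Administrator logged on
    (the 'standard password on a local admin account' practice).
    Finding 2: domain accounts used from more than one source workstation,
    the signature of a shared credential rather than a per-tech account."""
    local_admin_hosts = sorted({e["host"] for e in events
                                if e["domain"] == e["host"]
                                and e["user"].lower() == "administrator"})
    sources = defaultdict(set)
    for e in events:
        if e["domain"] != e["host"]:          # domain account, not a local one
            sources[f"{e['domain']}\\{e['user']}"].add(e["src"])
    shared_domain = {acct: sorted(s) for acct, s in sources.items() if len(s) > 1}
    return {"shared_local_admin_hosts": local_admin_hosts,
            "shared_domain_accounts": shared_domain}
```

Run `audit(parse(SAMPLE_LOG))` against a real export by swapping SAMPLE_LOG for lines in the same five-field layout; jdoe-admin and asmith-admin are not reported because each is used from a single machine.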