Security Basics mailing list archives

RE: Helpdesk as local admin

From: "Rolf Huisman" <r.l.r.huisman () home nl>
Date: Tue, 6 Feb 2007 18:59:52 +0100

While I agree with the rest.

each help desk tech an individual domain admin account

I think you meant; a domain account which grants local admin.

-----Oorspronkelijk bericht-----
Van: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
Namens htroup () acm org
Verzonden: maandag 5 februari 2007 18:16
Aan: security-basics () securityfocus com
Onderwerp: Re: Helpdesk as local admin



IMO, the worst practice is the "standard password on a local admin
account"=
. This is essentially unchangable on a large network; anyone who ever
knew =
it stands a really good change of it still being valid on random laptop,
so=
ld-off hardware, etc.  It's wrong for many reasons. Another bad solution
is=
 the "well-known and shared" domain admin password. It too has many bad
pro=
perties, tending to leak, needing changed when staff changes, and
producing=
 untrackable changes.

It's not intuitive, but you are far better off giving each help desk
tech a=
n individual domain admin account - in addition to a personal user
account.=
  And encouraging/enforcing the use of "runas" to execute commands.

Advantages of a per-tech admin account: No shared password; no
"plausible d=
eniability"; simpler termination handling; cleaner logs.  You do audit
priv=
ilege use, right?

Over twenty-five years, I have become convinced that anything leading to
sh=
ared and reused passwords is just plain wrong, and you must always find
a s=
olution that doesn't involve more than one person using the same
password.

--
Henry Troup
htroup () acm org

 On Sat Feb  3  8:58 , WALI  sent:

Hi Guys..

So what's the defined best practise regarding HelpDesk personnel be=20
given/told local admin account names and passwords on users

PC/Workstation=
s=20

in order to undertake routine fault finding and applications

installation?


Help Desk techies also regularly inserts new workstations into the

domain=
=20

hence they need certain privileges to be able to make new workstations

joi=
n=20

the domain. What could be the most secure way given the fact that

Servers=
=20

are running Win 2k3 and client machines are a combination of WinXP and

Win=
2k.

Current thread:

Helpdesk as local admin WALI (Feb 05)
- RE: Helpdesk as local admin Scott Ramsdell (Feb 05)
- Re: Helpdesk as local admin gjgowey (Feb 05)
- RE: Helpdesk as local admin Patrick Wade (Feb 05)
- <Possible follow-ups>
- Re: Helpdesk as local admin Henry Troup (Feb 05)
- Re: Helpdesk as local admin htroup (Feb 05)
- RE: Helpdesk as local admin Rolf Huisman (Feb 07)
- RE: Helpdesk as local admin Henry Troup (Feb 07)
- Re: FW: Helpdesk as local admin kevin fielder (Feb 07)