Security Basics mailing list archives

Re: Admin password management


From: Aarón Mizrachi <unmanarc () gmail com>
Date: Thu, 21 May 2009 05:44:08 -0430

On Wednesday 20 May 2009 08:18:04 mamo wrote:
> Hi all.
>
> I am responsible for the security of a small ISP. I need to manage the
> admin passwords of all the machines of the ISP (around 200 systems, mainly
> with Linux, Windows and Solaris OS).
> By admin user I mean things like root, oracle, Oracle sys, MSSQL SA,
> BEA admin password etc. We have a policy that requires users to
> authenticate with a nominal username/password (and sudo on UN*X), but
> there are situations where accessing with the admin password is required,
> and it is not acceptable to share the password with the whole group that
> works on IT Assurance activity.
>
> I would like to have a product that:
> - Logs who takes which password
> - Logs who changes the password
> - Permits generating a new random password
> - Has "decent" security
> - Permits profiling who can see which password (not mandatory)
> - Permits adding a note to the activity (why the user needed to
> take the admin password)
>
> I am looking for a product that will be used by around 50-100 people
> who manage the ISP (not like KeePass or Password Safe, where the user
> has the encrypted DB with all the passwords on the PC).
> I would appreciate being able to do this with an Open Source
> product, but I can also evaluate commercial products.
>
> Do you have any experience to share of a product that matches my description?

Did you say ldap?

Well, it depends on your organization and what you can do to integrate systems...
LDAP can provide you a way to unify password management and do what you
want; Windows, Linux and many others can use LDAP as a cookie authenticating
manager.

With databases, it depends on the database; for example, PostgreSQL lets you use
LDAP as the auth manager: http://postgresql.mirrors-r-us.net/docs/techdocs-17.html

I can't give any reference for Oracle or MSSQL. I think it could be done.

-----------------

Furthermore, admin password management is a security flaw by design... while
you can take over the administration of those admins and which servers they are able to
manage, the admins having full access to the machine could have the rights
to leave a backdoor to maintain their access privileges, which is not so
beautiful.

What do I recommend?

It depends on the OS; every OS can have its own security mechanisms. For example,
some Linux distributions come SELinux-ready, which combined with a good group
policy could improve your security by creating different kinds of admins.

It is, in fact, really difficult to cut admin privs down to a smaller set of
privileges, because this new set is usually a potential disaster.

Sometimes it is useful to have a monitoring-only admin, a low-privilege user
creation admin, and something like that.


> Thank you.
> Mamo


-- 
Ing. Aaron G. Mizrachi P.    
http://www.unmanarc.com
Mobil 1: + 58 416-6143543
Mobil 2: + 58 424-2412503
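The requirements mamo lists (log who takes which password and why, log who rotates it, generate random passwords, restrict who can see which credential) are easy to state but worth seeing end to end. The following is an added example written for this archive page, not a product mentioned in the thread and not code from either poster. It is a stdlib-only Python sketch of a checkout vault: group names, usernames, credential names and ticket notes are constructed sample values; the audit log is an HMAC hash chain so that a record edited or deleted after the fact is detectable, and encryption of the secrets at rest is deliberately left out.

```python
"""Privileged-password checkout vault: an added, constructed example (stdlib only).
It shows what mamo asked for: who took which password and why, who rotated it,
random generation, and per-credential group profiles. The audit log is an HMAC
hash chain so edited or deleted records are detectable. At-rest encryption of
the secrets is out of scope here."""
import hashlib, hmac, json, secrets, string
from dataclasses import dataclass, field
from datetime import datetime, timezone

GENESIS = "0" * 64          # "previous MAC" value for the first audit record


class AccessDenied(Exception):
    """User's groups do not intersect the credential's allowed groups."""


@dataclass
class Credential:
    name: str               # hypothetical naming, e.g. "db01/oracle-sys"
    secret: str
    allowed_groups: set = field(default_factory=set)


class AuditLog:
    """Append-only; each record's MAC covers its fields and the previous MAC."""

    def __init__(self, key: bytes):
        self._key, self.records = key, []

    def _mac(self, rec: dict) -> str:
        body = {k: v for k, v in rec.items() if k != "mac"}
        payload = json.dumps(body, sort_keys=True).encode()
        return hmac.new(self._key, payload, hashlib.sha256).hexdigest()

    def append(self, **fields) -> dict:
        prev = self.records[-1]["mac"] if self.records else GENESIS
        rec = dict(fields, ts=datetime.now(timezone.utc).isoformat(), prev=prev)
        rec["mac"] = self._mac(rec)
        self.records.append(rec)
        return rec

    def verify(self) -> bool:
        """True only if every record links to its predecessor and its MAC holds."""
        prev = GENESIS
        for rec in self.records:
            if rec["prev"] != prev or not hmac.compare_digest(self._mac(rec), rec["mac"]):
                return False
            prev = rec["mac"]
        return True


def generate_password(length: int = 24) -> str:
    """CSPRNG-backed password from letters, digits and a few symbols."""
    alphabet = string.ascii_letters + string.digits + "!#%*+-=_@"
    return "".join(secrets.choice(alphabet) for _ in range(length))


class Vault:
    def __init__(self, audit_key: bytes, group_members: dict):
        self._creds, self._members = {}, group_members   # group -> set of users
        self.audit = AuditLog(audit_key)

    def _allowed(self, user: str, cred: Credential) -> bool:
        groups = {g for g, users in self._members.items() if user in users}
        return bool(groups & cred.allowed_groups)

    def add(self, name: str, allowed_groups) -> None:
        self._creds[name] = Credential(name, generate_password(), set(allowed_groups))

    def checkout(self, user: str, name: str, note: str) -> str:
        """Return the secret and log who took it and why; a reason is mandatory."""
        if not note.strip():
            raise ValueError("a reason is required to take an admin password")
        cred = self._creds.get(name)
        if cred is None or not self._allowed(user, cred):
            self.audit.append(action="checkout-denied", user=user, credential=name, note=note)
            raise AccessDenied(f"{user} may not view {name}")
        self.audit.append(action="checkout", user=user, credential=name, note=note)
        return cred.secret

    def rotate(self, user: str, name: str, note: str) -> str:
        """Replace the secret with a fresh random one and log who changed it."""
        cred = self._creds.get(name)
        if cred is None or not self._allowed(user, cred):
            raise AccessDenied(f"{user} may not rotate {name}")
        cred.secret = generate_password()
        self.audit.append(action="rotate", user=user, credential=name, note=note)
        return cred.secret


def demo():
    """Constructed scenario: two groups, two credentials, one denied attempt."""
    vault = Vault(secrets.token_bytes(32), {"dba": {"alice"}, "unix": {"alice", "bob"}})
    vault.add("db01/oracle-sys", allowed_groups={"dba"})
    vault.add("web01/root", allowed_groups={"unix"})
    old_pw = vault.checkout("alice", "db01/oracle-sys", note="ticket 1234: tablespace recovery")
    try:
        vault.checkout("bob", "db01/oracle-sys", note="checking something")
    except AccessDenied:
        pass                                    # recorded as checkout-denied
    new_pw = vault.rotate("alice", "db01/oracle-sys", note="ticket 1234 closed, rotate")
    return vault, old_pw, new_pw
```

Denied checkouts are logged as well as granted ones, because the list of people who tried to take a password they were not profiled for is often the more interesting audit trail. The chained MAC only detects tampering by someone who does not hold the audit key, so in a real deployment that key (and the secrets themselves) would live in a separate store from the log.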
