Security Basics mailing list archives
Re: Admin password management
From: Aarón Mizrachi <unmanarc () gmail com>
Date: Thu, 21 May 2009 05:44:08 -0430
On Wednesday 20 May 2009 08:18:04 mamo wrote:
Hi all. I am responsible for the security of a small ISP. I need to manage the admin passwords of all the machines of the ISP (around 200 systems, mainly with Linux, Windows and Solaris OS). By admin user I mean things like root, oracle, Oracle sys, MSSQL SA, BEA admin password, etc. We have a policy that requires users to authenticate with a nominal username/password (and sudo on UN*X), but there are situations where accessing with the admin password is required, and it is not acceptable to share the password with the whole group that works on IT Assurance activity. I would like to have a product that:
- Logs who takes what password
- Logs who changes the password
- Permits generating a new random password
- Has "decent" security
- Permits profiling who can see what password (not mandatory)
- Permits adding a note to the activity (why the user needed to take the admin password)
I am looking for a product that will be used by around 50-100 people who manage the ISP (not like KeePass or Password Safe, where the user has the encrypted DB with all the passwords on the PC). I would appreciate being able to do this with an Open Source product, but I can also evaluate commercial products. Do you have any experience to share of products that match my description?
Did you say LDAP? Well, it depends on your organization and what you can do to integrate systems... LDAP can provide you some way to unify password management and do what you want; Windows, Linux and many others can use LDAP as a cookie authenticating manager. With databases it depends on the database; for example, PostgreSQL lets you use LDAP as the auth manager: http://postgresql.mirrors-r-us.net/docs/techdocs-17.html I can't give any reference for Oracle or MSSQL, but I think it could be done.
-----------------
Furthermore, admin password management is a security flaw by design... while you can take over the administration of those admins and which servers they are able to manage, admins having full access to the machine could have the rights to leave a backdoor to maintain their access privileges, which is not so beautiful. What do I recommend? It depends on the OS; every OS can have its own security mechanisms. For example, some Linux distributions come SELinux-ready, which combined with a good group policy could improve your security by creating different kinds of admins. It is, in fact, really difficult to cut admin privileges down to a smaller set, because this new set is usually a potential disaster. Sometimes it is useful to have a monitoring-only admin, a low-privilege user-creation admin, and something like that.
Thank you. Mamo
-- Ing. Aaron G. Mizrachi P. http://www.unmanarc.com Mobil 1: + 58 416-6143543 Mobil 2: + 58 424-2412503
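As an added illustration of the requirement list in mamo's question (not code from the thread or from any product discussed in it), here is a minimal model of a privileged-password checkout service: per-host admin passwords, an access profile saying who may see which host, random rotation, and an append-only audit record of every checkout and rotation with a reason note. Class and method names are assumptions; the secrets are kept in memory only for illustration.

```python
import secrets
import string
from datetime import datetime, timezone


class PrivilegedVault:
    """Hypothetical checkout vault modelling the thread's requirements."""

    def __init__(self, acl):
        # acl: {username: set of host names the user may check out or rotate}
        self.acl = acl
        self.secrets = {}   # host -> current admin password (in memory only here;
                            # a real vault would encrypt these at rest)
        self.audit = []     # append-only list of audit records

    def _log(self, actor, action, host, note):
        # Every attempt, allowed or denied, leaves a record of who, what and why.
        self.audit.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor, "action": action, "host": host, "note": note,
        })

    def rotate(self, actor, host, note, length=24):
        """Generate a fresh random admin password for host, if actor may."""
        if host not in self.acl.get(actor, set()):
            self._log(actor, "denied_rotate", host, note)
            raise PermissionError(f"{actor} may not rotate {host}")
        alphabet = string.ascii_letters + string.digits
        # secrets.choice draws from the OS CSPRNG, unlike random.choice
        self.secrets[host] = "".join(secrets.choice(alphabet) for _ in range(length))
        self._log(actor, "rotate", host, note)
        return self.secrets[host]

    def checkout(self, actor, host, note):
        """Return the admin password for host, recording who took it and why."""
        if not note.strip():
            raise ValueError("a reason note is required for every checkout")
        if host not in self.acl.get(actor, set()):
            self._log(actor, "denied_checkout", host, note)
            raise PermissionError(f"{actor} may not see {host}")
        self._log(actor, "checkout", host, note)
        return self.secrets[host]

    def history(self, host):
        """Answer 'who took / changed this password?' from the audit trail."""
        return [(r["actor"], r["action"], r["note"]) for r in self.audit
                if r["host"] == host]
```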