Educause Security Discussion mailing list archives
Re: Local Admin Accounts
From: "Sarazen, Daniel" <dsarazen () UMASSP EDU>
Date: Wed, 7 Oct 2009 16:01:10 -0400
I have one department with about 100+ desktops. What the Admin has done with the desktop admin password is to place it on an encrypted flash drive, which is stored in his safe. When the work-study student needs to service desktops, they are issued the flash drive and they return it when they are done. Does anyone see a problem with this?

Thanks

:: Daniel Sarazen, Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen
Sent: Wednesday, October 07, 2009 3:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

I didn't see a response to Manny's question on this thread. What do other schools do with student workers to get them admin access? Does your HelpDesk have a local admin password to login to systems that aren't on the network? If you do, how do you manage a local password change when a staff member, student or otherwise, leaves?

Zach

--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

On 9/16/2009 at 3:37 PM, in message <74EC63270F70E84EBE31C4588324B476766E7D9AF9 () EXVS01 olin edu>, Manuel Amaral <Manuel.Amaral () OLIN EDU> wrote:

The feedback on this topic has been great. I'm curious what others do to provide and manage admin access for help desk workstudy students to assist with system repairs, troubleshooting, updates, etc.

Manny

---------------------------------------
Manuel (Manny) Amaral
Associate Director, Information Technology
Franklin W. Olin College of Engineering

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
Sent: Wednesday, September 16, 2009 3:33 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

We're putting laptops on the domain too. But both laptops and desktops have a local administrator account unique and known to the user.

Gary Flynn
Security Engineer
James Madison University

<reply top posted thanks to Microsoft Outlook>

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, Bob
Sent: Wednesday, September 16, 2009 3:14 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

Everyone is posting some great ideas for handling computers on the domain, but how are you dealing with computers (laptops) that might not be on the domain? Are you simply giving them an elevated local account, using 2 local accounts (one non-admin and one admin) or something else?

Bob Smith
Information Security Officer
Longwood University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Strzelec, Wally
Sent: Wednesday, September 16, 2009 2:42 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

1. We are using Vista in our labs and disable the local Administrator account.
2. See #4.
3. We have never had any issues with machines dropping out of the domain. (2500 machines)
4. We do not allow anonymous account access, everyone uses their domain account for what they need. For administrative access we use group policy. We created an OU that contains groups with the same name as the computer. A group policy will then add the group %COMPUTERNAM% to the local administrators group. We simply add the user to the appropriate %COMPUTERNAM% group and they are an Administrator of that and only that machine. We use the same GPO to remove everyone, with the exception of the folks we specify, from all of the groups just in case one of our %COMPUTERNAM% group Administrators decides to add themselves or someone else to something that they should not.
5. Use the Active Directory and Group Policies.

-Wally Strzelec
Computing and information Services
Texas A&M University

From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
Sent: Wednesday, September 16, 2009 1:20 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: [SECURITY] Local Admin Accounts

I would like to inquire as to what other Universities are doing with regard to local admin accounts in Windows domain. We are contemplating removing or disabling local administrator accounts across the board and using a Workstation Administrators group in Active Directory.

1. Has anyone disabled the local Administrator account?
2. How do you handle when a machine can no longer talk to the network or domain, whether a hardware failure or lost trust?
3. If a machine loses its trust with the domain, what causes this?
4. Is there a method of creating a unique password for each machine for the administrator account, or some way of not having to give out one password that gives someone access to anything and everything?
5. Any other advice?

Ronald King
Security Engineer
Norfolk State University
Marie V. McDemmond Center for Applied Research
Suite 401
700 Park Ave.
Norfolk, Virginia 23504
Phone: 757-823-3918
Fax: 757-823-2128
Email: raking () nsu edu
http://security.nsu.edu
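
Added example, not part of the thread and not any poster's own script: PowerShell that maintains and audits the per-machine admin groups described in Wally Strzelec's item 4 (one group per computer, named after it). It assumes the ActiveDirectory module from RSAT, two hypothetical OU paths, and that the GPO placing each group into the matching machine's local Administrators group is configured separately.

```powershell
# Added example; the OU paths are hypothetical placeholders, adjust before use.
Import-Module ActiveDirectory

$ComputerOU = 'OU=Labs,DC=example,DC=edu'            # hypothetical: OU holding the machines
$GroupOU    = 'OU=MachineAdmins,DC=example,DC=edu'   # hypothetical: OU holding the per-machine groups

# Names of all managed computers and of the groups that already exist.
$computers = @(Get-ADComputer -Filter * -SearchBase $ComputerOU |
    Select-Object -ExpandProperty Name)
$existing  = @(Get-ADGroup -Filter * -SearchBase $GroupOU -SearchScope OneLevel |
    Select-Object -ExpandProperty Name)

# 1. Create the missing same-named group for each computer.
#    New groups start empty, so nobody gains admin rights by default.
foreach ($name in $computers) {
    if ($existing -notcontains $name) {
        New-ADGroup -Name $name -SamAccountName $name `
            -GroupScope Global -GroupCategory Security -Path $GroupOU `
            -Description "Local Administrators on $name only"
    }
}

# 2. Report who holds admin on which machine, and flag stale groups.
#    A group whose computer is gone still carries its old members; if the
#    name is reused on a new machine, those members become its admins.
$groups = Get-ADGroup -Filter * -SearchBase $GroupOU -SearchScope OneLevel
$report = foreach ($g in $groups) {
    $members = @(Get-ADGroupMember -Identity $g |
        Select-Object -ExpandProperty SamAccountName)
    [pscustomobject]@{
        Computer    = $g.Name
        Stale       = ($computers -notcontains $g.Name)
        MemberCount = $members.Count
        Members     = $members -join ', '
    }
}

# Stale groups first, then the machines with the most admins.
$report | Sort-Object @{ Expression = 'Stale'; Descending = $true },
                      @{ Expression = 'MemberCount'; Descending = $true } |
    Format-Table -AutoSize
```

Run on a schedule, the report also answers the offboarding question raised in the thread: removing a departing student from the listed groups revokes their admin rights without changing any shared password.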