Educause Security Discussion mailing list archives
Re: Local Admin Accounts
From: Kevin Shalla <kshalla () UIC EDU>
Date: Fri, 9 Oct 2009 08:40:37 -0500
What are the mechanics of using the encrypted flash drive to log on as administrator?

At 03:01 PM 10/7/2009, Sarazen, Daniel wrote:

I have one department with about 100+ desktops. What the Admin has done with the desktop admin password, is to place it on an encrypted flash drive, which is stored in his safe. When the work-study student needs to service desktops, they are issued the flash drive and they return it when they are done. Does anyone see a problem with this?

Thanks

:: Daniel Sarazen, Senior Information Technology Auditor
:: University Internal Audit
:: University of Massachusetts President's Office
:: 774-455-7558
:: 781-724-3377 Cell
:: 774-455-7550 Fax
:: Dsarazen () umassp edu

University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA 01545 : www.massachusetts.edu

-----Original Message-----
From: The EDUCAUSE Security Constituent Group Listserv [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen
Sent: Wednesday, October 07, 2009 3:56 PM
To: SECURITY () LISTSERV EDUCAUSE EDU
Subject: Re: [SECURITY] Local Admin Accounts

I didn't see a response to Manny's question on this thread. What do other schools do with student workers to get them admin access? Does your HelpDesk have a local admin password to login to systems that aren't on the network? If you do, how do you manage a local password change when a staff member, student or otherwise, leaves?

Zach

--
Zach Jansen
Information Security Officer
Calvin College
Phone: 616.526.6776
Fax: 616.526.8550

>>> On 9/16/2009 at 3:37 PM, in message <74EC63270F70E84EBE31C4588324B476766E7D9AF9 () EXVS01 olin edu>, Manuel Amaral <Manuel.Amaral () OLIN EDU> wrote:
> The feedback on this topic has been great. I'm curious what others do to
> provide and manage admin access for help desk workstudy students to assist
> with system repairs, troubleshooting, updates, etc.
>
> Manny
> ---------------------------------------
> Manuel (Manny) Amaral
> Associate Director, Information Technology
> Franklin W. Olin College of Engineering
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
> Sent: Wednesday, September 16, 2009 3:33 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Local Admin Accounts
>
> We're putting laptops on the domain too. But both laptops and desktops have
> a local administrator account unique and known to the user.
>
> Gary Flynn
> Security Engineer
> James Madison University
>
> <reply top posted thanks to Microsoft Outlook>
>
>> -----Original Message-----
>> From: The EDUCAUSE Security Constituent Group Listserv
>> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, Bob
>> Sent: Wednesday, September 16, 2009 3:14 PM
>> To: SECURITY () LISTSERV EDUCAUSE EDU
>> Subject: Re: [SECURITY] Local Admin Accounts
>>
>> Everyone is posting some great ideas for handling computers on the
>> domain, but how are you dealing with computers (laptops) that might not
>> be on the domain? Are you simply giving them an elevated local
>> account, using 2 local accounts (one non-admin and one admin) or
>> something else?
>>
>> Bob Smith
>> Information Security Officer
>> Longwood University
>>
>> From: The EDUCAUSE Security Constituent Group Listserv
>> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Strzelec, Wally
>> Sent: Wednesday, September 16, 2009 2:42 PM
>> To: SECURITY () LISTSERV EDUCAUSE EDU
>> Subject: Re: [SECURITY] Local Admin Accounts
>>
>> 1. We are using Vista in our labs and disable the local
>> Administrator account.
>>
>> 2. See #4.
>>
>> 3. We have never had any issues with machines dropping out of the
>> domain. (2500 machines)
>>
>> 4. We do not allow anonymous account access, everyone uses their
>> domain account for what they need. For administrative access we use
>> group policy. We created an OU that contains groups with the same name
>> as the computer. A group policy will then add the group %COMPUTERNAME%
>> to the local administrators group. We simply add the user to the
>> appropriate %COMPUTERNAME% group and they are an Administrator of that
>> and only that machine. We use the same GPO to remove everyone with the
>> exception of the folks we specify, from all of the groups just in case
>> one of our %COMPUTERNAME% group Administrators decides to add themselves
>> or someone else to something that they should not.
>>
>> 5. Use the Active Directory and Group Policies.
>>
>> -Wally Strzelec
>> Computing and information Services
>> Texas A&M University
>>
>> From: The EDUCAUSE Security Constituent Group Listserv
>> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
>> Sent: Wednesday, September 16, 2009 1:20 PM
>> To: SECURITY () LISTSERV EDUCAUSE EDU
>> Subject: [SECURITY] Local Admin Accounts
>>
>> I would like to inquire as to what other Universities are doing with
>> regard to local admin accounts in Windows domain. We are contemplating
>> removing or disabling local administrator accounts across the board and
>> using a Workstation Administrators group in Active Directory.
>>
>> 1. Has anyone disabled the local Administrator account?
>>
>> 2. How do you handle when a machine can no longer talk to the
>> network or domain, whether a hardware failure or lost trust?
>>
>> 3. If a machine loses its trust with the domain, what causes this?
>>
>> 4. Is there a method of creating a unique password for each
>> machine for the administrator account, or some way of not having to give
>> out one password that gives someone access to anything and everything?
>>
>> 5. Any other advice?
>>
>> Ronald King
>> Security Engineer
>> Norfolk State University
>> Marie V. McDemmond Center for Applied Research
>> Suite 401
>> 700 Park Ave.
>> Norfolk, Virginia 23504
>> Phone: 757-823-3918
>> Fax: 757-823-2128
>> Email: raking () nsu edu
>> http://security.nsu.edu
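
The group-per-computer scheme described in the quoted thread (a domain group named after each computer placed in local Administrators, everyone else removed by policy, built-in Administrator disabled) can be checked for drift with a small audit. This is an added example, not part of the original thread; the domain name `EXAMPLE`, the allowlist, the export format and all inventory data are constructed assumptions.

```python
# Added example: constructed data; EXAMPLE domain, allowlist and export format are assumptions.
DOMAIN = "EXAMPLE"                            # hypothetical NetBIOS domain name
ALWAYS_ALLOWED = ["EXAMPLE\\Domain Admins"]   # assumed stand-in for "the folks we specify"

# Constructed export: computer -> state of its local Administrators group.
INVENTORY = {
    "LAB-PC01": {"builtin_admin_enabled": False, "members": [
        "LAB-PC01\\Administrator", "EXAMPLE\\Domain Admins", "EXAMPLE\\LAB-PC01"]},
    "LAB-PC02": {"builtin_admin_enabled": False, "members": [
        "LAB-PC02\\Administrator", "EXAMPLE\\Domain Admins", "example\\lab-pc02",
        "EXAMPLE\\jdoe"]},            # a user added directly, bypassing the group
    "LAB-PC03": {"builtin_admin_enabled": True, "members": [
        "LAB-PC03\\Administrator", "EXAMPLE\\Domain Admins",
        "EXAMPLE\\LAB-PC01"]},        # another machine's group; own group missing
}


def expected_members(computer):
    """Map casefolded name -> display name of every principal allowed on `computer`."""
    names = ALWAYS_ALLOWED + [
        f"{DOMAIN}\\{computer}",          # the group named after this computer
        f"{computer}\\Administrator",     # built-in account always stays a member
    ]
    return {n.casefold(): n for n in names}


def audit(inventory):
    """Return (computer, finding, principal) tuples for every deviation."""
    findings = []
    for computer in sorted(inventory):
        state = inventory[computer]
        actual = {m.casefold(): m for m in state["members"]}  # Windows names ignore case
        expected = expected_members(computer)
        for key in sorted(actual.keys() - expected.keys()):
            findings.append((computer, "unexpected-member", actual[key]))
        for key in sorted(expected.keys() - actual.keys()):
            findings.append((computer, "missing-member", expected[key]))
        if state["builtin_admin_enabled"]:
            findings.append((computer, "builtin-admin-enabled", f"{computer}\\Administrator"))
    return findings


if __name__ == "__main__":
    for computer, finding, principal in audit(INVENTORY):
        print(f"{computer:10} {finding:22} {principal}")
```
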