Re: Local Admin Accounts

[Kevin Shalla <kshalla () UIC EDU>]

What are the mechanics of using the encrypted flash drive to log on
as administrator?

At 03:01 PM 10/7/2009, Sarazen, Daniel wrote:
> I have one department with about 100+ desktops. What the Admin has done
> with the desktop admin password, is to place it on an encrypted flash
> drive, which is stored in his safe. When the work-study student needs to
> service desktops, they are issued the flash drive and they return it
> when they are done.
>
> Does anyone see a problem with this?
>
> Thanks
>
>
>
>
> :: Daniel Sarazen, Senior Information Technology Auditor
> :: University Internal Audit
> :: University of Massachusetts President's Office
> :: 774-455-7558
> :: 781-724-3377 Cell
> :: 774-455-7550 Fax
> :: Dsarazen () umassp edu
>
> University of Massachusetts : 333 South St. : Suite 450 : Shrewsbury, MA
> 01545 : www.massachusetts.edu
>
>
> -----Original Message-----
> From: The EDUCAUSE Security Constituent Group Listserv
> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Zach Jansen
> Sent: Wednesday, October 07, 2009 3:56 PM
> To: SECURITY () LISTSERV EDUCAUSE EDU
> Subject: Re: [SECURITY] Local Admin Accounts
>
> I didn't see a response to Manny's question on this thread. What do
> other schools do with student workers to get them admin access? Does
> your HelpDesk have a local admin password to login to systems that
> aren't on the network? If you do, how do you manage a local password
> change when a staff member, student or otherwise, leaves?
>
> Zach
> --
>
> Zach Jansen
> Information Security Officer
> Calvin College
> Phone: 616.526.6776
> Fax: 616.526.8550
>
> >>> On 9/16/2009 at 3:37 PM, in message
> <74EC63270F70E84EBE31C4588324B476766E7D9AF9 () EXVS01 olin edu>, Manuel
> Amaral
> <Manuel.Amaral () OLIN EDU> wrote:
> > The feedback on this topic has been great.  I'm curious what others do
> to
> > provide and manage admin access for help desk workstudy students to
> assist
> > with system repairs, troubleshooting, updates, etc.
> >
> >
> > Manny
> > ---------------------------------------
> > Manuel (Manny) Amaral
> > Associate Director, Information Technology
> > Franklin W. Olin College of Engineering
> >
> >
> > -----Original Message-----
> > From: The EDUCAUSE Security Constituent Group Listserv
> > [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Gary Flynn
> > Sent: Wednesday, September 16, 2009 3:33 PM
> > To: SECURITY () LISTSERV EDUCAUSE EDU
> > Subject: Re: [SECURITY] Local Admin Accounts
> >
> > We're putting laptops on the domain too. But both laptops and desktops
> have
> > a local administrator account unique and known to the user.
> >
> >
> > Gary Flynn
> > Security Engineer
> > James Madison University
> >
> > <reply top posted thanks to Microsoft Outlook>
> >
> >
> >> -----Original Message-----
> >> From: The EDUCAUSE Security Constituent Group Listserv
> >> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Smith, Bob
> >> Sent: Wednesday, September 16, 2009 3:14 PM
> >> To: SECURITY () LISTSERV EDUCAUSE EDU
> >> Subject: Re: [SECURITY] Local Admin Accounts
> >>
> >> Everyone is posting some great ideas for handling computers on the
> >> domain, but how are you dealing with computers (laptops) that might
> not
> >> be on the domain?  Are you simply giving them an elevated local
> >> account, using 2 local accounts (one non-admin and one admin) or
> >> something else?
> >>
> >>
> >>
> >> Bob Smith
> >>
> >> Information Security Officer
> >>
> >> Longwood University
> >>
> >>
> >>
> >> From: The EDUCAUSE Security Constituent Group Listserv
> >> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of Strzelec, Wally
> >> Sent: Wednesday, September 16, 2009 2:42 PM
> >> To: SECURITY () LISTSERV EDUCAUSE EDU
> >> Subject: Re: [SECURITY] Local Admin Accounts
> >>
> >>
> >>
> >> 1.       We are using Vista in our labs and disable the local
> >> Administrator account.
> >>
> >>
> >>
> >> 2.         See #4.
> >>
> >>
> >>
> >> 3.       We have never had any issues with machines dropping out of
> the
> >> domain.  (2500 machines)
> >>
> >>
> >>
> >> 4.       We do not allow anonymous account access, everyone uses
> their
> >> domain account for what they need.  For administrative access we use
> >> group policy.  We created an OU that contains groups with the same
> name
> >> as the computer.  A group policy will then add the group
> %COMPUTERNAM%
> >> to the local administrators group.  We simply add the user to the
> >> appropriate %COMPUTERNAM% group and they are an Administrator of that
> >> and only that machine.  We use the same GPO to remove everyone with
> the
> >> exception of the folks we specify, from all of the groups just in
> case
> >> one of our %COMPUTERNAM% group Administrators decide to add
> themselves
> >> or someone else to something that they should not.
> >>
> >>
> >>
> >> 5.       Use the Active Directory and Group Policies.
> >>
> >>
> >>
> >> -Wally Strzelec
> >>
> >>  Computing and information Services
> >>
> >>  Texas A&M University
> >>
> >>
> >>
> >> From: The EDUCAUSE Security Constituent Group Listserv
> >> [mailto:SECURITY () LISTSERV EDUCAUSE EDU] On Behalf Of King, Ronald A.
> >> Sent: Wednesday, September 16, 2009 1:20 PM
> >> To: SECURITY () LISTSERV EDUCAUSE EDU
> >> Subject: [SECURITY] Local Admin Accounts
> >>
> >>
> >>
> >> I would like to inquire as to what other Universities are doing with
> >> regard to local admin accounts in Windows domain.  We are
> contemplating
> >> removing or disabling local administrator accounts across the board
> and
> >> use a Workstation Administrators group in Active Directory.
> >>
> >>
> >>
> >> 1.       Has anyone disabled the local Administrator account?
> >>
> >> 2.       How do you handle when a machine can no longer talk to the
> >> network or domain, whether a hardware failure or lost trust?
> >>
> >> 3.       If a machine loses its trust with the domain, what cause
> this?
> >>
> >> 4.       Is there a method of creating a unique password for each
> >> machine for the administrator account, or someway of not having to
> give
> >> out one password that gives someone access to anything and
> everything?
> >>
> >> 5.       Any other advice?
> >>
> >>
> >>
> >> Ronald King
> >>
> >> Security Engineer
> >>
> >> Norfolk State University
> >>
> >> Marie V. McDemmond Center for Applied Research
> >>
> >> Suite 401
> >>
> >> 700 Park Ave.
> >>
> >> Norfolk, Virginia  23504
> >>
> >> Phone:  757-823-3918
> >>
> >> Fax: 757-823-2128
> >>
> >> Email: raking () nsu edu
> >>
> >> http://security.nsu.edu
> >>
> >>