Re: local windows accounts

[Ralph Durkee <rd () rd1 net>]

For the "credential compartmentalization" I would say it doesn't apply
well to local windows account.  The credential compartmentalization
would be the opposite of single-sign-on, the concept would be to have
different account and passwords for  systems with different very
purposes and very different risk profiles.    So for example firewall
administrative accounts should NOT be same the regular user account or
email accounts. 

-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GCIA, GPEN
Principal Security Consultant


On 5/20/2011 4:39 PM, craig bowser wrote:
> BTW, WTH is "credential compartmentalization"????
>
> o_O
>
> Craig L Bowser
> ____________________________
>
> This email is measured by size.  Bits and bytes may have settled
> during transport.
>
>
>
> On Fri, May 20, 2011 at 4:39 PM, craig bowser <reswob10 () gmail com
> <mailto:reswob10 () gmail com>> wrote:
>
>     make sure they are not in the local admin group.
>
>
>     Craig L Bowser
>     ____________________________
>
>     This email is measured by size.  Bits and bytes may have settled
>     during transport.
>
>
>
>     On Fri, May 20, 2011 at 2:06 PM, Matthew Perry <mlperry () gmail com
>     <mailto:mlperry () gmail com>> wrote:
>
>         "personal preference and credential compartmentalization" was the
>         answer I got.  My issue is getting management to back me right
>         now.
>         Also is there a group policy setting to keep users from
>         creating local
>         accounts?
>
>         On Friday, May 20, 2011, Joel Esler <joel.esler () me com
>         <mailto:joel.esler () me com>> wrote:
>         > Ask them why.  Then report back.  Most likely they don't
>         need what they are asking.
>         >
>         > On May 20, 2011, at 1:24 PM, Matthew Perry wrote:
>         >
>         >> I have a few users who insist that they need a local
>         account on their domain laptops.  I am trying to explain to
>         them that their password will cache and allow them to login
>         while not on the network.  It also looks like local accounts
>         bypass a lot of our group policy rules that we have put in
>         place and I do not want to have to manage local policies as
>         well.  Can anyone give me some more good reasons why it is bad
>         to use a local account instead of a domain account.
>         >>
>         >> Thanks!
>         >>
>         >> --
>         >> Matthew Perry
>         >> _______________________________________________
>         >> Pauldotcom mailing list
>         >> Pauldotcom () mail pauldotcom com
>         <mailto:Pauldotcom () mail pauldotcom com>
>         >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>         >> Main Web Site: http://pauldotcom.com
>         >
>         > _______________________________________________
>         > Pauldotcom mailing list
>         > Pauldotcom () mail pauldotcom com
>         <mailto:Pauldotcom () mail pauldotcom com>
>         > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>         > Main Web Site: http://pauldotcom.com
>         >
>
>         --
>         Matthew Perry
>         _______________________________________________
>         Pauldotcom mailing list
>         Pauldotcom () mail pauldotcom com
>         <mailto:Pauldotcom () mail pauldotcom com>
>         http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>         Main Web Site: http://pauldotcom.com
>
>
>
>
> _______________________________________________
> Pauldotcom mailing list
> Pauldotcom () mail pauldotcom com
> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> Main Web Site: http://pauldotcom.com
_______________________________________________
Pauldotcom mailing list
Pauldotcom () mail pauldotcom com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com