  • #2244424

    Administrator Password – to tell or not to tell?

    by fruitbat83 ·

    I am the only IT person in our organisation (25 staff). Obviously, I know the Administrator password but no one else does. In an emergency where someone had to use the Administrator password (for example to gain access to the Server) I have placed the password in a sealed envelope in the Finance fireproof Safe.

    I am currently under pressure by the Head of Finance (who is my immediate boss) to tell someone else the Administrator password. I maintain that as it is accessible in the Safe I need not tell someone the password.

    I am resisting because all the PCs are locked down (users cannot install anything, change anything etc) and if someone knew the Administrator password, they could install whatever they damn well felt like, which is why the machines are locked down. I want to know what people want installing and why they feel they need it installing.

    My boss wishes me to inform just one member of the Senior Managers who “knows about IT”. I know this particular person and feel that armed with the Admin Password she will seek to install software without my agreement, as happened before – she found the old password out and was secretly installing software which I knew nothing about. When I found out she knew the password, I changed it and didn’t tell her, but placed it in the safe.

    I feel that as we’re forbidden to tell each other our own logon passwords by Company Policy I shouldn’t be forced to hand out the Admin password willy-nilly, when using it can have massive implications on the system. If I agree to tell this one person, someone else might come along with a gripe that they also need the password and before I know it everyone will be using it.
    I feel that there is no solid reason for this lady to have the password until she really, really needs it, and then if I’m not there to assist, she can get it from the safe – why does she need to know it all the time?

    My boss argues I’m being a “control freak” about this – but it’s me that will have to fix the PCs when one of our more dopey employees installs something riddled with spyware.

    What do you think? What are your own policies regarding the administrator password in your organisation?

    • #2553175

      Absolutely Not

      by cmiller5400 ·

      In reply to Administrator Password – to tell or not to tell?

      What you have done is acceptable. If they need the password for some GOOD reason, it is available. That password should not be spread around or told to someone who is not administering the network.

    • #2553171

      Do not give it out under any circumstances…. unless.

      by locrian_lyric ·

      In reply to Administrator Password – to tell or not to tell?

      You go the following route:

      Bring your boss a document that says.

      “I hereby accept all responsibility for any damage that results from giving out the Admin password to (name of schnook). I understand that in so doing, I am exposing the company to risks from spyware, malware, trojans, viruses, and hacker threats. I understand that (name of schnook) has had this information in the past and has used it to circumvent existing IT policy and understand that (schnook) is likely to do it again. Therefore, I accept full responsibility and will hold harmless (fruitbat83) from any disciplinary action should any of the above risks, and any unforeseen ones, come to fruition.”

      See if he signs it.

      • #2555450

        While that is cute

        by jdclyde ·

        In reply to Do not give it out under any circumstances…. unless.

        it could backfire.

        I would bring this up in a meeting with the owner and all of the managers.

        Make damn sure that the “no unauthorized software” is COMPANY policy and not just something you decided.

        Ask them to explain why your having the password readily available upon an emergency is not sufficient and have them supply an example of why this particular user should know the password.

        I would at that time point out that she has knowingly abused that information before.

        Of course, if this all comes down to it being YOUR policy about locking the systems down and no unauthorized software, you might be showing them that you are the IT Nazi, and they will work to replace you ASAP. I would if that was the case.

        • #2555386

          Company Policy

          by fruitbat83 ·

          In reply to While that is cute

          We had a problem in the past with users installing stuff themselves and we ended up in a right mess.

          It was agreed at Board level (in the Use of ICT Policy) that the machines be locked down mainly because it was taking up so much time sorting the PCs out, loss of productivity etc.

        • #2801752

          nfgngfmmsdgkfgbdsbjsdbger…………………………kkkkkkkkkkkkkkkkkkkk

          by irene-martini ·

          In reply to While that is cute

          fdhhtkulfmsnb/bbfsdbvdkjgf/ahsdjghfgmsdbfgs fh.wFJBFSD SGFSEVGFWJ GF KEHB GFJKAG G JWH G KEGFGHJ EW RG TR YRHJWEGEWWEJ EERTERTER

        • #2801733

          I hate it when my cat walks on the keyboard.

          by charliespencer ·

          In reply to nfgngfmmsdgkfgbdsbjsdbger…………………………kkkkkkkkkkkkkkkkkkkk

          /\_/\
          (o o)
          =Y=

    • #2555468

      Rename the Admin account.

      by rfink ·

      In reply to Administrator Password – to tell or not to tell?

      Create a dummy account called “Administrator” with no rights. Give out the password to that account (under duress, of course). The real admin account remains hidden. If someone tries to do something behind your back, he won’t be able to.

      If a situation should arise where the true admin password is needed, the account and password are in the safe.

      BTW, who controls the Finance safe? I would think that the “Head of Finance” could help himself whenever he wanted it.

    • #2555467

      You are in the right. I like Locrian_Lyric’s answer too

      by ic-it ·

      In reply to Administrator Password – to tell or not to tell?

      We do the same thing here. I am the only one locally that has the admin passwords (Domain Admins have access of course).
      All my server and workstation passwords are in a sealed envelope and the safe is accessible only by a few folks. Any time the safe is opened the envelope is checked, and initials are kept on who opened and secured the safe (time, date).
      The only reason for her needing to know in a non-emergency situation is to circumvent policies.

    • #2555449

      Separate admin account for her.

      by charliespencer ·

      In reply to Administrator Password – to tell or not to tell?

      Give the troublesome user a second account for network administration. Put this account in the Domain Administrators global group. Give this account a password different from the p/w for the Admin account. This will allow her to work on the network as necessary, and any changes she makes will be identified with her admin username and distinguishable from changes you make as Administrator. Make sure she knows that you’ll be able to tell who did what. (Okay, so you’d have to turn auditing on for this to actually work, but they don’t need to know that.)

      Now remove the “Domain Admins” global group from the local Administrators group on her machine, and add your own. Now she’ll have domain admin privileges in an emergency but be unable to putz up her own machine. You can still service hers as needed.

      Everyone in our department that needs domain admin access has an account separate from both the Administrator account and from their ‘regular user’ account.
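      The procedure above (separate named admin account in Domain Admins, her own workstation kept out of her reach, auditing switched on so “who did what” is actually recorded) as an added PowerShell example; it is not from the thread or any poster, and the domain, account and computer names in it are assumptions. It assumes the RSAT ActiveDirectory module and an existing domain-admin session.

```powershell
# Added example, not from the thread. Names below are assumed placeholders.
Import-Module ActiveDirectory

$Domain      = 'CONTOSO'                # assumed NetBIOS domain name
$AdminUser   = 'jsmith-adm'             # assumed: her admin account, separate from her daily logon
$HerPC       = 'FIN-WS07'               # assumed: her workstation
$ItAdminAcct = "$Domain\fruitbat-adm"   # assumed: the IT person's own (non-built-in) admin account

# 1. A dedicated admin account with its own password, placed in Domain Admins.
#    Actions taken with it are logged under this name, not "Administrator".
$pw = Read-Host -AsSecureString -Prompt "Initial password for $AdminUser"
New-ADUser -Name $AdminUser -SamAccountName $AdminUser -AccountPassword $pw `
           -Enabled $true -ChangePasswordAtLogon $true `
           -Description 'Named domain-admin account; built-in Administrator stays in the safe'
Add-ADGroupMember -Identity 'Domain Admins' -Members $AdminUser

# 2. On her workstation, take Domain Admins out of the local Administrators group
#    and put the IT person's own admin account in instead: she keeps domain-admin
#    rights for an emergency but cannot reconfigure her own PC, and IT can still service it.
Invoke-Command -ComputerName $HerPC -ScriptBlock {
    param($domainAdmins, $itAdmin)
    Remove-LocalGroupMember -Group 'Administrators' -Member $domainAdmins -ErrorAction SilentlyContinue
    Add-LocalGroupMember    -Group 'Administrators' -Member $itAdmin      -ErrorAction SilentlyContinue
    # Show the resulting membership so the change can be verified.
    Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
} -ArgumentList "$Domain\Domain Admins", $ItAdminAcct

# 3. Turn on the auditing the post alludes to; without it the Security log has nothing
#    to attribute. auditpol applies to the machine it runs on (run it on the domain
#    controllers for account/group changes and on her PC for logons and new processes);
#    for a whole domain the same subcategories are set through Group Policy instead.
$subcats = 'User Account Management', 'Security Group Management', 'Logon', 'Process Creation'
foreach ($s in $subcats) {
    auditpol /set /subcategory:"$s" /success:enable /failure:enable | Out-Null
}

# 4. Spot check: 4720 (account created) and 4728 (member added to a global group)
#    now name the account that made the change in their Subject fields.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4720, 4728 } -MaxEvents 5 |
    Format-List TimeCreated, Id, Message
```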

      • #2555365

        Excellent Suggestion – Palmetto

        by smallbiz-techwiz ·

        In reply to Separate admin account for her.

        This is probably the best technical solution, but you’ll still have to deal with the difference of opinion between you and your boss the next time this comes up. It’s important to have clear objectives and policies for everyone to adhere to so you are working together on these issues. You don’t want to be fired because you couldn’t work well with others. It won’t matter who was wrong or who was right if you end up on the street.

    • #2555427

      Stand your ground

      by robo_dev ·

      In reply to Administrator Password – to tell or not to tell?

      Do you have an audit function in your organization? If so, get their take on this situation.

      Restricting administrative access to mission-critical systems is a basic audit control to prevent everything from data-loss to fraud.

      Having the administrative password could allow the audit-trail for your financial applications to get altered or destroyed, could allow a fraud to be perpetrated without detection, and allow financial information to be altered or destroyed.

      Here in the States we have this wonderful thing called the Sarbanes-Oxley Act (SOX). And while we mostly hate SOX, it’s sometimes a way for IT folks to get what they want: “well, it could have SOX implications.”

    • #2555412

      There is an alternative

      by computerd}} ·

      In reply to Administrator Password – to tell or not to tell?

      Instead of giving them the Domain Admin password, just give them a local admin password with limited access; that way they will be happy to do some things and not screw up your network. Or, just do this to her computer.

      http://www.instructables.com/id/Scare-your-friends-with-a-fake-error/

    • #2555405

      “Senior Managers who “knows about IT”

      by hoagiebp ·

      In reply to Administrator Password – to tell or not to tell?

      I always love this argument. If they “know about IT”, why are you the one responsible for IT?
      Can you get access to all of this Sr. Manager’s files and work? Say, for example, she is a manager in accounting. You “know about accounting”, don’t you? You can balance your checkbook, right? Does this make you qualified or the best person to be looking into the nitty-gritty of the stuff she is responsible for?

      The reasons others have stated are all valid reasons. Some of their solutions are great, too, but unless you can convince your manager of the seriousness of sharing out the Admin Password, you are going to need to bump this up over his head.

    • #2555397

      Well, where’s the buck stop?

      by cg it ·

      In reply to Administrator Password – to tell or not to tell?

      If your boss says give it to someone else, have him put in writing who to give it to.

      Make an admin account for the person your boss wants to have admin privileges.

      So if problems arise, it’s their account that was used, and you have a piece of paper that says your boss told you to do it.

      That way the buck stops at his desk. Any problem that arises is his problem, not your problem, and it’s documented.

    • #2555371

      Who is responsible?

      by smallbiz-techwiz ·

      In reply to Administrator Password – to tell or not to tell?

      I understand the “feelings” involved. You are trying to make your job easier through strict control. But, from a legal perspective, you cannot lose sight of the big picture here. Company assets include hardware, software, and intellectual property. It’s not yours to control. Second, you’ve got to CYA by having your boss sign something that says network security is NOT your responsibility. Then, give the password to whomever your boss tells you to and pull your personal feelings out of it.

      But IF your boss maintains that network security IS your responsibility, you are in the classic IT paradox of “responsibility with no authority”. I’ve been there, and I know it sucks. I had to grow a pair, put my job on the line, and insist that I would not be responsible for anything I could not have control over. The problem with that posture is, you also have to concede that business needs can suffer when the IT guy has everything locked down. They can’t sacrifice productivity for the sake of security. So, you have to find common ground and compromise. It’s difficult sometimes for us technical guys to also excel in diplomacy and tact. But, unless you have a written IT policy that dictates how these matters are to be handled, you’ll have to negotiate one that balances the needs of the users with your responsibility to manage. Then, have it put down in writing so no one forgets what you both agreed to.

    • #2555344

      It’s The IT LAW, DON’T GIVE IT OUT

      by kdaugharty5 ·

      In reply to Administrator Password – to tell or not to tell?

      I used to work at a place where the supervisor password got out, and you know what kind of mess that caused; can you imagine if the admin password got out? Total chaos.
      WATCH OUT, NOW ADMIN PASSWORD FOR SALE (LOL)

    • #2555333

      It’s not your password

      by tony hopkinson ·

      In reply to Administrator Password – to tell or not to tell?

      So if you get authorisation to release it to Tom, Dick or Harry, then create admin users Tom, Dick and Harry, and on y va.

      If someone happens to be a dick, then this will be plainly obvious….

      Admin isn’t a user, it’s a privilege set….

    • #2554899

      Be The IT Leader in Your Company…

      by jim359 ·

      In reply to Administrator Password – to tell or not to tell?

      This isn’t about you. Instead it’s about your company’s policy on owning and maintaining a computer network.

      Your opportunity here is to be the IT leader. Part of that is you must establish policies and procedures that accomplish the security and controls that are necessary, but also you must provide ways for the business to get what they need (features, resources, security… solutions!).

      Ask to meet with your boss on this topic.

      In this meeting, plan to start out by making your business case for two things: a) why user desktops are locked down; b) why the admin password must be contained; c) present a process for users to get the things they need to do their jobs installed. That’s what I assume is your boss’s ultimate goal. He’s just chosen the easiest route to that goal. You’ve got to ask yourself why that’s the easiest route for your boss.

      Outline how users can request additional resources. Make up a simple process that should work. Your boss, and others, will probably have some input into that policy. And getting buy-in from the company here is HUGE! It means you win by sheer leadership.

      In my view the business side of things has to be part of the equation of how to manage the network. And IT standards must be involved, as well. It’s your job, it sounds, to establish those IT standards. In a small company this all sounds pretty Fortune 500-ish.

      In this meeting you’re going to find out what your boss really wants, and why. Don’t miss this opportunity to be a leader and solution finder for your company. Or, you can continue to be seen as an obstacle that has to be overcome (my assumption). So find a way to serve the business.

      But first you have to come to the conclusion that the business needs what it needs whether you like what it needs or not. Your job, if I may be so bold as to presume to know, is to serve the business needs. Am I right?

    • #2801740

      What to do….

      by the ‘g-man.’ ·

      In reply to Administrator Password – to tell or not to tell?

      You give it out with fully documented evidence that ‘they told you to do so’, the fact that you disagreed but, as ‘they are the BOSS’, you ‘have to abide’. You then leave it there and, when the fan is hit, produce your fully documented evidence to ensure it is you who keeps your job.

      • #2801723

        Nope, I don’t agree. Here’s why…

        by cmiller5400 ·

        In reply to What to do….

        There is NO reason for them to have it. If they insist on another person having the admin password, then create them an account that has admin access and explain that it has the same rights as the admin account, and that you can better audit who does what that way.

        You should not be using the Administrator account anyway. It should only be used for emergencies.

        EDIT: Besides, if you get run over by a bus, they have access to it in the safe. I hope it is a dual control safe……….

        • #2802912

          If the BOSS wants it

          by the ‘g-man.’ ·

          In reply to Nope, I don’t agree. Here’s why…

          and does not listen to reason, the BOSS gets it. That’s why they are the BOSS. If it gets abused the BOSS takes the fall also.

        • #2802876

          Not in any sane company…

          by cmiller5400 ·

          In reply to If the BOSS wants it

          In any company that actually follows best practices, that user is NEVER used except for emergency cases where the other admin accounts do not work. And the password should only be accessible to as few people as possible.

          Administrator access is just a privilege set. It can be granted to any domain account. There is NO need for the BOSS to have it just because they want it; they should have an actual NEED for it before they are told it. This is just them not knowing the difference between the two. If explained to them correctly, there is no need to divulge the “Administrator” password. It should be kept under dual control for when there is no other way to manage the domain.

        • #2802746

          Contradiction

          by the ‘g-man.’ ·

          In reply to Not in any sane company…

          You say:

          “That user is NEVER used except for emergency cases where the other admin accounts do not work.”

          Then say:

          “Administrator access is just a privilege set.”

          Which is it then? As to me they are all admin accounts if the privilege has been set; what difference does the name of the account make?

        • #2782366

          Well one difference is…

          by cmiller5400 ·

          In reply to Contradiction

          It is a permission set, except for the fact that the Administrator account cannot be deleted because you can’t delete built-in accounts, but you can delete your account by mistake. The name of the account makes no difference because it is SID based. You could name the account “blahblah123454321” and it would not care.

          Again as I said, it is more of a best practice to not use it; and for auditing purposes as well.

    • #2802887

      Only AUTHORIZED ADMINISTRATORS need the password.

      by 1bn0 ·

      In reply to Administrator Password – to tell or not to tell?

      I work for a manufacturing company with 600 employees over 4 locations with 2 domains.

      The Administrator password is NOT KNOWN by everyone in the IT group, let alone anyone outside. It IS kept in the company safe where QUALIFIED personnel can get access in case of emergency circumstances where an authorized domain admin is not available. Hasn’t happened yet, but the idea is to be prepared, just in case.

      If the Company Controller wants a Tax Table program installed on their computer, a Domain Admin has to install it.

      Locking down your workstations was done because of a previous problem. A policy was implemented to try to prevent the issue from repeating.

      Request access to cut your own pay cheque in exchange for the Admin password. Maybe then they will begin to understand the concept of Authorized Access.
