General discussion

  • #2193040

    Who Knows the Admin. Passwords in your IT Dept.?

    Locked

    by mandms7 ·

    I work for a small company in which we have 5 IT staff members supporting about 100 users. I’m curious what the norm is out there for securing the administrator passwords? Does everyone in your IT department have access to the administrator passwords, or are they restricted to certain individuals? Assuming they are restricted to certain individuals, how do you give administrative privileges to those individuals who don’t know the passwords and need to do something that requires elevated privileges?

All Comments

    • #3134789

      Keep it as tight as possible

      by notsochiguy ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      Personally, I prefer to keep the administrator password as secret as possible. If there are people that need admin privileges, just add them to the appropriate (local/domain) admin groups, and go from there.

      Some of the bigger problems with people knowing/using the admin password are:
      1) They leave on bad terms (there should be contingency plans in place to account for this…but nothing is 100% foolproof)
      2) Some people tend to use the administrator account when troubleshooting (for example, if you’re testing out a user’s problem with logging onto Citrix, and you use the administrator account, what happens isn’t necessarily reflective of what the user is experiencing)
      3) Some people may use the administrator account to run services, such as SQL (someone uses the admin account to run a service…someone else leaves the team, forcing a password change on that account…service now fails…if this isn’t properly documented, it will come as an unpleasant surprise)

      I find it better to start off as restrictive as possible, and loosen the reins a little when needed, than giving people too much access, and trying to get the horses back into the barn, so to speak.

      • #3134516

        Reply To: Who Knows the Admin. Passwords in your IT Dept.?

        by sparkin ·

        In reply to Keep it as tight as possible

        I can attest to 3). I have spent phenomenal amounts of time attempting to fix all the services and related startup problems having changed the password. I was handed a totally undocumented network set up 2 admins before me. You can imagine how much I would stress this issue 🙂

      • #3134513

        Local Admin works for me.

        by jiffy_jon ·

        In reply to Keep it as tight as possible

        Maybe you are talking about a much larger company than I work for. We have about 100 users. I am the IT dept., and I find that the only thing I run into is where people need administrative privileges to do something on their system. I then put them in the administrator group on their computer only. I would think that for IT departments that have a few people in them you could set them up with an administrator account just for them, and then when they leave the company you simply disable their account.

        • #3134510

          We have a similar process

          by simon.webb ·

          In reply to Local Admin works for me.

          All our users are restricted accounts.
          We run into problems with remote laptop users where they need to install printers or approved apps and we can’t get to their machine. Our solution was to write a little app which adds the user to the admin group for their next login session only. Basically the user phones us and we can give them a code for the app valid for one hour. They run it, type the code, log out then in again and they have admin rights. The next time they login the rights have gone.
          We haven’t seen much stuff that actually needs admin rights to run. Usually it’s just a case of working out what access is needed to the registry/filesystem and using group policy to change permissions on just the required bits.
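One way to build the one-hour code that post describes, as an added example rather than simon.webb's own app: the help desk derives the code from a shared secret, the user name and the issue time with an HMAC, the code carries its issue time so the client can enforce the one-hour window, and a small state machine models "admin for the next login only". The secret, user names, times and the local Administrators group (a Python set here) are all constructed for the example.

```python
import hashlib
import hmac
import time
from typing import Dict, Optional, Set

CODE_LIFETIME_SECONDS = 3600   # the post says a code is valid for one hour
TAG_HEX_CHARS = 8              # assumption: 32-bit truncated tag, short enough to read out by phone


def _tag(secret: bytes, username: str, issued: int) -> str:
    """Keyed tag binding a code to one user and one issue time."""
    msg = f"{username.lower()}:{issued}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()[:TAG_HEX_CHARS]


def issue_code(secret: bytes, username: str, now: Optional[float] = None) -> str:
    """Help-desk side: produce the code the technician reads to the caller."""
    issued = int(time.time() if now is None else now)
    return f"{issued:x}-{_tag(secret, username, issued)}"


def verify_code(secret: bytes, username: str, code: str, now: Optional[float] = None) -> bool:
    """Client side: accept only an untampered code for this user, issued within the last hour."""
    now = int(time.time() if now is None else now)
    try:
        issued_hex, tag = code.strip().lower().split("-")
        issued = int(issued_hex, 16)
    except ValueError:
        return False                     # malformed code
    if not 0 <= now - issued <= CODE_LIFETIME_SECONDS:
        return False                     # expired, or claims to be issued in the future
    return hmac.compare_digest(_tag(secret, username, issued), tag)


class TemporaryAdmin:
    """Models the local Administrators group and the 'next login only' grant.

    redeem() adds the user to the group; the membership only takes effect in a
    fresh session, so the first logon after redeeming keeps the rights and the
    logon after that removes them again (as the post describes).
    """

    def __init__(self) -> None:
        self.admins: Set[str] = set()          # simulated local Administrators group
        self.pending: Dict[str, str] = {}      # username -> "granted" | "used"

    def redeem(self, secret: bytes, username: str, code: str, now: Optional[float] = None) -> bool:
        if not verify_code(secret, username, code, now):
            return False
        self.admins.add(username)
        self.pending[username] = "granted"
        return True

    def on_logon(self, username: str) -> bool:
        """Run by the logon script; returns whether this session has admin rights."""
        state = self.pending.get(username)
        if state == "granted":
            self.pending[username] = "used"    # first login after redeeming: rights stay
        elif state == "used":
            del self.pending[username]         # second login: the grant has been consumed
            self.admins.discard(username)
        return username in self.admins
```

The app should also remember codes it has already redeemed, so the same code cannot be entered twice within the hour; that bookkeeping is left out here.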

        • #3134492

          Administrators only

          by jac66 ·

          In reply to We have a similar process

          I work in a secondary school as senior I.T. technician; out of 250 staff only 4 of us have administration passwords. Staff are set up as local administrators on their laptops using their own username and password and access network drives with their network username and password, which gives them the same restrictions as if they had logged on to the network. Restrictions are controlled with logon scripts and security groups set up in Active Directory. As for printers, we run a script at logon which installs the correct printer for students and staff depending on what computer they log on to and its location, also controlled by location in Active Directory.

        • #3134439

          Unfortunately

          by simon.webb ·

          In reply to Administrators only

          this won’t work for local printers 🙂

        • #3108255

          Can I get a copy of that file

          by wongrichard ·

          In reply to We have a similar process

          Can I get a copy of that file, sounds like a great way to do admin rights.

        • #3108123

          Can you post…

          by techtacular ·

          In reply to We have a similar process

          where we can get this app? It sounds quite useful. Either that, or can you email it to me?

        • #3134115

          vbs printer adding script

          by jac66 ·

          In reply to Can you post…

          VBS Printer Adding Script

          ' Looks up this computer's Location attribute in Active Directory and
          ' connects (and defaults) the network printer that belongs to that room.
          Option Explicit
          Dim wshnetwork, name, objcomp, location, printer

          set wshnetwork = createobject("wscript.network")
          name = wshnetwork.computername
          'wscript.echo "your computer name is " & name

          ' The OU and DC parts must match the container the computer object lives in
          set objcomp = GetObject("LDAP://cn=" & name & ",OU=Curriculum Desktops,OU=???? Computers,dc=?????,dc=???")
          location = objcomp.Get("Location")

          printer = "none"

          if location = "room name" then
              printer = "\\print server name\printer name"

          elseif location = "room name" then
              printer = "\\print server name\printer name"

          elseif location = "room name" then
              printer = "\\print server name\printer name"

          ' Repeat the above for each room and printer. Names must be correct as in your AD and network printer name.

          else
              wscript.echo "Your location is not known! You are not connected to a printer!"

          End If

          if (not printer = "none") then
              wshnetwork.AddWindowsPrinterConnection printer
              wshnetwork.SetDefaultPrinter printer
              'wscript.echo "In If Statement"
          end if

        • #3092687

          vbs printer adding script

          by tiago ·

          In reply to vbs printer adding script

          Hi,

          I was trying to use your very useful script in our AD structure and I am getting an error that I don’t seem to be able to overcome.

          The error is as follows:

          C:\utils\scripts\dynamic_printer.vbs(7, 1) (null): There is no such object on the server.

          Any suggestions?

        • #3092258

          scripts

          by jac66 ·

          In reply to vbs printer adding script

          I will look on our system to see if I can find the dynamic printer script.

        • #3108001

          App

          by andrew booth ·

          In reply to We have a similar process

          Is there any chance you could perhaps take 5 minutes out of your very busy day to email me this fantastic application to andrew.booth@o-s-c.net

          Regards

          Andrew G. Booth

        • #3133870

          Not agree

          by 3xp3rt ·

          In reply to Local Admin works for me.

          I think it is most secure to give them Power User on their computer. I never give anyone administrator rights, not even on their own computer. IT IS DANGEROUS!!!

      • #3134511

        Totally agree

        by th7711 ·

        In reply to Keep it as tight as possible

        Totally agree with the points which follow the “Least to Know” rule. An additional thing is you may need to implement a one-time password if the admin password is released to others, i.e. change it at once when the job is finished.

      • #3134502

        a different account for each admin

        by the gaffer ·

        In reply to Keep it as tight as possible

        This is the way i would advocate

        the main admin password should be kept very secret (locked away in a safe somewhere)

        each of your techies that needs admin rights should have their own admin account (separate from their normal user account)

        that way you have a better audit trail of which admin made any changes and their admin account can be disabled when they leave.

        undoubtedly there will be other accounts such as service accounts etc that your techies will need to know, keep all these documented in a single place and have a policy and procedure for changing them as soon as someone leaves

      • #3134428

        Leaving on bad terms

        by pete1978 ·

        In reply to Keep it as tight as possible

        1) They leave on bad terms (there should be contingency plans in place to account for this…but nothing is 100% foolproof)

        Some years back, I received a phone call from a former employer (whom I had left on very good terms). It seems that an employee had been hired who expected to be in charge … of course, he wasn’t. So after about three months, one fine day, he simply stopped showing up at work. In looking into what he had done before leaving, they found that he had changed the administrative/root password on every router, switch, and Internet server in the organization. They wanted my help getting back into their systems.

        Bad things DO happen. If this person, who was a fairly new employee, had not been trusted with the keys to the world, he could not have changed all the locks. Keeping the admin password list tight is absolutely correct!

      • #3097008

        Lock it Down

        by tape monkey ·

        In reply to Keep it as tight as possible

        The tighter the security the better. I use temp passwords based on groups and project assignments. As the Net Admin I am the only one with the master password. Setting up different admin groups and assigning project passwords keeps security tight. All Admin groups are issued new passwords every 45 days and permissions are kept as tight as possible for each specific group. Everything should be on a need to know basis and the way I see it the only person that needs to know everything is the Network Administrator. Network security and redundancy are the number one priorities of the Net Admin. Programs can be repaired or replaced but keeping the data safe is job one.

    • #3134508

      Admin passwords

      by smogmonster ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      You’re lucky, we have 2000 users and 2 IT Staff!!
      The administrator account has had all rights removed and a new user created with full administrator rights. Only 3 people know the password and that is locked in an off-site safe in a double sealed envelope. Paranoid I may be but it’s worked so far:-)

      • #3134367

        Agree-Admin Account Disable

        by senior program analyst ·

        In reply to Admin passwords

        Admin Account should be disabled (keeps hackers and other malware issue chances down – one more thing they have to guess since they cannot use the Administrator account by default). 1st, before disabling, be sure to change its password – store it in a very secure area (safe etc. – allow the business owner or top managers to know the location but not the password just in case you are not contactable). If it ever is used then change it – re-disable and re-record and re-store.
        Each person that requires admin rights to do something should have 2 accounts – their normal job function account (email, general group accesses, personal file spaces etc.). A second account with access only to the admin rights they require to do their admin work (we do not add them to any of the general group accesses for daily work). This requires either a separate computer or to logout then back in (or run as) to achieve an administrator activity, then they have to logout to return to normal activities.
        I also agree with later statements that applications and services requiring Admin rights to run properly should also have their own accounts set up and passwords made VERY tough (the longer and more random the better – record these passwords in the admin notes for the service or application; that way changes to the admin account or user-based admin accounts do not affect running applications).

    • #3134496

      It’s not a problem

      by gavaskar ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      We are giving admin privileges only to the top management. What error could happen if we do so? Anyway they know the organisation and its culture. I feel that there will not be any violation if we do so.

      • #3134373

        the problem with that is

        by jaqui ·

        In reply to It’s not a problem

        that most top management are computer illiterate enough to seriously damage the system / network and not know they are doing so.

      • #3134352

        some problems are unimaginable

        by bmcleod ·

        In reply to It’s not a problem

        I was not given a choice on whether or not to give the CFO of my company the admin password. A week later I find that this person gave this information to his nephew, who in turn changed the CFO’s password to his workstation, and continues to have access to a company network that he does not even work for. Our CEO only knows how to play solitaire and refuses to use company email. If you need to get him information you have to print it out and hand deliver it. This ignorance helps me sometimes but mostly causes me unimaginable headaches!

        • #3134107

          mis-organization

          by gianlucaculot ·

          In reply to some problems are unimaginable

          if somebody can gain access to the network simply by changing his workstation password, it means you are using a workgroup model network, not even an NT domain…
          maybe you could improve your network to avoid a workstation gaining access!

    • #3134445

      What I do

      by jedurham36 ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      We have 2 admins supporting ~75 users. The dept. manager also knows the password, but because she is the only paid staff member. All 3 of us know the passwords and only the three of us know it. Anyone who needs to install anything with elevated privileges can’t. We install it as admins (after they fill out the paperwork of course). For us this has never failed yet, and works out perfectly fine.

    • #3134420

      Developing a system

      by eric.baene@customerselects.com ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      In our group we have two typical scenarios – one for windows machines and one for Linux machines.

      For windows machines – there is the local admin password for the box as well as a bios password. Those typically aren’t used unless absolutely necessary. For ordinary functions each admin has two accounts – one non-privileged account and one administrative account that is a member of the administrator group.

      For Linux machines – there is the root account and the bios password – again only used if absolutely necessary. For ordinary functions each admin again has two accounts – one privileged and one superuser – privileges granted to the super user account via sudo. Ordinary users who need to do select ‘administrative’ things on particular boxes can be granted specific privileges with sudo.

      All ‘group level’ passwords (accounts, routers, databases, bios, etc.) are kept in a password protected OpenOffice.org document (AES encrypted).

    • #3134416

      Keep Accountability

      by dask ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      You need to maintain accountability, so keep any user-id that has any power down to a minimum of personnel. When I was employed by a comparatively small organization, I kept the administrative password for any platform and/or network to a maximum of two people. Where applicable, I built separate user-ids that had administrative privileges, so I could maintain accountability. I did maintain a list of the powerful user-ids for each platform and network in a hand written document, sealed the document in a confidential envelope with the date and my signature over the seal and stored the document in the Comptroller’s safe. Periodically, I would check the envelope to ensure that no one gained access.
      Any group or default user-id needs to be protected. Maintaining good accountability keeps honest folks honest and restricts unauthorized use of organizational resources.

    • #3134414

      Generating rememberable pseudo random passwords

      by eric.baene@customerselects.com ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      To generate good passwords for admins and users we utilize a set of simple perl scripts that build on an NSA developed pattern.

      upper or lower case letter + lower case vowel + lower case consonant + sometimes another lower case letter + number + sometimes another number + symbol + upper or lower case letter + lower case vowel + lower case consonant + sometimes another lower case letter

      This generates passwords that aren’t purely random – so not as strong as purely random passwords – but still very tough to break because they are randomly anywhere from 8 to 11 characters in length.

      There are also variations with leading numbers or symbols or trailing numbers or symbols or both.

      The key is that it produces a password with pronounceable first and last parts. The NSA study determined these are much easier for users to remember.

    • #3134411

      hardware password aid

      by eric.baene@customerselects.com ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      In addition to our other measures most of our admins and some of our users utilize a hardware fob ‘password keeper’ – http://www.mandylionlabs.com (we’re not affiliated in any way with Mandylion Labs by the way)

      We use the enterprise version – so we’ve set up a couple of PCs as ‘kiosks’ where users can program the fobs. There is also a personal version that I’ve used myself for a couple of years – I think they are available at thinkgeek.com

      The fobs meet all of the NSA rules for secure password storage. You ‘authenticate’ yourself to the token or fob by a physical pattern of key presses. They store 50 sets of account info – and can even generate passwords themselves according to any pattern you want. We’ve had very good luck with these.

    • #3134403

      On the UNIX side…

      by xaviergm ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      Only the people doing the oncall service know the root password, but we can only use it in emergencies (i.e. our personal account is locked) and only through the physical console. For daily tasks we use our personal accounts, which are allowed to use sudo command.

      On the windows side I personally think that the Administrator account use should be avoided whenever possible by setting up privileged accounts as needed.

      cheers,

      Xavier.

    • #3134398

      Sharing an account = no accountability

      by deway2 ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I have found it’s better to give IT staff administrative rights as needed and not give the admin password to everyone. I have also had trouble in the past with apps such as backup software or antivirus when I change the admin password. Things seem to work smoother when the domain admin account is left alone and only used when necessary. Assign individuals to the domain administrators group if needed. If you are using auditing, you have some knowledge of who is doing what. There are many other groups as well (backup operators, print, etc.) that may fit better for an emp. than just giving them admin rights.

    • #3134397

      Different accounts

      by tantor ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      All of my IT staffers have 2 login accounts. One with general user privileges and one with the proper level of administrative access for their job (example, my DB admins’ elevated accounts are not in the group with admin control of all servers) determined by Active Directory group membership.

      The general user account is for logging in to their workstations, the admin is for when they need elevated privilege on a server.

      It’s not a good practice to create one “administrator” account for the whole environment, for the exact reason you get into here. Who do you give the account password to, and what happens when people who aren’t supposed to have it get it? If everyone has a specific account that they control that gives them the rights to do their job, not only does it get around the single password issue, you also have a means to log who’s doing what.

      It is also a very good idea to change the local administrator to have no rights to your servers and create a differently named account to replace the local administrator account. And don’t give all your servers the same local password. We have over 300 servers in my site and each one has a different password. Once the server is built and ready to deploy, the Security team (me) changes the admin password and prints the password out on a business card size sheet. Then we put that in a small envelope and laminate the whole thing shut. That gets attached to the front of the server with the asset tag sticker.

      In case of emergency, you cut it open for the local admin password. In the two years I’ve been doing it, only once has it been needed.

    • #3134386

      A programmer approach. Subclass !

      by gianlucaculot ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I’m employed as network and system admin at a small firm. I have charge of 20 internal users, and about the same amount of external developers.

      In my opinion a good password administration starts from a good network architecture design.
      Recently I’ve designed the new AD structure (but the approach applies also to Unix, not only to Microsoft).
      Here are my rules… let me know what you think about them

      1) admin is one. It is root, so there cannot be more than one
      2) create an xxxAdmin and xxxSPV (for example Admin) for each department.
      3) Use Group Policy to distribute privileges, or better to add xxxAdmin and xxxSPV respectively to the Administrators group and Power Users group on the machines assigned to the departments
      4) Never use personal or admin passwords for services. Better create a dedicated account and trace it in a document

      Rule one grants that NO ONE will ever know the admin password. This is the golden rule. Actually in the firm I’m employed at, three people know the admin password: I, the owner (who takes note of it on a paper in the safe), and the CEO. This is actually for safety reasons; if I should fall sick, there are other people who can grant access to someone else.

      Rule number two grants that whoever really needs to be in charge of certain roles and privileges can be easily and certainly spotted.

      Rule number three grants two more important aspects. The people who need to be in charge will be assigned to the roles on their machines, but the role will be assigned by a network rule (that is, assigned by the administrator). Even if they mess around with settings on the machine, the right assignment will be reset by the network policy at each reboot. This grants also that you can recover a “safe” condition even if a delegated administrator messes around with server local groups.

      the rule 4 grants that every password changing will not affect system functionality. Anyway, if something goes wrong after a password changing, thanks to rules 2 and 3 you will always know who is in charge of the server.

      this is for Microsoft , and requires the use of Network and Active Directory Policies.
      As far as I know about Unix the rules are almost the same, except for distribution across the network. I do not have much experience, but I’ve found a lot of packages that can spread package installation and copy users and groups to remote Unix (and Linux) stations.

      Hope you find this note useful, let me know every consideration about this.

    • #3134340

      Write the Policy

      by wayne m. ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      Whatever decisions you choose about admin passwords, make sure you write them down as a policy and don’t just keep them in your head.

      In addition to what has been mentioned, also define a contingency plan as part of your policy. I would recommend that the default admin account name and password (you did remember to change that one) are written down and secured with at least one person outside of day-to-day operations, presumably in senior management. This is critical in case of key staff unavailability or amnesia.

      There are lots of ways to address the issue, the key is to write it down so that everyone knows what the approach is and still remembers it a year from now.

    • #3134335

      Unfortunatly…

      by t_albanese ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      All 12 of our techs know the local admin password and their accounts have admin rights on the desktops. We are a little more restrictive on member servers, and only some have domain admin rights. We rename the Administrator account on all machines and are working on something to randomly change all the admin passwords. We use a GPO to add a domain group to the local administrators group. We can then grant anyone admin rights by adding them to this group when required.

    • #3134276

      Work at a large company

      by speedracer94 ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I contract at a very large company where the policies for passwords are very well-defined, much more so than any other place I’ve been. I don’t know who holds Admin passwords and there’s not only no benefit to know, even trying to find out would most likely raise red flags about my motives. Anybody who needs Admin permissions here is given access via groups.

      At my last position, the IS Director and a few key IS staff members, including yours truly, knew Admin passwords. Those of us who needed Admin permissions were given access via creation of Domain Admin accounts. I think using groups is a much better way to go.

    • #3134256

      Using Win 2003 server helps

      by wojnar ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      We basically only have 1 known password (and it is at the highest level – a duplicate of the administrator user id). It resides at the Network administrator’s position. Certain people are authorized to make specific other changes and their accounts are set accordingly with the least authority required to do their job.

      All security is handled by using policy groups and adding memberships to the user ID when a user needs more privileges. If a user forgets their password, we only reset to a new password which they must change on initial login. No one knows any other password but their own. The administrator password is not used and available only for the Network administrator to use when there appears to be a problem with the account set up for administrative purposes.

      The Administrator user ID’s password is in a sealed envelope in my desk. If the envelope is opened, somebody better have a real good reason why.

      This way we know who has the capability/responsibility to make the changes and the functionality to change security resides with a position and not a specific password.

    • #3134254

      Admin Passwords in Banking environment

      by 120721-000083 ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I work in the IT Dept. for a bank. What we have done seems to have appeased the regulators (for now anyway). We changed the “All Powerful” administrator account password, wrote it on paper, sealed it in an envelope, and placed it in a safe deposit box inside a vault that requires at least two people to get into. Most of our IT staff has other banking duties so we set them up with two user accounts: one to perform their everyday functions, and one limited admin account that can perform the needed IT admin functions. Too, we are discussing the various tools available that will allow someone to monitor when someone with an admin account logs in and (if possible) what he/she did.

    • #3134242

      5 IT for 100 users?

      by dave.schutz ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I work for a medium size company with 650 staff and 250 computer users with only a 2 person IT dept. How do you get 5 IT people for 100 users? The network admin password should be only for network admins. Let desktop support use local admins.

      • #3096866

        Do Your Job and Stop Crying About It

        by my mac is faster than your pc ·

        In reply to 5 IT for 100 users?

        All of you know that the proper way to administer your subordinates is to give them each their own user account and password. If you can give every user an account why can’t you give every support person an account? They are part of a group and you can even make subgroups so that new support people work their way into the most trusted group.

        By creating a one user one password security plan you make it easier for the password to leak and you have no idea where it was leaked from.

        With individual passwords everyone is responsible for their own security and you can just delete them when they leave or are terminated.

        I mean creating accounts and keeping your network secure IS your job so do it and stop being so lazy. Because you will be next bitching about being underpaid. And with the availability of information on the web upper management that has no real idea of your job function can read a few articles and start asking why aren’t we doing this that or the other.

    • #3134234

      Use Groups, not Admin/password

      by bronzemouse2003 ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      We (3 IT staff) support 500+ systems with multiple users. We do not use Administrator login, rather, specific users are part of the Domain Admin group, and have Administrator rights to all servers/clients.

    • #3134233

      Mixed Environment

      by pdouglas4294 ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I work in a Govt agency that runs Novell NetWare for the network. (Also GroupWise, not LookOut)
      We have people on XP and 2K. (Also a few on 9x in “Budget Challenged” units)
      Many of the users are here in HQ, but we have many users who work in a stand alone environment. (Usually mobile laptops or at their homes.)
      There is written policy stating users should not use Admin level accounts routinely.
      Users are given User level accounts. For those who have a demonstrated need to have an Admin account (usually travellers who need to change the ISP phone number), we also generate a separate account for them for that purpose and we give that account the same password as for their normal account. (1- Easier for them to remember 2- They are more likely to be protective of it)
      If Micro$oft would change things so that you don’t need Admin rights to change an area code, this would minimize things drastically!!
      TTFN
      Paul

    • #3134226

      Quite restricted in our shop

      by blueknight ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      Our IT department has 130+ employees over 2 locations with the majority of the staff at “HQ.”

      Only those who work in our Desktop/LAN support group have “super user” status. Each one uses an Admin user ID unique to them beginning “super” and ending with their 3 initials.

      If a user needs software installed or a new image dropped on a machine that went “belly up,” only the Desktop/LAN support tech will do it.

      All of our machines use the same image. The exception being for those who need specialized software or special functionality. In those cases, those users have the additional software installed on their systems and they are given admin authority on their desktop machine ONLY. In order to be granted this status, the user must fill out an authorization form requesting the specific software which is then signed by their manager and forwarded to the Desktop/LAN support group. Aside from this, there are NO exceptions.

      If I (one of the privileged few) lunch my desktop machine, I must call the HelpDesk and open a ticket to have the Desktop/LAN support tech come and restore my system (from its unique saved image). In total, there are maybe 5 of us with specialized images and Admin right on our own machines. That is it… period.

      We have had no problems with this arrangement in the 10 years I’ve worked here. Everyone knows the rules and has no problem with the way things are set up. The Desktop/LAN support group manages all patch application etc. pushing systems mods out to user system remotely. It all works very well.

    • #3134212

      Using 2 User Accounts for IT Staff

      by mandms7 ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      It seems like many people out there have two user accounts for IT staff, one for daily usage and the other for doing tasks that require admin. privledges. For the elevated account, do you make that account part of the DOMAIN administrators group, so they can work with elevated privledges on any server/workstation, or do you create an account with local admin. privledges on each server they may work on?

      • #3108152

        seperated Privledges by Server

        by senior program analyst ·

        In reply to Using 2 User Accounts for IT Staff

        We set the priveledges on the servers by Administrator Domain Groups. So we might have a location administrator group, Application Administrator group we have a large SAP application which has several servers associated so anyone in that group has admin rights to those servers only, email server group, etc.

    • #3108169

      Local Admin Account

      by marrio ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      First thing to do is the rename the local admin account (and guest acc. while you are at it) using group policy. Also, when setting up PCs use a very cryptic password – in a domain, the local account is rarely used.

      marrio!

    • #3108155

      Not Too Difficult

      by cmawby ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      Administrative passwords should be relegated to a primary owner and one backup only. Passwords should be forced to change at 90 days.
      If the project is short term do not elevate any privs. Escort and monitor only. If the project is longer term consider priv elevation at the application level of the DEVELOPMENT or QA/TEST pre-production servers only. In any event developers should not have direct access to production systems under any circumstance.

      • #3108079

        Rename

        by eanigbogu ·

        In reply to Not Too Difficult

        Rename the Administrator Acount to look like an average Joe’s account on the network, and also apply all complexitiies to the assigned password which must be kept under lock and key in a sealed envelope in a save deposit.
        Use another account with all the priviledges of an Administrator for all your daily administrative chores.

    • #3108142

      Security groups

      by gometrics ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I’m not sure what network OS your are using but all you have to do is either add the user to the domain administror group (don’t recommend), the local administrator group (so they can’t mess with the server config), or setup a custom security group (recommended). You can use the power user or administrator template in forming the new security group then bump up specific rights or strip them away (depending on the template). Then by simply adding members to this group you can extend some administrative rights without unlocking the entire system.

    • #3108055

      $20 solution

      by tlatts ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      To help comply with all of the regulations of Sarbanes, and…

      Buy a fire safe at local store (Sam’s $20 + tax) and get a series of envelopes. Record admin IDs and passwords (ideally in seperate envelops) and have the seal of the envelopes signed by the app admin as well as an officer of the company.

      Keep one key on site and one off, allow proper users the ability to get to the IDs in an emergency. Check periodically to assure that none have been opened. if they are, change them.

      Over simplified, maybe, but it works.

    • #3107949

      Admin Passwords

      by wtdriscoll ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      Mschwantje… I assume you might not be reading these post after a lot of mixed responses. There is NO reason why users need local admin priviledges on their computers at work. In Windows2000, the users are set as DOMAIN USERS. On the local computers, when they log into the domain, DOMAIN USERS is not set on local security. If you want to spend 75% of your time cleaning and repairing computers, give them local admin rights. They should be installing applications on their own, (keeping the SOFTWARE LICENSE POLICE off your case). People in IT SUPPORT should be granted rights based on the tasks they perform and minimize the administrator login. Hopefully if you are using Windows, you have AD running and setting domain security.

      We have this setup with local users can run programs that are installed and create folders on the local computers. With EVERYONE being a COMPUTER IT EXPERT today, if you gave them administrator rights on the computers, every peer to peer application, every IM program and EVERY game they can download would be installed. ONLY IT should be installing programs(testing in the network and manageing licenses). This also goes a GREAT WAY to stopping the spread of some viruses. Many functions need to be automated to ensure they are always up to date ( program patches and virus software ). NEVER rely on the end user to do your job. If a program requires elevated rights, then you should look at creating a script and find a way to encrypt it. BUT I am finding the programs that required local admin or power user, the latest versions do not any more. So keep an eye on that.

      If this priviledge is required to write a file in the PROGRAM FILES folder add DOMAIN USERS to that app folder and give it modify rights.

      If you want a system to run smooth, prevent user high priveledges…

      • #3107141

        Misreading My Post

        by mandms7 ·

        In reply to Admin Passwords

        Some of you seem to be misreading my original post. My question is not regarding regular users but members of the IT department. Everyone, including IT staff, are setup as restricted users. My question had to do with who in your IT staff knows administrator passwords and how you handle elevated privledges for those that need it but don’t know the administrator passwords.

    • #3107940

      in my company

      by mjwx ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      there are 2 IT people for about 70 staff (only 30 – 50 are in the office at any one time) and about 14 servers. besides my boss and myself (the 2 IT people) all four of the directors (CIO, CFO, CEO and the managing director) know the admin password.

      i understand the need for a third person to know the admin password incase the two IT staff were wiped out in a freak accident but in a small company do so many people need to know the admin password (also i think they have it writen down because they cant remeber it). none of these people beed the admin password beyond the posiblity that my boss or myself cant get there to help.

      i had the idea of when we change the admin password instead of giving them the password to learn, we could give it to them in a sealed envelope of some sort (think the EAM codes in crimson tide). should i do this or seek to limit the amount of people who know the password.

    • #3134128

      You have Admins and then you have users.

      by baketown83 ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      In my situation we have a admin password that is used throughout the whole domain. It sounds crazy and quite frankly it is. But I had recently went to a class hosted by some high systems admins in our domain and they are trying to implament that each unit within the domain create their own admin password for computers on their network. They also let me know that the domain admin password would be changing soon. The domain admins account will still be there but we would not be able to use that account because they would be making those changes to their password.

      I could not agree more with what they are trying to do. But in my work place we have people who actually handle IMO work and then we have those people who have a completely different job but are computer literate and feel they should have admin rights.

      Thats BS. Users are users, and admins are admins. If they want the password they should have been a IMO instead of whatever it is they do. I dont beleive in giving the password out and if I have to go to a billion computers then so be it. Once you give out something like that all kinds of things begin to happen. You no longer have control of your network.

      As far as giving elevated privilidges to those who need it we have a file server and give rights to paticular things. But this only pertains to applications already on the system. If they need to download something new, then we do it. Of course after making sure that it is a need and not a want. We have a strict IT department but you always have those who are friends with everyone and do things for their buddys. So in the end it is a never ending battle to keep the admin password safe, secret and secure.

      • #3134113

        user agreement policy

        by jac66 ·

        In reply to You have Admins and then you have users.

        sounds like you need a strict user agreement policy in place, if most staff have admin rights.

        • #3135027

          Do what I can.

          by baketown83 ·

          In reply to user agreement policy

          That is exactly right. The only problem is I am consider uhhhh… small at my work. To better explain I am in the military. My rank is SPC and I am surrounded by Majors, CW3’s, and higher ranking enlisted. My ideas are good it is just that they tend to look over lower ranking. But its cool, because when things go to waste then I will be able to shine and say I tried to tell you.

    • #3133856

      ugh too many people have the admin pass.

      by liquidxit2 ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I manage a network for a doctors office so we have tons of medical software. That software is prone…or as I refer to it as pre-programmed to be “bugged” to force companies to pay for support. So we have a global Admin account that the support comapny HAS to have or they wont support us. So they have a VPN connection to us and ultimate control. My boss has the same pass and she is pretty computer illiterate. I worry that I will come in one day and either one will have done something wrong…..

    • #3135166

      Which admin pass….

      by w2ktechman ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I support about 800 people along with 4 others. The IT department (deskside) has software to blow away the admin pass (local), and we all have the PW (as we set them on the machines when builds are done). But… Only the network guys have domain Admin permissions. This is because, we are not working directly on the domain to troubleshoot, we are working on the local system. So the first answer is best. Restrict and then unrestrict for people who need it. For the domain, only svr teams and networks need this, for more localized support (like deskside), only local admin should be available. For a call center (1st level), they should not need it, a deskside tech should be called if it is needed.

    • #3096983

      Reply To: Who Knows the Admin. Passwords in your IT Dept.?

      by tech_dave0099 ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I work for an enterprise of several thousand end-users, probably close to 7k and growing.

      The only admin right they have are local admin rights on the machines. All network access is controlled through groups in active directory and at the domain level.

      the only people that have the local admin passwords are the 10 people that ever have to setup machines or make any changes that require local admin rights.

    • #3092589

      Not just a configuration issue

      by drew.mcbee-tradesmeninternational ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I keep the admin password limited to only one person, and a secondary – in case I get hit by a bus. The reason for this is not because I’m concerned about someone screwing the configuration of a server up, but more about the number of people who have access to sensitive info.

    • #3107189

      A Good “Rule of Thumb”

      by srk-once9 ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      Generally, a good rule of thumb is to “rename” the administrator account, record it’s password and put that information into a secure area that can be accessed by the appropriate corporate staff in the event of an emergency. Add the correct people to the “Admin” group, either locally or on the network. This is much better and safer than removing all privilidges from the admin account…there are some system calls and apps that use the “admin” login to run correctly.

    • #3093394

      Reply To: Who Knows the Admin. Passwords in your IT Dept.?

      by mrizvandi ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I think one person must have Administrator password. and other IT memeber must have privledges to working and don’t take more privledges for all IT member.
      Administrator is one and one not two or more. it is my idea.

    • #3093851

      What I have seen…

      by ruthie56 ·

      In reply to Who Knows the Admin. Passwords in your IT Dept.?

      I have worked in many IT departments… being a consultant I travel alot and get to see alot of different IT practices… one thing is fairly consistent, it is normal for a handful of IT people to have the passwords. The number will vary depending on the size of the company but it should NEVER be limited to one person. One reason is so that if someone is out sick.. you don’t have to worry about contacting them. But also, you don’t want one person running about logging in for other IT people when they need logged in.

      You need to keep in mind, when you hire an IT person, you are also hiring a person you want to TRUST. If you can’t trust them… don’t hire them. Part of an IT person’s job REQUIRES them to get into places that need a password.

      * Would you hire a payroll person and not give him/her the confidential salary files he needs to do his/her job?
      * Would you hire a security guard and not give him keys?

      Same deal. These are necessary tools for an IT person. Think about it.

Viewing 35 reply threads