... as I go click on your web site to figure out your company and if
it's SBSized :-) Remember my space... managed services and var/vaps.
[EMAIL PROTECTED] wrote:
Susan,
Your point about lots of admins coming and going, with transient
access to hundreds or thousands of machines, is an important and
separate one from the multiple password policies question that this
thread started out with.
I think trying to revoke all the admin creds that a given person had
access to in the last N days (N could be very large) is a hard problem,
and may be unnecessary. If you change all those admin passwords
frequently (e.g., every 24 hrs), then you can rest assured that the
person who just left the org won't have access to anything sensitive
tomorrow. That's good enough in most cases.
Of course, changing every admin cred every 24 hours creates a completely
new problem: how do you do that, in a manner that still makes the admin
creds reliably accessible to the people who need them, and only the
people who need them, only when they need them, and (heck, while we're
at it) with an audit log that shows which person looked up which cred?
Problems like this usually cause products to be written. E-mail me if
you want to get the advertising pitch for our particular solution. :-)
L8r,
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.activedir.org/ml/threads.aspx
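The scheme discussed in the quoted message (rotate every admin credential on a 24-hour interval, restrict lookups to authorized people, and log every lookup) can be sketched as follows. This is an added example, not part of the original thread and not any vendor's product; the class name, host names, user names and timeline are constructed for illustration, and the vault is an in-memory toy that does not actually set passwords on hosts.

```python
import secrets
from datetime import datetime, timedelta, timezone

ROTATION_INTERVAL = timedelta(hours=24)  # the "every 24 hrs" from the message


class CredentialVault:
    """Hypothetical in-memory vault: per-host admin passwords, ACL, audit log."""

    def __init__(self, hosts, acl, now):
        self.acl = acl      # user -> set of hosts that user may look up
        self.audit = []     # (timestamp, user, host, outcome)
        self.creds = {}     # host -> (password, rotated_at)
        for host in hosts:
            self._rotate(host, now)

    def _rotate(self, host, now):
        # A real tool would also push the new password to the host itself.
        self.creds[host] = (secrets.token_urlsafe(24), now)

    def rotate_due(self, now):
        """Rotate every credential older than the interval; return those hosts."""
        due = [h for h, (_, t) in self.creds.items() if now - t >= ROTATION_INTERVAL]
        for host in due:
            self._rotate(host, now)
        return due

    def checkout(self, user, host, now):
        """Return the current password if authorized; log the attempt either way."""
        allowed = host in self.acl.get(user, set())
        self.audit.append((now, user, host, "granted" if allowed else "denied"))
        if not allowed:
            raise PermissionError(f"{user} may not look up {host}")
        return self.creds[host][0]

    def revoke(self, user):
        """Offboarding: remove lookup rights; rotation expires what they remember."""
        self.acl.pop(user, None)


def departed_admin_scenario():
    t0 = datetime(2024, 1, 1, 9, 0, tzinfo=timezone.utc)  # constructed timeline
    vault = CredentialVault(["dc01", "fs01"], {"alice": {"dc01", "fs01"}, "bob": {"fs01"}}, t0)
    remembered = vault.checkout("alice", "dc01", t0)  # alice looks it up, then leaves
    vault.revoke("alice")
    rotated = vault.rotate_due(t0 + ROTATION_INTERVAL)
    still_valid = remembered == vault.creds["dc01"][0]
    return sorted(rotated), still_valid, [(u, h, o) for _, u, h, o in vault.audit]
```

The scenario shows the point made in the message: nobody has to enumerate what the departed admin once saw, because the password she remembers stops matching at the next rotation, and the audit log still records which person looked up which credential.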