True, Simon and I have been known to disagree from time to time. Sometimes we even agree!

Of course administrators can have their own accounts on all PCs, if a company allows such in their policy. But if the hired help from IT support needs to e.g. add some hardware to a machine (and test it) I would not like to give him an administrator password, if the owner of the machine happens to be out of the office (rarely happens with laptops). I'd allow him one-time access using C/R. It all depends on the security needs.

Administrator passwords used for day-to-day IT support have a habit of becoming shared passwords, by the way, if companies don't have their procedures straight...

________________________________

From: SafeBoot Simon [mailto:[EMAIL PROTECTED]
Sent: Tue 21-8-2007 14:55
To: [email protected]
Subject: Re: [FDE] IT support accounts on FDE secured computers

I disagree with John (it's not uncommon for John and I to have different opinions as we've approached FDE from different but mostly equally valid angles for many years. John works for Utimaco, I work for SafeBoot).

In my experience most admin one-time overrides are handled by the admin simply having their own account. One-time access, C/R etc. is usually only required when:

1. The admin doesn't have an account on the machine
2. The FDE solution doesn't have the capability to support enough users in the pre-boot environment.

If you imagine a product which for example only supports 10 or so pre-boot users, you can see that having a general shared key override is necessary. Luckily most vendors seem to be moving away from this limited style environment.

I particularly hate the idea of shared keys/passwords - it reminds me too much of common BIOS passwords which within days, everyone from the cleaner up seems to know.

On Aug 20, 3:27 pm, "john.veldhuis" <[EMAIL PROTECTED]> wrote:
> Hi Saqib,
>
> There are several ways of doing this, ranging from logon tokens for IT staff,
> via C/R to allow a technician one-time access to a drive, to self-help
> websites/voice recognition systems. In my experience, the C/R is most used.
>
> Regards,
> John
>
> ________________________________
>
> From: Ali, Saqib [mailto:[EMAIL PROTECTED]
> Sent: Fri 17-8-2007 17:09
> To: [EMAIL PROTECTED]
> Subject: [FDE] IT support accounts on FDE secured computers
>
> As it turns out, deploying FDE to users is not the most complex task -
> providing day-2-day IT support is.
>
> My cousin works for a medium sized financial institution which
> recently deployed FDE. Providing day-to-day IT support to the users is
> becoming a hassle.
> Every time the IT support person has to work on a
> laptop the owner must be present to enter their credentials into the
> pre-boot authentication.
>
> Can anyone give me some real-world examples of how other institutions
> have tackled this issue? How do they allow the IT support person
> to work on the laptop if the user is not present and the laptop is
> turned off?
>
> saqib
> http://www.linkedin.com/in/encryption
>
> _______________________________________________
> FDE mailing list
> [EMAIL PROTECTED]
> http://www.xml-dev.com/mailman/listinfo/fde
