When I say "more useful work" I put Security very high on the list, if not the top. I just think that the standard "security" stuff isn't always the most bang for the buck. If you keep folks from changing thing on the fly, that's security, it's also stability. If you spend time developing processes and procedures on the "right way TM" to do specific things, you are working on stability. The fewer times folks need to get their fingers dirty with rights, the more secure your environment.
+__________________________________________+ "There are two major products that come out of Berkeley: LSD and [Unix] BSD. We don't believe this to be a coincidence." -Jeremy S. Anderson Kevin M. Flanagan C/S Planning Engineer III IT Systems Implementation Branch Banking & Trust 3261 Atlantic Ave Suite 116 Raleigh, NC 27604 919-716-6209 > -----Original Message----- > From: Wes Owen [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, January 09, 2002 1:24 PM > To: NT 2000 Discussions > Subject: RE: Use of administrative accounts > > > You can certainly argue both ways. > > For our service accounts no those do not get changed, but > they do not get dial in privs and they have logoff.exe as > their logon script so no one can log in with them, all of > them have randomly generated passwords. Unless needed they > do not have logon locally permissions. > > We are not talking about shared accounts here. > > It's all a matter of hardening a target and where you > prioritize security in relation to other "more useful work." > > -----Original Message----- > From: Flanagan, Kevin [mailto:[EMAIL PROTECTED]] > Sent: Wednesday, January 09, 2002 12:16 PM > To: NT 2000 Discussions > Subject: RE: Use of administrative accounts > > > I don't believe that special accounts solve anything. I have > never worked anywhere that did that. We all have the rights > that we need and use our own accounts for everything. Shared > accounts are bad, IE Administrator, there's no auditing that > can be done, not realistically anyways. > > I would bet that there are MANY things that you could do in > that arena that would get you bigger payback. IE: When was > the last time that service account passwords were changed? > Most NT4 shops don't ever change them. While they may not be > domain admins, I hope, they are likely to be local admins. > > > This has come up from time to time, I've always been able to > make it go away in favor of more useful work. > > > > > > +__________________________________________+ > "There are two major products that come out of Berkeley: LSD > and [Unix] BSD. We don't believe this to be a coincidence." > -Jeremy S. Anderson > > > Kevin M. Flanagan > C/S Planning Engineer III > IT Systems Implementation > Branch Banking & Trust > 3261 Atlantic Ave Suite 116 > Raleigh, NC 27604 > 919-716-6209 > > > -----Original Message----- > > From: Wes Owen [mailto:[EMAIL PROTECTED]] > > Sent: Wednesday, January 09, 2002 11:53 AM > > To: NT 2000 Discussions > > Subject: Use of administrative accounts > > > > > > We are in the process of implementing separate administrative > > accounts for all of our admins as part of a security project > > and trying to put as many "best practices" in place as possible. > > > > Any one else out their doing such a thing? > > > > If so, how did you implement them from a naming perspective. > > We started out adding a ADM designation on each account, but > > doing that really makes them stick out. If someone was to > > get a hold of an account list in some manner I am concerned > > that they may immediately know what accounts to go after. > > > > > > This e-mail and any files transmitted with it are > > confidential and are intended solely for the use of the > > individual or entity to whom they are addressed. If you are > > NOT the intended recipient or the person responsible for > > delivering the e-mail to the intended recipient, be advised > > that you have received this e-mail in error and that any use, > > dissemination, forwarding, printing, or copying of this > > e-mail is strictly prohibited. > > > > > > ------ > > You are subscribed as [EMAIL PROTECTED] > > Archives: http://www.swynk.com/sitesearch/search.asp > > To unsubscribe send a blank email to > [EMAIL PROTECTED] > > > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to [EMAIL PROTECTED] > > ------ > You are subscribed as [EMAIL PROTECTED] > Archives: http://www.swynk.com/sitesearch/search.asp > To unsubscribe send a blank email to [EMAIL PROTECTED] > ------ You are subscribed as [email protected] Archives: http://www.swynk.com/sitesearch/search.asp To unsubscribe send a blank email to [EMAIL PROTECTED]
