I agree.

Blanket Admin Rights should be avoided.

Having said that, I will admit to flouting my own rule on occasion.


==============================================================
 ASB - http://www.ultratech-llc.com/KB/?File=~MoreInfo.TXT
==============================================================
 Automation Leads To Relaxation...
 


-----Original Message-----
From: Wes Owen [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, January 09, 2002 1:54 PM
To: NT 2000 Discussions
Subject: RE: Use of administrative accounts


Ok, but the fewer times they need admin rights, the less impact implementing
admin rights has and therefore the higher the return.

-----Original Message-----
From: Flanagan, Kevin [mailto:[EMAIL PROTECTED]] 
Sent: Wednesday, January 09, 2002 12:48 PM
To: NT 2000 Discussions
Subject: RE: Use of administrative accounts


When I say "more useful work" I put Security very high on the list, if not
the top.  I just think that the standard "security" stuff isn't always the
most bang for the buck.  If you keep folks from changing things on the fly,
that's security, it's also stability.  If you spend time developing
processes and procedures on the "right way TM" to do specific things, you
are working on stability.  The fewer times folks need to get their fingers
dirty with rights, the more secure your environment.   


+__________________________________________+
"There are two major products that come out of Berkeley: LSD and [Unix] BSD.
We don't believe this to be a coincidence." -Jeremy S. Anderson


Kevin M. Flanagan
C/S Planning Engineer III
IT Systems Implementation
Branch Banking & Trust
3261 Atlantic Ave Suite 116
Raleigh, NC  27604
919-716-6209

> -----Original Message-----
> From: Wes Owen [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, January 09, 2002 1:24 PM
> To: NT 2000 Discussions
> Subject: RE: Use of administrative accounts
> 
> 
> You can certainly argue both ways.  
> 
> For our service accounts, no, those do not get changed, but 
> they do not get dial in privs and they have logoff.exe as 
> their logon script so no one can log in with them, all of 
> them have randomly generated passwords.  Unless needed they 
> do not have logon locally permissions.
> 
> We are not talking about shared accounts here.
> 
> It's all a matter of hardening a target and where you 
> prioritize security in relation to other "more useful work."
> 
> -----Original Message-----
> From: Flanagan, Kevin [mailto:[EMAIL PROTECTED]] 
> Sent: Wednesday, January 09, 2002 12:16 PM
> To: NT 2000 Discussions
> Subject: RE: Use of administrative accounts
> 
> 
> I don't believe that special accounts solve anything.  I have 
> never worked anywhere that did that.  We all have the rights 
> that we need and use our own accounts for everything.  Shared 
> accounts are bad, IE Administrator, there's no auditing that 
> can be done, not realistically anyways.
> 
> I would bet that there are MANY things that you could do in 
> that arena that would get you bigger payback.  IE: When was 
> the last time that service account passwords were changed?  
> Most NT4 shops don't ever change them. While they may not be 
> domain admins, I hope, they are likely to be local admins.
> 
> 
> This has come up from time to time, I've always been able to 
> make it go away in favor of more useful work.
> 
> 
> > -----Original Message-----
> > From: Wes Owen [mailto:[EMAIL PROTECTED]]
> > Sent: Wednesday, January 09, 2002 11:53 AM
> > To: NT 2000 Discussions
> > Subject: Use of administrative accounts
> > 
> > 
> > We are in the process of implementing separate administrative
> > accounts for all of our admins as part of a security project 
> > and trying to put as many "best practices" in place as possible.
> > 
> > Anyone else out there doing such a thing?
> > 
> > If so, how did you implement them from a naming perspective?
> > We started out adding an ADM designation on each account, but 
> > doing that really makes them stick out.  If someone was to 
> > get a hold of an account list in some manner I am concerned 
> > that they may immediately know what accounts to go after.
