How do I manage passwords on the built-in administrator account?

"Everyone knows that you should set a strong password on the built-in 
Administrator account..."
"It is also critical that you set unique passwords on the built-in 
Administrator account..."
"You might consider using a blank password on the local Administrator 
account..."

The VP is obviously focusing on the last paragraph and ignoring the preceding 
ones and their arguments. That last paragraph stresses a) physical security and 
b) one cannot log on over the network with a blank password by default. Thus 
this is not a blanket recommendation of using a blank password but rather a 
suggestion that this route could be used as long as two criteria are met. The 
preceding paragraphs are completely unambiguous in their recommendations while 
the last one is only suggesting. All he's doing is making a good case for 
executives to focus on what they do best (lead and direct) and allow the people 
to whom they have delegated authority to handle the rest of the details.

The author's paragraph on account lockout makes some good points indeed. One 
sentence in particular caught my attention: "...because people will always 
choose bad passwords no matter what we do." When I was at MS we had a phrase we 
used between us: "there are no technological solutions to behavioral problems." 
The last section ("People are the weakest link...") attempts to address this.

Overall I would say your VP has hit the high points and is exposing the 
behavioral problem of wanting the path of least resistance. The bottom line is 
there is no lock so secure that it can completely resist being picked open; 
that does not mean one should abandon using locks. Physical security is 
paramount; I can crack the password on any Windows account as long as I have 
physical access; I run the risk of losing encrypted data tied to that account 
but I'll own the machine. To put it another way: breaking into a house or 
breaking into a computer both start with physical access; once that is gained 
it's all technique and tools. No unauthorized person should ever be able to get 
within twenty feet of a server, especially a DC. Workstations are a different 
case, of course - with them physical access is a given leaving passwords as the 
only defense.

That's just my opinion; I could be wrong.


Daniel Chenault
[email protected]
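As an added illustration of the three settings argued over in this thread (not code from the thread or from the Microsoft article), the following PowerShell audit snippet reports, for the local machine, whether blank-password local accounts are blocked from network logon (the precondition the article's blank-password paragraph relies on), the state of the built-in Administrator account located by its RID 500, and whether account lockout is enabled. It assumes Windows 10 / Server 2016 or later for Get-LocalUser (the LocalAccounts module is not available on a domain controller), an elevated prompt, and English-language output from `net accounts`; it cannot tell whether the password itself is blank, only whether a blank one would be usable remotely.

```powershell
# Added audit snippet (not from the thread): checks the settings the thread
# argues about on the local machine. Assumes Windows 10 / Server 2016 or later
# (Microsoft.PowerShell.LocalAccounts), an elevated prompt, and English
# 'net accounts' output. Not usable as-is on a domain controller.

$report = [ordered]@{}

# 1. "Accounts: Limit local account use of blank passwords to console logon only".
#    Backed by LimitBlankPasswordUse under the Lsa key; 1 (the default) means a
#    blank-password local account cannot log on over the network. If the value
#    is absent, Windows behaves as if it were 1.
$lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' `
                        -Name 'LimitBlankPasswordUse' -ErrorAction SilentlyContinue
$limitBlank = if ($null -eq $lsa) { 1 } else { [int]$lsa.LimitBlankPasswordUse }
$report['BlankPasswordNetworkLogonBlocked'] = ($limitBlank -eq 1)

# 2. Built-in Administrator, found by RID 500 rather than by name, since the
#    account is often renamed. PasswordLastSet is reported; whether the password
#    is blank cannot be read from here.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$report['BuiltinAdminName']            = $builtinAdmin.Name
$report['BuiltinAdminEnabled']         = $builtinAdmin.Enabled
$report['BuiltinAdminPasswordLastSet'] = $builtinAdmin.PasswordLastSet

# 3. Account lockout threshold from 'net accounts'; "Never" means lockout is off.
#    Locale assumption: the English label "Lockout threshold:".
$line      = (net accounts | Select-String 'Lockout threshold:').Line
$threshold = ($line -replace '.*:\s*', '').Trim()
$report['LockoutThreshold']      = $threshold
$report['AccountLockoutEnabled'] = ($threshold -ne 'Never')

[pscustomobject]$report | Format-List

# Flag the combinations the thread warns about: a blank built-in Administrator
# password is only defensible when blank passwords are blocked from network
# logon, and with lockout off a reachable account is open to online guessing.
if (-not $report['BlankPasswordNetworkLogonBlocked']) {
    Write-Warning 'Blank passwords are usable over the network: a blank built-in Administrator password is NOT safe on this host.'
}
if (-not $report['AccountLockoutEnabled']) {
    Write-Warning 'Account lockout is disabled: online password guessing against local accounts is unthrottled.'
}
```

The physical-access point made above is out of scope for this script: none of these settings helps once someone can boot the box into safe mode or from other media.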

From: Kennedy, Jim [mailto:[email protected]]
Sent: Thursday, June 14, 2012 8:35 AM
To: NT System Admin Issues
Subject: RE: What is your take on this (built-in admin password and account 
lockout)

They have a point on the server admin account being blank. Their requirement is 
physically secure and deny network logon/access for that account. Considering 
you can hit a server physically, F8 it and reboot in safe mode and pop right in, 
a password does make a password rather pointless... again, if you meet their 
requirements.

Account lockout off I am not so sure about. Without it, how many people would 
still be infected with Conficker and not know it?


From: Christopher Bodnar [mailto:[email protected]]
Sent: Thursday, June 14, 2012 9:06 AM
To: NT System Admin Issues
Subject: What is your take on this (built-in admin password and account lockout)

One of our VP's just ran across this article and is asking for my input:

http://technet.microsoft.com/en-us/library/cc512606.aspx

Which seems to be recommending two things:

Leave the built-in administrator password blank
There is no need for account lockout to be enabled

I disagree with both assumptions. I also find it odd that this is a MS 
recommendation. I'd like to hear others thoughts on these comments.

Thanks,

Christopher Bodnar
Enterprise Architect I, Corporate Office of Technology: Enterprise Architecture 
and Engineering Services

Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
[email protected]


The Guardian Life Insurance Company of America

www.guardianlife.com



----------------------------------------- This message, and any attachments to 
it, may contain information that is privileged, confidential, and exempt from 
disclosure under applicable law. If the reader of this message is not the 
intended recipient, you are notified that any use, dissemination, distribution, 
copying, or communication of this message is strictly prohibited. If you have 
received this message in error, please notify the sender immediately by return 
e-mail and delete the message and any attachments. Thank you.

~ Finally, powerful endpoint security that ISN'T a resource hog! ~
~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~

---
To manage subscriptions click here: 
http://lyris.sunbelt-software.com/read/my_forums/
or send an email to 
[email protected]<mailto:[email protected]>
with the body: unsubscribe ntsysadmin
