And this is one of the big reasons why Windows 7 Enterprise, coupled with Win2k8 UAG, is so interesting to me...
On Thu, May 6, 2010 at 05:31, ITSec Lists <[email protected]> wrote:

> Sounds good, but may become a password management nightmare. Assigning a password for a person before they leave for a trip and remembering to reset it upon return. Also, everyone being an admin is what we are trying to avoid.
>
> On Wed, May 5, 2010 at 5:27 PM, Charlie Kaiser <[email protected]> wrote:
>>
>> Our MO at my last larger multi-site client was to have individual accounts, one for each PC. That way there was no compromise of any other machine if one pw was passed around.
>> I used Steve Riley's Passgen tool to create and retrieve strong pws. Some scripting allowed me to change the local account on each machine as long as I had connectivity to it.
>>
>> Here's a link to some info about the tool...
>>
>> http://blogs.technet.com/steriley/archive/2008/09/29/passgen-tool-from-my-book.aspx
>>
>> I don't know how this will play with Vista; the remote connectivity might be problematic for the scripting part, but even if it's never scripted, the ability to set and retrieve strong local pws is significant. It allows you to create a pw, use it, change it, and still be able to retrieve it easily.
>> Worth a look...
>>
>> ***********************
>> Charlie Kaiser
>> [email protected]
>> Kingman, AZ
>> ***********************
>>
>> > -----Original Message-----
>> > From: ITSec Lists [mailto:[email protected]]
>> > Sent: Wednesday, May 05, 2010 1:13 PM
>> > To: NT System Admin Issues
>> > Subject: Kind of OT: Generic Accounts
>> >
>> > This is more of a discussion kind of question to seek possible solutions to an old problem that almost everyone with multiple sites gets affected with.
>> >
>> > There are several locations and all locations have AD implemented, using a single image everywhere. With every location having a local IT person, we could have a backdoor local account on the image and share the password with the local IT, but gradually, the password would get known by almost everyone (friend of a friend of a friend... etc.). We could have the local IT guy be admins in their environment and log on to any local machine with their own credentials. The problem arises when some senior person is in a different country and needs to install something. They could go to the local office, but what about after hours, etc.?
>> >
>> > I am sure there are several options to tackle this issue, and I wanted to get an opinion on what people do for this issue.
>> >
>> > Hypothetically, could there be an option to create a USB of some sort that is non-shareable (uses the laptop's hard disk serial number) that could be given to travellers for use in emergencies to gain admin access only on that particular machine? Obviously, it is not a fool-proof method due to the several what-ifs (loss of USB, creating an additional admin account with the admin access, etc.), but does something exist?
>> >
>> > Thanks
>> > ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
>> > ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
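Charlie's point, that a per-PC local admin password can be set, changed and later retrieved without keeping a shared password list, is easiest to see in code. The following is an added example, not Passgen and not anything posted in the thread; it assumes a keyed derivation (HMAC-SHA256 over a master secret, the computer name and a rotation counter) as one way to get that property, and the function names and sample hostnames are constructed for illustration.

```python
import hmac
import hashlib
import string

# Constructed alphabet: letters, digits and a few symbols that need no
# escaping in common shells or admin scripts.
SYMBOLS = "!#%+-=@_"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
_CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)


def meets_windows_complexity(password: str) -> bool:
    """True if at least three of the four character classes are present
    (the usual Windows 'password must meet complexity' rule)."""
    return sum(any(c in cls for c in password) for cls in _CLASSES) >= 3


def derive_machine_password(master_secret: str, computer_name: str,
                            rotation: int = 1, length: int = 20) -> str:
    """Derive a per-machine local admin password from one master secret.

    Nothing is stored per machine: the same inputs always give the same
    password, so an admin can set it, use it and retrieve it later by
    re-running the derivation. Bumping `rotation` rotates the password.
    """
    if rotation < 1 or length < 12:
        raise ValueError("rotation must be >= 1 and length >= 12")
    key = master_secret.encode("utf-8")
    # Normalise the name so 'pc01' and 'PC01' derive the same password.
    host = computer_name.strip().upper()
    limit = 256 - (256 % len(ALPHABET))  # rejection bound: unbiased sampling
    for attempt in range(64):  # deterministic retry if complexity check fails
        label = f"{host}|{rotation}|{attempt}".encode("utf-8")
        chars, counter = [], 0
        while len(chars) < length:
            block = hmac.new(key, label + counter.to_bytes(4, "big"),
                             hashlib.sha256).digest()
            counter += 1
            chars.extend(ALPHABET[b % len(ALPHABET)] for b in block if b < limit)
        password = "".join(chars[:length])
        if meets_windows_complexity(password):
            return password
    raise RuntimeError("could not derive a compliant password")  # practically unreachable


if __name__ == "__main__":
    secret = "example-master-secret-change-me"  # constructed; keep the real one offline
    for name in ("LON-PC01", "NYC-PC07"):  # constructed hostnames
        print(name, derive_machine_password(secret, name))
```

The master secret is the only thing to protect; compromise of one machine's password reveals nothing about another's, and a leaked password is retired by incrementing the rotation counter for that host.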
