For the "credential compartmentalization", I would say it doesn't apply
well to local Windows accounts.  Credential compartmentalization
would be the opposite of single sign-on; the concept would be to have
different accounts and passwords for systems with very different
purposes and very different risk profiles.  So, for example, firewall
administrative accounts should NOT be the same as the regular user account or
email accounts.

-- Ralph Durkee, CISSP, GSEC, GCIH, GSNA, GCIA, GPEN
Principal Security Consultant


On 5/20/2011 4:39 PM, craig bowser wrote:
> BTW, WTH is "credential compartmentalization"????
>
> o_O
>
> Craig L Bowser
> ____________________________
>
> This email is measured by size.  Bits and bytes may have settled
> during transport.
>
>
>
> On Fri, May 20, 2011 at 4:39 PM, craig bowser wrote:
>
>     make sure they are not in the local admin group.
>
>
>     Craig L Bowser
>     ____________________________
>
>     This email is measured by size.  Bits and bytes may have settled
>     during transport.
>
>
>
>     On Fri, May 20, 2011 at 2:06 PM, Matthew Perry wrote:
>
>         "personal preference and credential compartmentalization" was the
>         answer I got.  My issue is getting management to back me right
>         now.
>         Also is there a group policy setting to keep users from
>         creating local accounts?
>
>         On Friday, May 20, 2011, Joel Esler wrote:
>         > Ask them why.  Then report back.  Most likely they don't
>         > need what they are asking.
>         >
>         > On May 20, 2011, at 1:24 PM, Matthew Perry wrote:
>         >
>         >> I have a few users who insist that they need a local
>         >> account on their domain laptops.  I am trying to explain to
>         >> them that their password will cache and allow them to log in
>         >> while not on the network.  It also looks like local accounts
>         >> bypass a lot of our group policy rules that we have put in
>         >> place and I do not want to have to manage local policies as
>         >> well.  Can anyone give me some more good reasons why it is bad
>         >> to use a local account instead of a domain account?
>         >>
>         >> Thanks!
>         >>
>         >> --
>         >> Matthew Perry
>         >> _______________________________________________
>         >> Pauldotcom mailing list
>         >> [email protected]
>         <mailto:[email protected]>
>         >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
>         >> Main Web Site: http://pauldotcom.com
>         >
>
>         --
>         Matthew Perry
>
>
>
>