|
 microsoft.public.windows.server.security - Supporting MS Windows network? Read here before it's too late!
|
|
If you were Registered and logged in, you could reply and use other advanced thread options
|
Posted by Eric on June 8, 2009, 9:54 am
Hello,
we have approx 10 administrators in our company.
We have several domains, several admin and services accounts stored in
a protected file.
Our problem is "What happens if one of the administrators left the
company ?"
As he had access to the protected file containing every passwords, he
could be able to use it after he left the company.
What is your password management policy in this kind of situation ?
Thank you
--
Eric
|
|
Posted by Al Dunbar on June 8, 2009, 8:06 pm
> Hello,
> we have approx 10 administrators in our company.
> We have several domains, several admin and services accounts stored in a
> protected file.
What do you mean by "a protected file"? Is this a file on a server to which
all 10 admins have access?
> Our problem is "What happens if one of the administrators left the company
> ?"
> As he had access to the protected file containing every passwords, he
> could be able to use it after he left the company.
> What is your password management policy in this kind of situation ?
An interactive, personal admin account password should exist in only two
places - in the actual account itself, and in the memory of the admin
account user. Nobody else has a reason to know the password. The account
should be disabled and/or the password reset when the user leaves.
The only time anyone needs the password of a service account is when the
service is being configured. It needs to be
|
|
Posted by Al Dunbar on June 8, 2009, 8:16 pm
>> Hello,
>> we have approx 10 administrators in our company.
>> We have several domains, several admin and services accounts stored in a
>> protected file.
> What do you mean by "a protected file"? Is this a file on a server to
> which all 10 admins have access?
>> Our problem is "What happens if one of the administrators left the
>> company ?"
>> As he had access to the protected file containing every passwords, he
>> could be able to use it after he left the company.
>> What is your password management policy in this kind of situation ?
> An interactive, personal admin account password should exist in only two
> places - in the actual account itself, and in the memory of the admin
> account user. Nobody else has a reason to know the password. The account
> should be disabled and/or the password reset when the user leaves.
> The only time anyone needs the password of a service account is when the
> service is being configured. It needs to be
[continued...]
stored for future use in a way that discourages unauthorized use. One way is
in a sealed envelope in a vault under the control of someone other than the
admins.
Of course, you cannot make people actually forget passwords they have known,
so it might not be a bad idea to change all of the service account passwords
when an admin leaves. Of course, it is almost as likely for an admin who is
not leaving to go rogue on you, so this could be overkill.
/Al
|
|
Posted by Eric on June 9, 2009, 7:00 am
Thank you for your answers.
So ok we agree that I need to change the password when one of them
admins left the company (as the file is protected in a network storage
location yes).
now my question is "How can I easily change every passwords documented
when one admin left ?"
There is a big turnover so an automatic process should be better.
I have heard about a solution from Cyber Ark but it's quite expensive.
Thanks for your help.
P.S: I precise I dont have 2008 R2 servers and the ability to modify
easily services password accounts.
>>> Hello,
>>> we have approx 10 administrators in our company.
>>> We have several domains, several admin and services accounts stored in a
>>> protected file.
>> What do you mean by "a protected file"? Is this a file on a server to which
>> all 10 admins have access?
>>> Our problem is "What happens if one of the administrators left the company
>>> ?"
>>> As he had access to the protected file containing every passwords, he
>>> could be able to use it after he left the company.
>>> What is your password management policy in this kind of situation ?
>> An interactive, personal admin account password should exist in only two
>> places - in the actual account itself, and in the memory of the admin
>> account user. Nobody else has a reason to know the password. The account
>> should be disabled and/or the password reset when the user leaves.
>> The only time anyone needs the password of a service account is when the
>> service is being configured. It needs to be
> [continued...]
> stored for future use in a way that discourages unauthorized use. One way is
> in a sealed envelope in a vault under the control of someone other than the
> admins.
> Of course, you cannot make people actually forget passwords they have known,
> so it might not be a bad idea to change all of the service account passwords
> when an admin leaves. Of course, it is almost as likely for an admin who is
> not leaving to go rogue on you, so this could be overkill.
> /Al
--
Eric
|
This Thread
If you were Registered and logged in, you could reply and use other advanced thread options
Related Posts
Latest Posts
|
|
XML Sitemap
Yahoo! 
Google 
Windows Live 
del.icio.us 
digg 
Netscape 
> we have approx 10 administrators in our company.
> We have several domains, several admin and services accounts stored in a
> protected file.