Posted by Eric on June 8, 2009, 9:54 am
Hello,
we have approx. 10 administrators in our company.
We have several domains, and several admin and service accounts stored in
a protected file.
Our problem is "What happens if one of the administrators leaves the
company?"
As he had access to the protected file containing every password, he
could still use them after he left the company.
What is your password management policy in this kind of situation?
Thank you
--
Eric
Posted by Al Dunbar on June 8, 2009, 8:06 pm
> Hello,
> we have approx. 10 administrators in our company.
> We have several domains, and several admin and service accounts stored in a
> protected file.
What do you mean by "a protected file"? Is this a file on a server to which
all 10 admins have access?
> Our problem is "What happens if one of the administrators leaves the
> company?"
> As he had access to the protected file containing every password, he
> could still use them after he left the company.
> What is your password management policy in this kind of situation?
An interactive, personal admin account password should exist in only two
places - in the actual account itself, and in the memory of the admin
account user. Nobody else has a reason to know the password. The account
should be disabled and/or the password reset when the user leaves.
The only time anyone needs the password of a service account is when the
service is being configured. It needs to be
Posted by Al Dunbar on June 8, 2009, 8:16 pm
>> Hello,
>> we have approx. 10 administrators in our company.
>> We have several domains, and several admin and service accounts stored in a
>> protected file.
> What do you mean by "a protected file"? Is this a file on a server to
> which all 10 admins have access?
>> Our problem is "What happens if one of the administrators leaves the
>> company?"
>> As he had access to the protected file containing every password, he
>> could still use them after he left the company.
>> What is your password management policy in this kind of situation?
> An interactive, personal admin account password should exist in only two
> places - in the actual account itself, and in the memory of the admin
> account user. Nobody else has a reason to know the password. The account
> should be disabled and/or the password reset when the user leaves.
> The only time anyone needs the password of a service account is when the
> service is being configured. It needs to be
[continued...]
stored for future use in a way that discourages unauthorized use. One way is
in a sealed envelope in a vault under the control of someone other than the
admins.
Of course, you cannot make people actually forget passwords they have known,
so it might not be a bad idea to change all of the service account passwords
when an admin leaves. Of course, it is almost as likely for an admin who is
not leaving to go rogue on you, so this could be overkill.
/Al
Posted by Eric on June 9, 2009, 7:00 am
Thank you for your answers.
So OK, we agree that I need to change the passwords when one of the
admins leaves the company (yes, the file is protected in a network storage
location).
Now my question is "How can I easily change every documented password
when one admin leaves?"
There is a big turnover, so an automatic process would be better.
I have heard about a solution from Cyber Ark, but it's quite expensive.
Thanks for your help.
P.S.: I should point out that I don't have 2008 R2 servers or the ability
to easily modify service account passwords.
>>> Hello,
>>> we have approx. 10 administrators in our company.
>>> We have several domains, and several admin and service accounts stored in a
>>> protected file.
>> What do you mean by "a protected file"? Is this a file on a server to which
>> all 10 admins have access?
>>> Our problem is "What happens if one of the administrators leaves the
>>> company?"
>>> As he had access to the protected file containing every password, he
>>> could still use them after he left the company.
>>> What is your password management policy in this kind of situation?
>> An interactive, personal admin account password should exist in only two
>> places - in the actual account itself, and in the memory of the admin
>> account user. Nobody else has a reason to know the password. The account
>> should be disabled and/or the password reset when the user leaves.
>> The only time anyone needs the password of a service account is when the
>> service is being configured. It needs to be
> [continued...]
> stored for future use in a way that discourages unauthorized use. One way is
> in a sealed envelope in a vault under the control of someone other than the
> admins.
> Of course, you cannot make people actually forget passwords they have known,
> so it might not be a bad idea to change all of the service account passwords
> when an admin leaves. Of course, it is almost as likely for an admin who is
> not leaving to go rogue on you, so this could be overkill.
> /Al
--
Eric
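One way to automate the rotation Eric asks for, as an added example that is not from this thread or from any vendor product: reset each service account's password through ADSI (no 2008 R2 AD module needed) and push the new credential to the Windows services that run under it via WMI. Assumed and constructed: the NetBIOS domain name CORP, an input file accounts.csv with columns Account,Servers (servers separated by ";"), and that the script runs under an account allowed to reset passwords and administer the listed servers.

```powershell
# Added example: rotate service-account passwords and update the services
# that use them. Assumptions (constructed): domain "CORP", accounts.csv with
# columns Account,Servers, e.g.  svc_backup,srv1;srv2
param(
    [string]$Domain = "CORP",
    [string]$Csv    = ".\accounts.csv"
)

function New-RandomPassword([int]$Length = 24) {
    # Cryptographically random password from a mixed character set.
    $chars = [char[]]"ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#%^&*"
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

foreach ($row in Import-Csv $Csv) {
    $account = "$Domain\$($row.Account)"
    $newPwd  = New-RandomPassword

    # 1. Reset the account password in the domain (ADSI WinNT provider).
    $user = [ADSI]"WinNT://$Domain/$($row.Account),user"
    $user.SetPassword($newPwd)
    $user.SetInfo()

    # 2. On each server, find services running as this account and give
    #    them the new password, then restart them so it takes effect.
    $updated = 0
    foreach ($server in ($row.Servers -split ';')) {
        $services = Get-WmiObject -ComputerName $server -Class Win32_Service |
            Where-Object { $_.StartName -eq $account }
        foreach ($svc in $services) {
            # Win32_Service.Change: only StartName and StartPassword are set;
            # $null leaves the other parameters unchanged.
            $rc = $svc.Change($null, $null, $null, $null, $null, $null,
                              $account, $newPwd)
            if ($rc.ReturnValue -ne 0) {
                Write-Warning "$server\$($svc.Name): Change() returned $($rc.ReturnValue)"
                continue
            }
            [void]$svc.StopService();  Start-Sleep -Seconds 5
            [void]$svc.StartService(); $updated++
        }
    }

    # 3. Hand $newPwd to the out-of-band store (vault / sealed envelope)
    #    instead of writing it back to the shared file; never log it.
    Write-Output "$account rotated; $updated service(s) updated"
}
```

Run it for a subset first, because a service whose password is reset but not successfully updated (non-zero ReturnValue) will fail at its next restart.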