LAN Security

Tags: Security
My boss and other managers keep asking me to give them the administrator password so they can install software, etc. I told them that they can install software logged on to their local machine, but that is not good enough for them. My boss just logs on to the administrator account whenever he wants. He had a corrupt profile; I gave him a new profile, and his Palm app won't let him use it logged on as himself. I asked him to allow me to reinstall his Palm software, but he won't let me. What standard policy suggestions can I use to plead my case for the administrator account? Windows 2000 NOS, XP/WIN2000 WOS, Lotus Notes Domino Server, Internet, etc.

Answer Wiki


Microsoft recently posted an interesting guide on least privilege to user accounts – it has some good points and guidelines in it – you can find it here:

http://www.microsoft.com/technet/prodtechnol/winxppro/maintain/luawinxp.mspx

It may help you to justify your stand to management and to help them to understand why you want accounts limited.

Lirria

Discuss This Question: 7 Replies

  • ItDefPat1
    First lesson about THE Administrator account: never use it; it should only be used as a last resort. Also, since this account could be utilized by a number of personnel, auditing is limited in that respect. Administrator-level accounts should only be used for managing the enterprise. There should be a lot of links at MS that bear this point out. In any reasonably secure environment, admin-type accounts might NOT have access to web and email. This prevents contamination (viruses, worms, etc.). Apply this equally to all (even yourself). To get email and web, etc., log in/switch user to a personal account. Setting a good example will probably rack up more than a few points with management. Also, it is recommended that admin-type accounts have stronger authentication. The best scenario is two-factor authentication. At least force admin-type accounts to a minimum of 14 characters (that should scare away any wannabes anyway). And yes, passwords that long can be easily remembered (but don't tell PointyHairBoss). These are realistic recommendations, and much of this is on MS and probably on searchsecurity also. Most needs to manage apps can be accomplished by the PowerUser account type. If you can convince the PHB that PowerUser is an "admin", then that might be a good compromise. Otherwise, turn on a lot of auditing for any wannabe using an admin account. If they screw up your world, you will at least have a good audit trail.
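The controls ItDefPat1 lists above (keep the built-in Administrator out of daily use, push routine users into Power Users, force a long password on admin-type accounts, and turn on auditing so misuse leaves a trail) can be checked and applied from an elevated PowerShell session. The script below is an added example written for this page, not something posted in the thread; it targets a modern Windows host (Windows 2000/XP, which the question mentions, have neither PowerShell nor auditpol, where the equivalents are `net accounts`, `net localgroup` and the Local Security Policy MMC). The `$expectedAdmins` allow-list is a constructed placeholder to adjust for your own environment.

```powershell
# Added example, not from the original thread. Run in an elevated PowerShell session.
# Assumption: the local Administrators and Power Users groups exist on this host.
# $expectedAdmins is a constructed allow-list of accounts that SHOULD hold admin rights.
$expectedAdmins = @('Administrator', 'itadmin')

# Enumerate a local group via ADSI (works on every PowerShell version, unlike
# Get-LocalGroupMember, which needs Windows 10 / Server 2016 or later).
function Get-LocalGroupMembersAdsi([string]$GroupName) {
    $group = [ADSI]"WinNT://./$GroupName,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# 1. Who actually sits in Administrators, and who is there that should not be?
$admins     = Get-LocalGroupMembersAdsi 'Administrators'
$unexpected = $admins | Where-Object { $expectedAdmins -notcontains $_ }
if ($unexpected) {
    Write-Warning "Unexpected members of Administrators: $($unexpected -join ', ')"
    # Remediation per the reply: demote them to Power Users rather than leaving them as admins, e.g.
    #   net localgroup Administrators <user> /delete
    #   net localgroup "Power Users" <user> /add
}

# 2. Enforce the 14-character minimum. This is a machine-wide local policy; a
#    per-group length (admins only) needs a domain fine-grained password policy.
net accounts /minpwlen:14

# 3. Audit logons and account/group changes so use of admin accounts is recorded.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"User Account Management" /success:enable /failure:enable
auditpol /set /subcategory:"Security Group Management" /success:enable /failure:enable

# 4. Review recent successful logons (event 4624) by the built-in Administrator.
#    Property indexes follow the 4624 event layout: 5 = TargetUserName,
#    8 = LogonType (2 interactive, 3 network, 10 RDP), 11 = WorkstationName.
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624 } -MaxEvents 500 |
    Where-Object { $_.Properties[5].Value -eq 'Administrator' } |
    Select-Object TimeCreated,
        @{ n = 'LogonType';   e = { $_.Properties[8].Value } },
        @{ n = 'Workstation'; e = { $_.Properties[11].Value } } |
    Format-Table -AutoSize
```

Step 4 is the "audit trail" the reply refers to: an interactive logon (type 2) by Administrator from a manager's workstation is exactly the evidence you want when arguing the point with management, and it is only there if step 3 was enabled beforehand.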
  • Magister99
    I've already read the last response on administrator rights; you could achieve your goal with the following operation. One possible way is to make a name interchange between a Power User account and the Administrator account (both name and password). I've tried it on my local Windows XP, and it would work fine for you. Also, depending on the OS version, it might not be possible due to OS restrictions. And don't tell your boss anything ;) Kind Regards.
  • Solutions1
    Can you describe and perhaps quantify for the relevant decision-makers the risks that your managers are creating for themselves, for each other and for their own managers? For example, admin rights not only have implications for software corruption and increased enterprise downtime, but for violations in terms of data access, data protection, and data manipulation. If an incident causes an email server not to get backed up one night, perhaps legally significant archives are not built. In these and other contexts, chances are your company has made some policy commitments either internally or externally (SARBOX, etc.) that either say or imply that your IT management processes are under control. Not having the IT environment under control can create some career-limiting risks, all for the sake of a trivial level of convenience.
  • RichardGCISSP
    Segregation of duties is required by all regulations governing most businesses. The exceptions come if you are a small 'owner operated' business that doesn't engage in online commerce. In all other cases there are Federal, State, and Local regulations requiring that customer and financial data are protected. As I mentioned above, one key protection comes under the category of 'segregation of duties'. In its simplest form this means that only authorized technology personnel manage the computer systems and the network, only authorized individuals from the financial department have access to the accounting numbers, only authorized Marketing people have access to personal customer information... etc. By doing things this way, the company minimizes its liability in cases of external audits, which can come from the IRS, the State, the SEC and now (thanks to Sarbanes-Oxley and other post-Enron legislation) include both financial audits as well as Information Security (IS) audits. In other words, it isn't sufficient to prove you filed your financial statements correctly; you now have to prove that nobody fiddled the numbers before the accountants ever saw them... and that you are doing everything reasonably possible to make sure identity thieves aren't making off with your customers' personally identifiable information (PII)... The fines are pretty hefty, so it makes sense just to follow the accepted guidelines... (ISO 17799, COSO, and COBIT are among the most popular and useful guidelines out there for companies that need to stay compliant with the different regulations.) I hope this helped. Richard Gomes, CISSP, CISA
  • ItDefPat1
    The above response (Richard) expands upon my first comment: is the Palm only managing a calendar, or is the intent to synchronize corporate client lists or corporate data (most Palms can function like portable drives)? Separation of duties and the corresponding delegation of permissions is critical.
  • TomLiotta
    I resigned two previous positions mostly because of bosses taking such actions. You don't say what your title is, nor do you give any indication of your official job description. We don't know if you're salaried or hourly or anything else. The point is that we don't know what you are legally _required_ to do. Bear in mind that if your position has _legal_ responsibilities, you d*mn well better be CYAing here. I strongly suggest that you get a clear statement of your responsibilities from HR and then work according to those responsibilities. For example, you might request a written memo from any superior who asks for Admin access. Get it in writing and keep it. If you're essentially a basic staff member, it might not be important. But if you're a salaried employee and your responsibilities include maintenance of security, then you have the right and the obligation to ask for a written record. Make sure HR knows if you can't get one. Hey, we are burdened under regulations such as SOX, etc., but we are also protected as long as _we_ follow the rules. Keep records.
  • ItDefPat1
    Getting it in writing... Another novel idea: system use policies. There should be multiple levels of policy: overall system guidance, definitions of roles, and appropriate use. Some of this might be corporate or HR, some could be written by the systems group, and some by the information security group. Different organizations of different types and sizes allocate this differently. Before you (YOU) can do something (or anything) there should be standards, policies and/or guidance. RULES. If they aren't following the rules, then check what rules you are supposed to follow. If the guidance for your position says "DON'T" and the boss says "DO", then go to a higher authority for guidance: upper management, HR, etc. If there aren't any policies, then you have bigger problems...
