Tuesday, November 25, 2008

Simple but dreadful, part 3 - Workstation local administrator

The logic behind risk management leads almost all companies to focus on protecting their servers instead of spending time on the workstations. Although it seems to make sense, it is important to note that people access, generate and input information on sensitive applications and servers mostly through their workstations. Owning the workstations of an organization can be as bad as owning its servers.

One of the easiest ways to do that is to identify how the organization deals with the local administrator account of the workstations. Setting a password for the local admin account seems to be an easy thing to do, but when you have thousands of workstations it can really become a nightmare. Some companies try to set a single strong password for all workstations, but that means if this password is compromised the keys to the whole kingdom are lost. You may think that using a very strong password can prevent problems from offline cracking (together with disabling LanMan password hashes, etc. - I assume you know the basics about Windows passwords), but remember that if a single guy from IT support (the guys who know that password) is fired or discloses the password to someone outside the entitled circle, you will have to change it on ALL workstations. Now, if you can do that (yes, there are lots of companies that are not even prepared to do that), it would be a good idea to start thinking about using a different password for each workstation. You may think I'm crazy, but there are tools that allow you to do that in a pretty decent (and secure) way, from a central location and with a lot of controls over who accesses those passwords.

Also remember that if you properly manage permissions on those workstations you will most likely never use that password. You will have a group of administrators in the "local admin" group of each box, meaning that they won't need the admin account to do anything there, giving you the bonus of better accountability.

Some things to avoid when defining your strategy to manage workstation local admin passwords:

  • Logon scripts with clear text passwords (noooo!!!!!!!!!!)

  • Scripts from SMS or other central management tools with clear text passwords (believe me, the users will find them!)

  • That-same-very-secret-password-that-only-those-ten-guys-know-about-for-all-boxes mistake (yes, I mentioned that before. Just in case)

  • Different passwords generated by a "security by obscurity" algorithm that uses the name of the workstation as input. Hey, if it's a bad idea for encryption, why would it be a good idea for passwords?
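To make the "central location with controls over who accesses those passwords" idea concrete, here is an added example (not code from the original post, and not any particular product): a small in-memory store that gives every workstation its own random password, lets only entitled staff read or rotate them, writes an audit entry for every attempt, and, when a support engineer leaves, rotates only the passwords that person actually retrieved instead of the whole fleet. Hostnames, staff names and the in-memory store are constructed for the demonstration; a real deployment would back this with an encrypted database and directory-based authentication.

```python
"""Per-workstation local admin password store with access control and audit trail.

Added example, not code from the original post. Hostnames, staff names and
the in-memory store are constructed for the demonstration.
"""
import secrets
import string
from datetime import datetime, timezone

# Characters drawn from when generating passwords.
ALPHABET = string.ascii_letters + string.digits + "!#%&*+-=?@^_~"


def generate_password(length: int = 20) -> str:
    """Return a random password unrelated to the hostname or to any other password.

    Uses the secrets module (CSPRNG), so learning one workstation's password
    reveals nothing about the others, unlike a scheme that derives the
    password from the workstation name.
    """
    if length < 12:
        raise ValueError("local admin passwords should be at least 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class LocalAdminVault:
    """Central store: one random password per workstation, access-controlled and audited."""

    def __init__(self, entitled_staff):
        self._entitled = set(entitled_staff)  # who may read or rotate passwords
        self._passwords = {}                   # hostname -> current password
        self.audit = []                        # (timestamp, actor, action, hostname, allowed)

    def _record(self, actor, action, hostname, allowed):
        self.audit.append((datetime.now(timezone.utc), actor, action, hostname, allowed))

    def _check(self, actor, action, hostname):
        """Log the attempt, then refuse it if the actor is not entitled."""
        allowed = actor in self._entitled
        self._record(actor, action, hostname, allowed)
        if not allowed:
            raise PermissionError(f"{actor} is not entitled to {action} {hostname}")

    def rotate(self, hostname, actor):
        """Set a fresh random password for one workstation."""
        self._check(actor, "rotate", hostname)
        self._passwords[hostname] = generate_password()
        return self._passwords[hostname]

    def retrieve(self, hostname, actor):
        """Hand out one workstation's password; every retrieval is logged."""
        self._check(actor, "retrieve", hostname)
        return self._passwords[hostname]

    def hosts_seen_by(self, actor):
        """Workstations whose password this person has successfully read or set."""
        return sorted({h for _, a, act, h, ok in self.audit
                       if a == actor and ok and act in ("retrieve", "rotate")})

    def offboard(self, leaver, actor):
        """Remove a leaver and rotate only the passwords they could know."""
        self._entitled.discard(leaver)
        rotated = []
        for host in self.hosts_seen_by(leaver):
            self.rotate(host, actor)
            rotated.append(host)
        return rotated


def demo():
    """Walk through rollout, one support lookup and an offboarding (constructed data)."""
    vault = LocalAdminVault(entitled_staff={"alice", "bob"})
    hosts = ["WKS-0001", "WKS-0002", "WKS-0003"]  # constructed hostnames
    for h in hosts:
        vault.rotate(h, "alice")
    # bob looks up a single machine for a support call
    bob_pw = vault.retrieve("WKS-0002", "bob")
    # bob leaves: only WKS-0002 needs a new password, not every workstation
    rotated = vault.offboard("bob", "alice")
    return vault, hosts, bob_pw, rotated


if __name__ == "__main__":
    vault, hosts, bob_pw, rotated = demo()
    print("rotated after offboarding:", rotated)
    for entry in vault.audit:
        print(entry)
```

The point of the audit trail is the `offboard` step: with a shared password you must touch every box when someone leaves; with per-host passwords and a record of who retrieved what, the blast radius of a departure or a disclosure is just the machines that person looked up.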
