Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Security Manager's Journal: Rights can be so wrong

J.F. Rice | April 3, 2013
Windows service accounts used by software are often given domain administrator rights, just because it's quick and easy. That sort of thing rubs security managers the wrong way.

Accounts run amok

Built-in administrator accounts are another target of my attention. These accounts, with full privileges on individual servers and workstations, exist by default on every Windows computer. And in my company, the passwords are all the same and haven't been changed in a long time. That means we have many former support staffers who still know our administrator password. There's no easy way to change so many passwords, and since they're used for support, a lot of people need them.

Ideally, we would set a different password on every system, but without some kind of password management system, there's no way that would work.

What we have done is that one of our Windows administrators set up a group policy to change the name of the administrator account, which makes it slightly less easy to break into. And he was able to find a way to change the password as well, so that's a step in the right direction.

It's not good enough yet, though. We need a way to change the built-in administrator account password more frequently and still be able to give our support staff the access they need to perform administration tasks on servers and end-user computers. For now, I'll establish a manual process to change the password the way our Windows administrator did, and enforce it in security policy. But I'd really like to find a better way to manage Windows credentials. They don't make it easy.

 

Previous Page  1  2 

Sign up for CIO Asia eNewsletters.