[unisog] Admin Password Management

PaulFM paulfm at me.umn.edu
Wed Feb 23 17:56:01 GMT 2005


Here is a suggestion:

On most Unix systems, you can change the admin password by booting from a CD 
(or the network) and you can do the same with Windows (one of those Linux 
systemrescue CDs - they work slick).  Keeping that in mind, set the 
administrative password on Windows machines to a random 128 character string 
that you don't remember (maybe always use one character that is nearly 
impossible to type on a keyboard) - on Unix set it to * so root can't log in 
with a password.  In an emergency use one of those CDs to get administrative 
access.  Otherwise for Unix - use ssh keys or sudo; for Windows, use a domain 
administrator account.  Of course you still have to manage the BIOS passwords 
for the machine (which you would have to do anyway - don't forget to set the 
machine to only boot from the hard drive).

Note: also set up the security policy so local administrators don't have 
access to the machine via the network, nor through the remote desktop (and 
disable the run-as service).

Marc Wallman wrote:

> On Tue, 22 Feb 2005, Chris Green wrote:
> 
>> How do people ensure that admin passwords stay up to date, especially as
>> part of restoration procedures?  The popular method here has been to
>> have a text file per group delivered to a safe with Director level
>> access.  The big problem with this is auditing the passwords and
>> ensuring that everyone coughs up the goods each round of change.
>>
>> http://www.e-dmzsecurity.com/par.html seems like an interesting idea.
>> Not sure I'd trust a new webapp enough to perform this function.
>>
>> Does anyone have solutions in place other than a cron job reminder to
>> administrators? :)
> 
> 
> We use GNU Privacy Guard to encrypt text files with admin
> passwords. The files are encrypted with the public keys of
> only those system administrators who need access. We keep one file
> per host. The file contains passwords for both system accounts and
> accounts within applications (e.g. databases). We have developed
> some scripts to make it easy to encrypt/decrypt these files with
> all the necessary keys. I can provide more information if people are
> interested.
> 
> Our policies state that sysadmins need to update these files
> whenever a password changes. I follow up on this during weekly
> meetings to be sure that any maintenance that involves a password
> change results in these files getting updated.

-- 
---------------------------------------------------------------------
The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
---------------------------------------------------------------------
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
---------------------------------------------------------------------
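As an added example (not code from PaulFM's post or from any other participant in the thread), here is a small bash script that audits the Unix half of the scheme above and mints the throwaway Windows password. It checks that an account's shadow entry is locked (a `*` or `!` marker, so no password login is possible), reports how sshd treats root logins, and generates a random 128-character string from /dev/urandom. The checks take file paths so they can be run against copies of /etc/shadow and sshd_config without root. Assumptions: the function names are my own; the sample shadow and sshd_config contents in the demo are constructed, not real system data; and when PermitRootLogin is unset the script assumes the "yes" default of OpenSSH releases current in 2005 (newer releases default to prohibit-password, so adjust the fallback to the version you run).

```bash
#!/usr/bin/env bash
# Added example, not code from the original post. Helpers for auditing the
# "lock root, use ssh keys or sudo" approach. Names and sample data are
# the author of this example's own.

# Exit 0 if the account's password field in the given shadow file is locked
# ('*', '!', '!!', '*LK*', or a hash prefixed with '!'), 1 if a password
# login is still possible (including an empty field), 2 if the account is
# absent from the file.
account_locked() {
    local shadow_file=$1 user=$2 line field
    line=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$shadow_file")
    [ -n "$line" ] || return 2
    field=$(printf '%s\n' "$line" | cut -d: -f2)
    case $field in
        '*'*|'!'*) return 0 ;;   # locked marker or disabled hash
        *)         return 1 ;;   # empty field or a usable hash
    esac
}

# Print the effective PermitRootLogin value from an sshd_config. The first
# uncommented directive wins, as in sshd itself; Match blocks are not
# evaluated here. Assumption: unset means "yes" (2005-era OpenSSH default).
sshd_permit_root_login() {
    local v
    v=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    printf '%s\n' "${v:-yes}"
}

# Print an n-character password (default 128) drawn from /dev/urandom and
# restricted to printable ASCII so it can be pasted into a Windows password
# dialog once and then forgotten, which is the point of the scheme.
random_password() {
    local n=${1:-128}
    head -c 8192 /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9!#%+,.:=@_-' | head -c "$n"
    echo
}

# Demonstration on constructed sample files (not real system data).
demo() {
    local dir rc u
    dir=$(mktemp -d)
    printf 'root:*:13000:0:99999:7:::\n' > "$dir/shadow"
    printf 'alice:$6$salt$hash:13000:0:99999:7:::\n' >> "$dir/shadow"
    printf 'bob::13000:0:99999:7:::\n' >> "$dir/shadow"
    printf '#PermitRootLogin yes\nPermitRootLogin without-password\n' > "$dir/sshd_config"

    for u in root alice bob carol; do
        account_locked "$dir/shadow" "$u" && rc=0 || rc=$?
        case $rc in
            0) echo "$u: locked, password login impossible" ;;
            2) echo "$u: no such account" ;;
            *) echo "$u: PASSWORD LOGIN POSSIBLE" ;;
        esac
    done
    echo "sshd PermitRootLogin: $(sshd_permit_root_login "$dir/sshd_config")"
    echo "throwaway Windows admin password: $(random_password 128)"
    rm -rf "$dir"
}

demo
```

Run it against the live files with `account_locked /etc/shadow root` and `sshd_permit_root_login /etc/ssh/sshd_config` from a cron job or a config-management check; a result of "without-password" or "prohibit-password" together with a locked root entry matches the ssh-keys-only setup described in the post, while "yes" with an unlocked root entry means the rescue-CD reasoning does not yet apply.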