[unisog] End User Passwords and Technical Support Issues

Jim Dillon jim.dillon at cusys.edu
Tue Jan 15 18:15:01 GMT 2002

At 05:28 PM 01/14/2002 -0600, you wrote:
>Our University's Computing Acceptable Use Policies state that computer
>accounts, passwords and other authorization codes should not be shared with
>others.  Do other university's have similar statements in their Information
>Systems Acceptable Use Policies?

They do in some places now.  I'd like to see it universal.

>Our administrative network is locked down using Windows NT. The technical
>staff states that they must have the end users password in order to
>troubleshoot, diagnosis and/or setup new machines.  How do you manage the
>technical staff's need without violating the acceptable use policy of
>"sharing passwords"?

Absolutely under no circumstances should any staff member ever be 
encouraged to provide or ask for the password of another.  To do so causes 
the following:

1. A breakdown in the system of accountability
2. Insight into the user's practices
3. A degradation of the system of control and security
4. A statement/declaration that security is not a paramount concern.

If for some circumstantial reason you must assume the identity of the user 
to complete a test or diagnosis, do it through resetting (have the user 
reset) the password temporarily, a step that can create a log record of the 
event, and properly document the responsibility for events to follow.  The 
user is now not implicated falsely for the follow-on actions, and the 
user's privacy and encouragement to follow secure practices are reinforced. 
Of course, require the user to reset the password to a private, secure 
string/phrase after the service or test is complete.

Other suggestions were already made by others, such as having the user 
login for the technician, group membership rights, etc.  An unimpeachable 
trail for accountability is a key goal of authentication.  It not only 
protects the user but it protects the IT staff from false 
accusations.  Achieving a pure, proven "unimpeachable" environment is 
pretty difficult, but allowing identity adoption by anyone is a clear 
destructor of that goal.

Best regards,

Jim Dillon

Jim Dillon, CISA
IT Audit Manager
jim.dillon at cusys.edu
Phone: 303-492-9734
Dept. Phone: 303-492-9730
Fax: 303-492-9737

More information about the unisog mailing list