[unisog] Admin Password Management

PaulFM paulfm at me.umn.edu
Wed Feb 23 17:56:01 GMT 2005

Here is a suggestion:

On most unix systems, you can change the admin password by booting from a cd 
(or the network) and you can do the same with windows (one of those linux 
systemrescue cds - they work slick).  Keeping that in mind, set the 
administrative password on windows machines to a random 128 character string 
that you don't remember (maybe always use one character that is nearly 
impossible to type on a keyboard) - on unix set it to * so root can't log in 
with a password.  In an emergency use one of those CDs to get administrative 
access.  Otherwise for Unix - use ssh keys or sudo, for Windows, use a domain 
administrator account.  Of course you still have to manage the bios passwords 
for the machine (which you would have to do anyway - don't forget to set the 
machine to only boot from the hard-drive).

Note: also set up the security policy so local administrators don't have 
access to the machine via the network, nor through the remote desktop (and 
disable the run-as service).

Marc Wallman wrote:

> On Tue, 22 Feb 2005, Chris Green wrote:
>> How do people ensure that admin passwords stay up to date, especially as
>> part of restoration procedures?  The popular method here has been to 
>> have a
>> text file per group delivered to a safe with Director level access.  
>> The big
>> problem with this is auditing the passwords and ensuring that everyone
>> coughs up the goods each round of change.
>> http://www.e-dmzsecurity.com/par.html seems like an interesting idea.  
>> Not
>> sure I'd trust a new webapp enough to perform this function.
>> Does anyone have solutions in place other than a cron job reminder to
>> administrators? :)
> We use GNU Privacy Guard to encrypt text files with admin
> passwords. The files are encrypted with the public keys of
> only those system administrators who need access. We keep one file
> per host. The file contains passwords for both system accounts and
> accounts within applications (e.g. databases). We have developed
> some scripts to make it easy to encrypt/decrypt these files with
> all the necessary keys. I can provide more information if people are
> interested.
> Our policies state that sysadmins need to update these files
> whenever a password changes. I follow up on this during weekly
> meetings to be sure that any maintenance that involves a password
> change results in these files getting updated.

The views and opinions expressed above are strictly
those of the author(s).  The content of this message has
not been reviewed nor approved by any entity whatsoever.
Paul F. Markfort   Info/Web: http://www.menet.umn.edu/~paulfm
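As an added illustration of the scheme Marc describes (one GPG-encrypted file per host, encrypted to the keys of every sysadmin who needs it) together with the auditing problem Chris raises, here is a small POSIX shell script. It is example code written for this page, not Marc's scripts and not part of the original thread. It assumes a directory `$VAULT` containing a `roster` file (one key fingerprint per line) and `<host>.gpg` files, and it assumes a gpg 2.x command line; `audit_vault` compares the encryption key IDs each file was actually encrypted to against the current roster, so a file that still names a departed admin's key, or that was never re-encrypted for a new one, is reported as drift.

```shell
#!/bin/sh
# Per-host admin password files encrypted to a roster of sysadmin keys,
# plus an audit that flags files whose recipient set differs from the roster.
# Assumed layout (an assumption for this example, not from the original post):
#   $VAULT/roster        one GPG key fingerprint per line (fingerprints avoid
#                        the substring matching that user-id lookups allow)
#   $VAULT/<host>.gpg    encrypted password file for <host>
#   $VAULT/<host>.txt    plaintext, present only while being edited
set -eu

VAULT="${VAULT:-./vault}"
GPG="gpg --batch --no-tty --yes --quiet"

# Expand the roster into a list of -r options for gpg.
roster_recipients() {
    while read -r key; do
        [ -n "$key" ] && printf -- '-r %s ' "$key"
    done < "$VAULT/roster"
}

# Encrypt $VAULT/<host>.txt to every roster key, then remove the plaintext.
encrypt_host_file() {
    host="$1"
    # --trust-model always: roster membership is the trust decision here,
    # so web-of-trust validity is deliberately not consulted.
    # shellcheck disable=SC2046
    $GPG --trust-model always $(roster_recipients) \
        -o "$VAULT/$host.gpg" -e "$VAULT/$host.txt"
    rm -f "$VAULT/$host.txt"
}

# Decrypt to stdout only; never write the plaintext to shared storage.
decrypt_host_file() {
    $GPG -d "$VAULT/$1.gpg"
}

# Long key IDs a file is encrypted to, read from its public-key ESK packets.
# Note these are the IDs of the encryption subkeys, not the primary keys.
file_recipients() {
    $GPG --list-packets "$1" \
        | sed -n 's/^:pubkey enc packet:.*keyid \([0-9A-Fa-f]*\).*/\1/p' \
        | tr 'a-f' 'A-F' | sort -u
}

# Long key IDs of the encryption-capable (sub)keys of every roster entry,
# taken from the keyring (field 12 of --with-colons output lists capabilities;
# a lowercase 'e' means this particular key can encrypt).
roster_keyids() {
    while read -r key; do
        [ -n "$key" ] && $GPG --list-keys --with-colons "$key" \
            | awk -F: '($1=="pub" || $1=="sub") && $12 ~ /e/ {print $5}'
    done < "$VAULT/roster" | sort -u
}

# Print "DRIFT <host>" for every file whose recipients are not exactly the
# roster (stale or unknown key present, or a current admin missing).
# Returns 1 if any drift was found, 0 otherwise.
audit_vault() {
    want=$(roster_keyids)
    rc=0
    for f in "$VAULT"/*.gpg; do
        [ -e "$f" ] || continue
        have=$(file_recipients "$f")
        if [ "$have" != "$want" ]; then
            echo "DRIFT $(basename "$f" .gpg)"
            rc=1
        fi
    done
    return $rc
}
```

Usage is `encrypt_host_file db01` after editing `$VAULT/db01.txt`, `decrypt_host_file db01` when a password is needed, and `audit_vault` from a scheduled job; a non-zero exit from the audit is the signal that a roster change was not followed by re-encryption, which is the gap the weekly meeting in Marc's process is there to catch.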
