[unisog] Password vaulting

Gary Dobbins dobbins at nd.edu
Tue Feb 19 16:53:43 GMT 2008


Yes.  We instituted a very low-tech solution.  Root passwords are kept
in sealed envelopes in the operations-area safe.  When an engineer or
other authorized person needs it, they sign for it and tear the envelope
open.  That triggers a change and re-seal procedure so the envelope and
password are new for the next time.

Nice thing is this works even when automated systems may be ailing, and
human judgment is involved if there's ever an extenuating circumstance
regarding who can have an envelope.


> -----Original Message-----
> From: unisog-bounces at lists.dshield.org [mailto:unisog-
> bounces at lists.dshield.org] On Behalf Of Trevor Odonnal
> Sent: Tuesday, February 19, 2008 11:04 AM
> To: UNIversity Security Operations Group
> Subject: [unisog] Password vaulting
> 
> Hi all.  I have been asked by management to do some asking around
> to see if anybody out there is currently using any sort of
> "password vault" solution to manage administrative privileges to
> secure systems.
> 
> For those who may not be familiar with this term, a password vault
> is a system that vaults administrator or root passwords in either a
> physical vault, or electronic secure storage.  When an individual
> needs root or admin access to a secure system, he or she must have
> a valid work order or change control number to request the access.
> The password is removed from the vault and provided to the
> individual for a specific amount of time.  At the end of this time
> period, the password is changed and re-vaulted.
> 
> The obvious question is "Why not just assign admin or root
> authority to the user's account?"  That is the usual procedure.
> However, there are times when engineers need full root access to a
> system to perform their duties, or emergencies arrive when the
> privileges are needed right away.
> 
> So, is anybody using a system like this?  If so, what are you doing
> and how well is it working?  What kinds of political issues have
> you had to deal with?  Thanks in advance!
> 
> Trevor O'Donnal CISSP, CCFS, GREM
> Network Security Analyst
> Brigham Young University
> (801) 422-1477
> trevoro at byu.edu
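The envelope procedure described in this thread (sign out against a change-control ticket, time-limited access, automatic rotation and reseal) as a small added model, not code from either poster or their institutions; host names, ticket numbers and the EnvelopeVault class are hypothetical:

```python
import secrets
import string

ALPHABET = string.ascii_letters + string.digits

def new_password(length: int = 24) -> str:
    """Fresh root password from the OS CSPRNG (secrets, never random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

class EnvelopeVault:
    """Hypothetical model of the sealed-envelope procedure: one envelope
    per host, either sealed or torn open, with every transition appended
    to an audit trail. Times are plain Unix seconds."""

    def __init__(self, hosts, open_tickets):
        self.envelopes = {h: {"password": new_password(), "holder": None, "expires": None}
                          for h in hosts}
        self.open_tickets = set(open_tickets)   # valid change-control numbers
        self.audit = []                         # (time, host, who, event)

    def checkout(self, host, who, ticket, now, ttl=3600):
        """Tear the envelope: requires an open ticket and a sealed envelope."""
        env = self.envelopes[host]
        if ticket not in self.open_tickets:
            self.audit.append((now, host, who, f"DENIED unknown ticket {ticket}"))
            raise PermissionError("checkout needs an open change-control ticket")
        if env["holder"] is not None:
            self.audit.append((now, host, who, "DENIED envelope already torn"))
            raise RuntimeError("envelope already torn; wait for reseal")
        env["holder"], env["expires"] = who, now + ttl
        self.audit.append((now, host, who, f"CHECKOUT {ticket} until {env['expires']}"))
        return env["password"]

    def reseal(self, host, now):
        """Rotate the password and seal a new envelope; the old value is dead."""
        env = self.envelopes[host]
        old = env["password"]
        env.update(password=new_password(), holder=None, expires=None)
        self.audit.append((now, host, None, "RESEAL password rotated"))
        return old != env["password"]

    def sweep(self, now):
        """Reseal every envelope whose window has lapsed; return hosts rotated."""
        lapsed = [h for h, e in self.envelopes.items()
                  if e["expires"] is not None and e["expires"] <= now]
        for h in lapsed:
            self.reseal(h, now)
        return lapsed
```

Running sweep() from a scheduler gives the "change and re-seal" step even when nobody remembers to return the envelope, and the audit list is the sign-out sheet.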