For those of you who work with Windows networks, I would like your thoughts on how you've seen, or how you think, the local administrator account on each machine should be handled.
What I've seen can be summed up as:
1. The local administrator account has no password. This is a big risk if you ever have a savvy, disgruntled employee.
2. The local administrator password is the same as the domain administrator password the day the computer/image was created. This creates problems when current passwords are changed.
3. Local passwords are something different from the domain admin, but every machine has the same password and it eventually gets out.
Better than nothing, but not good for protecting from insiders.
4. Local password is unique to every machine. Only IT staff know it, unless the user needs to know, in which case they are informed. Very safe, but places extra burden on IT staff.
So, what do you think? How do you handle them at your company?
Local administrator password policies.
Moderator: Edi
- TrailerParkJawa
- Sith Acolyte
- Posts: 5850
- Joined: 2002-07-04 11:49pm
- Location: San Jose, California
MEMBER of the Anti-PETA Anti-Facist LEAGUE
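The opening post's option 4 (a unique local administrator password on every machine, known only to IT) is the one a security engineer would pick, and the "extra burden" is scriptable. The script below is an added example, not code from anyone in this thread: it draws a per-machine password from the OS CSPRNG, sets it with `Set-LocalUser`, and writes one record per machine to a share. The share path `\\itserver\LocalAdminVault$` is a placeholder; it is assumed to exist and to have an ACL that only IT staff can read.

```powershell
#Requires -RunAsAdministrator
# Added example: per-machine local administrator password rotation (thread option 4).
# Assumes Windows 10/11 or Server 2016+ with the Microsoft.PowerShell.LocalAccounts module,
# and that $VaultPath (placeholder) is a share readable only by IT staff.
param(
    [string]$AccountName = 'Administrator',
    [int]$Length = 20,
    [string]$VaultPath = '\\itserver\LocalAdminVault$'   # placeholder, not a real share
)

function New-RandomPassword {
    param([int]$Length)
    # Alphabet without look-alike characters (0/O, 1/l/I). Each character is drawn from
    # the CSPRNG with rejection sampling so the modulo step does not bias any character.
    $alphabet = 'ABCDEFGHJKLMNPQRSTUVWXYZabcdefghjkmnpqrstuvwxyz23456789!@#$%^&*'
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    $limit = 256 - (256 % $alphabet.Length)
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    $sb.ToString()
}

$plain  = New-RandomPassword -Length $Length
$secure = ConvertTo-SecureString $plain -AsPlainText -Force

# Rotate the local account. The account's enabled/disabled state is left as it was.
Set-LocalUser -Name $AccountName -Password $secure -PasswordNeverExpires $true

# One record per machine: a leaked file exposes one machine, not the whole fleet
# (the failure mode of options 2 and 3 in the opening post).
$record = [pscustomobject]@{
    ComputerName = $env:COMPUTERNAME
    Account      = $AccountName
    Password     = $plain
    RotatedUtc   = (Get-Date).ToUniversalTime().ToString('o')
}
$record | ConvertTo-Json |
    Set-Content -Path (Join-Path $VaultPath "$($env:COMPUTERNAME).json")
$plain = $null
```

Run it from a scheduled task under SYSTEM to rotate on a fixed interval; Microsoft's LAPS automates this same per-machine rotation and stores the password in Active Directory under an ACL, which removes the plaintext record file above.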
Passwords to access the local shared drive changes every 35 days, and are unique to each user.
Passwords to the local mail server never change once the user sets up their account.
IT Admin are the only ones able to add/remove programs, and in some cases, to set the clock, defrag the hard drive, etc. Gotta love Win2000
Nitram, slightly high on cough syrup: Do you know you're beautiful?
Me: Nope, that's why I have you around to tell me.
Nitram: You -are- beautiful. Anyone tries to tell you otherwise kill them.
"A life is like a garden. Perfect moments can be had, but not preserved, except in memory. LLAP" -- Leonard Nimoy, last Tweet
- Darth Wong
- Sith Lord
- Posts: 70028
- Joined: 2002-07-03 12:25am
- Location: Toronto, Canada
- Contact:
Local admin password the same on all machines but different from the domain password. The worst someone can do with a local admin login is fuck up his own machine, which doesn't mean shit to a typical admin since he'll just use Ghost to re-image it anyway.
Making the local admin password the same as the domain admin password would be a terrible idea. And making it different on each machine would just add a lot of headaches without much discernible security benefit. Who cares if a guy fucks up his own machine? Even if he gets a virus, the worst he can do is fuck up his own files on the server (assuming the permissions are set up properly on the server so he can't run around overwriting other people's files), and if that happens, I say it serves him right.
"It's not evil for God to do it. Or for someone to do it at God's command."- Jonathan Boyd on baby-killing
"you guys are fascinated with the use of those "rules of logic" to the extent that you don't really want to discussus anything."- GC
"I do not believe Russian Roulette is a stupid act" - Embracer of Darkness
"Viagra commercials appear to save lives" - tharkûn on US health care.
http://www.stardestroyer.net/Mike/RantMode/Blurbs.html
Locking out the clock is one of the worst things to do in technical support companies. Some programs run off servers in the same time zone, and if the computer clock does not match the time on the server within a certain number of minutes, you cannot access ANY of your tools. The fucking IT idiots at my former job locked out the clock, and it was not unheard of for some people to be suddenly locked out of the system while in the middle of a call with a customer.
"If the facts are on your side, pound on the facts. If the law is on your side, pound on the law. If neither is on your side, pound on the table."
"The captain claimed our people violated a 4,000 year old treaty forbidding us to develop hyperspace technology. Extermination of our planet was the consequence. The subject did not survive interrogation."
- Darth Wong
- Sith Lord
- Posts: 70028
- Joined: 2002-07-03 12:25am
- Location: Toronto, Canada
- Contact:
Alyeska wrote:Locking out the clock is one of the worst things to do in technical support companies. Some programs run off servers in the same time zone and if the computer clock does not match the time on the server within a certain number of minutes, you can not access ANY of your tools. The fucking IT idiots at my former job locked out the clock and it was not unheard of for some people to be suddenly locked out of the system while in the middle of a call with a customer.
You don't need to open up the clock to the end-user in order to solve that problem. Simply set up an AT job which periodically runs the command "net time \\server /set /yes", where "server" is the name of your domain server, and it will periodically synchronize your computer's RTC with the domain server. Set this up on every machine by way of the Ghost image, and clock synchronization problems will be a thing of the past.
Re: Local administrator password policies.
TrailerParkJawa wrote:For those of you who work with Windows networks, I would like your thoughts on how you seen, or how you think the local administrator account on each machine should be handled.
Each of our computer labs (7) has 15 machines. In each lab the machine administrator's account has the same first four alphanumeric symbols followed by another four different alphanumeric symbols.
This is also the system for machines throughout campus and in admin offices. Actually it's a great system and not very confusing at all.
As far as domain passwords, there are three domain admin passwords: my boss, me, and the co-client manager. Below that we have two levels of domain admin passwords. To give out your password is a sure way to lose your job. LOL! We just lost our backup administrator because of that, and a few other things.
We regularly change domain admin passwords, but generally we don't do that with the labs, unless the lab supervisor suggests that it be done.
- TrailerParkJawa
- Sith Acolyte
- Posts: 5850
- Joined: 2002-07-04 11:49pm
- Location: San Jose, California
Darth Wong wrote:Local admin password the same on all machines but different from the domain password. The worst someone can do with a local admin login is fuck up his own machine, which doesn't mean shit to a typical admin since he'll just use Ghost to re-image it anyway.
Making the local admin password the same as the domain admin password would be a terrible idea. And making it different on each machine would just add a lot of headaches without much discernible security benefit. Who cares if a guy fucks up his own machine? Even if he gets a virus, the worst he can do is fuck up his own files on the server (assuming the permissions are set up properly on the server so he can't run around overwriting other people's files), and if that happens, I say it serves him right.
If I am aware that all Windows 2000 machines have the same local admin password, I can go Start --> Run, \\computername\c$, enter administrator and the local password, and jack up that machine. Most users won't know that, but it could be an issue.