Admin Accounts

Discussion in 'Computer Security' started by Leo, Sep 15, 2004.

  1. Leo

    Leo Guest

    My Co. has banned the use of privileged accounts (admin or Domain admin
    group membership) for day to day use within the IT group. This is, of
    course, a good idea but hard for most to swallow. The main argument is that
    if you're not doing work that requires Admin Priv then don't use the account.
    Rather, use the 'Run As' function when Admin rights are necessary.

    The Argument is that in the event of a worm infiltration if an IT person
    gets infected it will not spread under the admin account but just a 'normal'
    user account.

    Is anyone else using this or similar practices? How did you sell it to the
    IT rank and file? Any thoughts or consideration are appreciated.

    Leo
    Leo, Sep 15, 2004
    #1

  2. Leo

    Jim Watt Guest

    On Tue, 14 Sep 2004 21:38:27 -0400, "Leo" <> wrote:

    >if you're not doing work that requires Admin Priv then don't use the account.


    What's the objection to that?
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 15, 2004
    #2

  3. Leo

    void Guest

    In article <41479b98$0$2650$>, says...
    > My Co. has banned the use of privileged accounts (admin or Domain admin
    > group membership) for day to day use within the IT group. This is, of
    > course, a good idea but hard for most to swallow. The main argument is that
    > if you're not doing work that requires Admin Priv then don't use the account.
    > Rather, use the 'Run As' function when Admin rights are necessary.
    >
    > The Argument is that in the event of a worm infiltration if an IT person
    > gets infected it will not spread under the admin account but just a 'normal'
    > user account.
    >
    > Is anyone else using this or similar practices? How did you sell it to the
    > IT rank and file? Any thoughts or consideration are appreciated.


    Why do you have to sell it - any good IT person understands it,
    understands the reason behind it, and would welcome that the company has
    taken steps to secure their systems. Most apps and users don't need the
    Admin level of access except to install/change apps.

    --
    --

    (Remove 999 to reply to me)
    void, Sep 15, 2004
    #3
  4. Leo

    Kerry Liles Guest

    Many companies have that policy; it is a sound one. "Run As" was developed
    for just that purpose.
    Unix users don't log in as root, they use 'su' to switch user context to
    'root' = same thing.

    Nothing to sell except 'doing it the right way'



    "Leo" <> wrote in message
    news:41479b98$0$2650$...
    > My Co. has banned the use of privileged accounts (admin or Domain admin
    > group membership) for day to day use within the IT group. This is, of
    > course, a good idea but hard for most to swallow. The main argument is that
    > if you're not doing work that requires Admin Priv then don't use the account.
    > Rather, use the 'Run As' function when Admin rights are necessary.
    >
    > The Argument is that in the event of a worm infiltration if an IT person
    > gets infected it will not spread under the admin account but just a 'normal'
    > user account.
    >
    > Is anyone else using this or similar practices? How did you sell it to the
    > IT rank and file? Any thoughts or consideration are appreciated.
    >
    > Leo
    Kerry Liles, Sep 15, 2004
    #4
  5. Leo

    Colin B. Guest

    Leo <> wrote:
    > My Co. has banned the use of privileged accounts (admin or Domain admin
    > group membership) for day to day use within the IT group. This is, of
    > course, a good idea but hard for most to swallow. The main argument is that
    > if you're not doing work that requires Admin Priv then don't use the account.
    > Rather, use the 'Run As' function when Admin rights are necessary.


    I can't imagine anyone in IT objecting to this. It's absolutely standard
    MINIMUM practice in the Unix world to "su -" when root access is needed,
    rather than logging in as root. Many shops don't even allow that for most
    tasks, and use something like sudo.

    > The Argument is that in the event of a worm infiltration if an IT person
    > gets infected it will not spread under the admin account but just a 'normal'
    > user account.


    That's not even the strongest reason.

    > Is anyone else using this or similar practices? How did you sell it to the
    > IT rank and file? Any thoughts or consideration are appreciated.


    You sell it by saying, "this is how it's to be done." If anyone objects,
    then they have to defend their objection with rational reasons. If the
    policy is set in place, then anyone who fails to follow it is shown the
    door.

    In general you shouldn't make policies without at least consulting with
    the people they affect, but this is an extremely common and sensible one
    with few ramifications for anyone but the lazy.
    Colin B., Sep 15, 2004
    #5
  6. Leo

    dono Guest

    On Tue, 14 Sep 2004 21:38:27 -0400, "Leo" <> wrote:

    >My Co. has banned the use of privileged accounts (admin or Domain admin
    >group membership) for day to day use within the IT group. This is, of
    >course, a good idea but hard for most to swallow. The main argument is that
    >if you're not doing work that requires Admin Priv then don't use the account.
    >Rather, use the 'Run As' function when Admin rights are necessary.
    >
    >The Argument is that in the event of a worm infiltration if an IT person
    >gets infected it will not spread under the admin account but just a 'normal'
    >user account.
    >
    >Is anyone else using this or similar practices? How did you sell it to the
    >IT rank and file? Any thoughts or consideration are appreciated.
    >
    >Leo
    >

    ########################
    The way I heard it, it was to prevent important files or programs
    from being modified or deleted by mistake. I don't know that it would
    make a difference to a worm or a virus. Either way, according to
    some, I shouldn't be running my home PCs, FreeBSD and w2k, as root or
    administrator, but guess what, I do it anyway. Someone may have made
    a mistake for that policy to have suddenly been put into place.
    Everyone will get accustomed to it sooner or later.
    dono, Sep 16, 2004
    #6
  7. Leo

    Jim Watt Guest

    On Wed, 15 Sep 2004 23:06:16 GMT, dono <> wrote:

    >The way I heard it, it was to prevent important files or programs
    >from being modified or deleted by mistake. I don't know that it would
    >make a difference to a worm or a virus. Either way, according to
    >some, I shouldn't be running my home PCs, FreeBSD and w2k, as root or
    >administrator, but guess what, I do it anyway. Someone may have made
    >a mistake for that policy to have suddenly been put into place.
    >Everyone will get accustomed to it sooner or later.


    It's a very OLD security measure. Some of us were doing it
    that way on IBM System/34s. It's also a good idea.
    --
    Jim Watt
    http://www.gibnet.com
    Jim Watt, Sep 16, 2004
    #7
  8. Leo

    andy smart Guest


    Leo wrote:

    | My Co. has banned the use of privileged accounts (admin or Domain admin
    | group membership) for day to day use within the IT group. This is, of
    | course, a good idea but hard for most to swallow. The main argument is that
    | if you're not doing work that requires Admin Priv then don't use the account.
    | Rather, use the 'Run As' function when Admin rights are necessary.
    |
    | The Argument is that in the event of a worm infiltration if an IT person
    | gets infected it will not spread under the admin account but just a 'normal'
    | user account.
    |
    | Is anyone else using this or similar practices? How did you sell it to the
    | IT rank and file? Any thoughts or consideration are appreciated.
    |
    | Leo

    Actually, I can sympathise with this.

    If 'day to day' use is network management then pretty much everything
    you do requires admin rights. In a school pretty much all of our routine
    work involves messing around with other users' accounts and permissions :)
    andy smart, Sep 16, 2004
    #8