Who Has the Password?
Over the years since Arellia released Local Security Solution, we have heard a number of interesting stories about the administrator password. The genesis of this product came directly from customer feedback after an interesting audit experience. In summary, the IT security auditor used a password cracking tool to find the local administrator password on one computer. This could have been any unlocked computer in any cubicle and there are myriad of free password crackers you can download from the internet: Cain and Able, John the Ripper, RainbowCrack, OphCrack. Most of these tools use a brute force or dictionary method to determine the passwords for the accounts on the system. Depending on the number of local accounts and complexity of the password, these tools can provide a list of passwords in minutes to hours. If the auditor picked the right computer, this could be done without anyone noticing. Once the auditor had the password, they went into the office of Vice-President and demonstrated how they could log on to their computer using the same credentials and access all local information.
The scenario described above is fairly common in our experience due to some manageability needs. Most organizations create a local administrator account for the helpdesk team to address support calls. In an effort to simplify the management of such accounts, each desktop\laptop in the organization has the same account with the same password so helpdesk doesn’t have to struggle to assist end users. This user and password usually comes via the standard image. Often times this account and password combination has been around for years without changes. Find out one password and you can log into every desktop\laptop in your organization. It is hard to blame any IT team who takes such an approach as it is efficient and managing hundreds or thousands of individual passwords is a nightmare.
Other interesting stories around managing local administrator passwords include the IT administrator’s equivalent of a sticky note: the spreadsheet. We have spoken to many organizations where they managed numerous passwords, often times for different servers, using a spreadsheet. An administrator needs to do work on a server, goes to the network share with the password spreadsheet, opens it up to get the password and off they go fixing the server. Everyone knows that keeping your password on a sticky note affixed to your monitor is bad, but what about a big spreadsheet? Who has the password and when was it changed.
We continue to hear variations of these stories and too often they are accompanied with examples of abuse where an administrator accessed a computer they weren’t supposed to access or did something malicious before leaving the company. All of these stories are drivers for Arellia’s Local Security Solution which manages the provisioning and passwords for local accounts. Passwords are rotated and complex as set per policy and unique to each machine so cracking one password doesn’t unlock the entire organization.
So who has the password in your organization?
Arellia has been providing security configuration solutions on the Symantec Management Platform since 2006. Products are available from Symantec and partners. For more details on Arellia products, attend an upcoming webcast.