Password management policy when an admin left the company ?

Discussion in 'Server Security' started by Eric, Jun 8, 2009.

  1. Eric

    Eric Guest

    Hello,

    we have approx 10 administrators in our company.
    We have several domains, several admin and services accounts stored in
    a protected file.

    Our problem is "What happens if one of the administrators left the
    company ?"

    As he had access to the protected file containing every passwords, he
    could be able to use it after he left the company.

    What is your password management policy in this kind of situation ?

    Thank you
     
    Eric, Jun 8, 2009
    #1
    1. Advertisements

  2. Eric

    Al Dunbar Guest

    What do you mean by "a protected file"? Is this a file on a server to which
    all 10 admins have access?
    An interactive, personal admin account password should exist in only two
    places - in the actual account itself, and in the memory of the admin
    account user. Nobody else has a reason to know the password. The account
    should be disabled and/or the password reset when the user leaves.

    The only time anyone needs the password of a service account is when the
    service is being configured. It needs to be
     
    Al Dunbar, Jun 9, 2009
    #2
    1. Advertisements

  3. Eric

    Al Dunbar Guest

    [continued...]

    stored for future use in a way that discourages unauthorized use. One way is
    in a sealed envelope in a vault under the control of someone other than the
    admins.

    Of course, you cannot make people actually forget passwords they have known,
    so it might not be a bad idea to change all of the service account passwords
    when an admin leaves. Of course, it is almost as likely for an admin who is
    not leaving to go rogue on you, so this could be overkill.

    /Al
     
    Al Dunbar, Jun 9, 2009
    #3
  4. Eric

    Eric Guest

    Thank you for your answers.

    So ok we agree that I need to change the password when one of them
    admins left the company (as the file is protected in a network storage
    location yes).

    now my question is "How can I easily change every passwords documented
    when one admin left ?"
    There is a big turnover so an automatic process should be better.

    I have heard about a solution from Cyber Ark but it's quite expensive.

    Thanks for your help.

    P.S: I precise I dont have 2008 R2 servers and the ability to modify
    easily services password accounts.
     
    Eric, Jun 9, 2009
    #4
  5. Hello Eric,

    Without 2008 R2 in the future i don't know a tool. If you have them well
    documented it wan't be a big problem, do it one by one after working hours.
    If not i think you have to check any server which service account is used.

    Best regards

    Meinolf Weber


     
    Meinolf Weber [MVP-DS], Jun 9, 2009
    #5
    1. Advertisements

Ask a Question

Want to reply to this thread or ask your own question?

You'll need to choose a username for the site, which only take a couple of moments (here). After that, you can post your question and our members will help you out.