Security Basics mailing list archives
Re: Password Change Management
From: "Gaddis, Jeremy L." <jeremy () linuxwiz net>
Date: Wed, 01 Mar 2006 19:14:52 -0500
Matt Alexander wrote:
For example, let's say you have a group of admins with root/admin passwords to everything. Someone either leaves the company or leaves their cellphone (with all their passwords) in a taxi. What procedures do you follow to change the passwords as quickly as possible?
Responsible $user immediately changes passwords that were lost. If unable to for any reason (no access to the network, etc.) $user is to immediately contact another administrator who can change the passwords immediately.
How do you securely distribute new passwords to your admins?Do you keep a central password repository? If so, how do you ensure that the repository is completely secure?
Administrative passwords are stored in a data file used by "Password Safe" (http://www.schneier.com/passsafe.html) or similar. Data file itself is encrypted with a password and stored on an EFS encrypted volume. EFS certificates and NTFS permissions are used to protect the data file. The password used to encrypt the data file is only verbally communicated between users and policy is that it is *NEVER* to be written down or stored anywhere other than the mind. Administrators sign written document agreeing to policy, which provides for immediate termination upon determination of a violation.
HTH, -j -- Jeremy L. Gaddis GCWN, MCP, Linux+, Network+ http://www.jeremygaddis.com/ --------------------------------------------------------------------------- EARN A MASTER OF SCIENCE IN INFORMATION ASSURANCE - ONLINEThe Norwich University program offers unparalleled Infosec management education and the case study affords you unmatched consulting experience. Tailor your education to your own professional goals with degree customizations including Emergency Management, Business Continuity Planning, Computer Emergency Response Teams, and Digital Investigations.
http://www.msia.norwich.edu/secfocus ---------------------------------------------------------------------------
Current thread:
- Password Change Management Matt Alexander (Mar 01)
- Re: Password Change Management Gaddis, Jeremy L. (Mar 02)
- Re: Password Change Management Jakub Zvěřina (Mar 02)
- Re: Password Change Management Michel Pereira (Mar 03)