Send
your Windows question to Mitch today! | See
other Windows tips


You've got a room full of business-critical servers. The room has a cardkey
lock that requires pin entry as well. The servers are rack-mounted and are locked
in their respective rackmount enclosures. You usually manage these servers remotely
from a secure workstation in your office, but as a failsafe option you can also
log onto them locally inside the server room if you need to.

For purposes of managing your servers remotely, you need to use administrator-level
accounts. Because the servers are domain-joined, you can use a single Domain
Admins account to manage them, and you assign this password a strong (long and
complex) password to safeguard the account. But each server also has its own
built-in local Administrator account, and you want to make sure that account
is secure too. However, the only time you would use these built-in accounts
would be in a last-ditch situation where you had to go into the server room
and log on interactively to the servers, for example for disaster recovery purposes.


Of the following three choices, which would be the best approach for securing
these built-in Administrator accounts? And which would be the worst approach?

(A) Give each server's Administrator account its own strong password that is
unique to that server.

(B) Give each server's Administrator account the same strong password.

(C) Leave each server's Administrator account blank

The best choice given the above scenario would be C, while the worst would
be B. Why? The best choice is C because from Windows XP onwards, if the password
for an account is blank then you can't use that account to log on over the network.
In other words, by leaving the password blank for each server's local Administrator
account, you are automatically making it impossible to use these accounts to
manage the servers remotely over the network. The only way you can log on with
these accounts is if you have a cardkey, know the pin, and have the key to the
appropriate rack.

This advice may seem counterintuitive -- after all, how can an account with
no password possibly be secure? Well it is in Windows, but only if it's used
over the network. If someone did get physical access to your servers, they could
of course easily log on as Administrator and wreak havoc on your business. Does
that make you nervous? It shouldn't -- you would be better off worrying about
the different ways someone might get hold of a cardkey, obtain the pin, and
get their hands on the keys to your racks.

As for the worst approach, my vote is for B for two reasons. First, by giving
these built-in Administrator accounts a password, it means you could use them
to log on to your servers over the network, which means you've got an accident
waiting to happen. And second, by giving all these accounts the same password,
it means if you do log onto one of your servers remotely and your administrative
workstation is compromised, then all of your servers have been compromised.

My thanks to Jesper
M. Johansson for enlightening me to this way of thinking concerning securing
Administrator accounts. I've mentioned before that Protect
Your Windows Network is the best book on Windows security out there, and
Windows
Vista Security: Securing Vista Against Malicious Attacks is another great
book Jesper was involved in writing. Well, just wait until you get your hands
on the Windows Server 2008 Security Resource Kit from Microsoft Press, which
you can pre-order from Amazon today. Jesper is lead author for this upcoming
title, and I'm involved as the technical reviewer, and I can tell you right
now that this will be one book you'll definitely want to have on your bookshelf!

ITworld

• Email
• Print
• Share
  • Slashdot
  • Digg
  • Stumble
  • Reddit
  • Newsvine