Free Republic

To: nickcarraway

In a well-run organization, this sort of thing is not allowed.

If a sysadmin needs to make a change that requires root access, he needs a valid approved change number, where the exact change to be made is documented. He enters that number into a password control system, and draws the root password. That password is only good for the time period specified in the change control.


7 posted on 06/10/2013 12:20:22 PM PDT by proxy_user


To: proxy_user

What happens when your change control system is down because of a systems crash? There always has to be a known root password or otherwise bad things happen. At the very least, it should be written down and stored off-site.


21 posted on 06/10/2013 12:52:20 PM PDT by ClayinVA ("Those who don't remember history are doomed to repeat it")

To: proxy_user
In a well-run organization, this sort of thing is not allowed.

If a sysadmin needs to make a change that requires root access, he needs a valid approved change number, where the exact change to be made is documented. He enters that number into a password control system, and draws the root password. That password is only good for the time period specified in the change control.

Not all companies have that level of access control; however, we have systems that log every change to Active Directory, and we have to document every single change. Those changes are then audited by our Sarbanes-Oxley 3rd party audit firm. Any change MUST be justified by management.

Mark

28 posted on 06/10/2013 2:29:58 PM PDT by MarkL (Do I really look like a guy with a plan?)
