Single signon, but not what you wanted.

I previously discussed user-level security. This morning, I ran across this story about system administrators, and how they manage security.

It seems that system administrators are pretty careless with root-level security, and that the key to getting root may be finding the right Post-It notes. I keep the root passwords for all my systems (and a few passphrases for rarely-used encrypted volumes) on paper, but the paper is in my home safe. In fairness, I should add that they are in the safe not for security reasons, but to protect against fire.

I believe that the Institute uses a single password for all the Windows systems admin accounts. (Because I’ve seen sysadmin’s go looking for the password, which at least does get changed occasionally.) I’ll let you google methods for recovering passwords from a laptop you’ve managed to capture, and point out what this means: Once you have admin access to one Institute Windows system, you have them all. I don’t know for sure that the Macs use the same scheme, but I bet they do. I’ll be they have (one) different password, though.

Carl and I touched on this in a discussion yesterday: We rather doubt that the Institute has a current, accurate list of the computing assets we own, and that we permit to have access to our domain. In addition to being a problem from the standpoint of property management and effective use of resources, this is also a security problem.

Addressing this requires devoting time and attention, and people to work on it, all of which are in somewhat short supply right now. Hopefully it won’t take an actual catastrophe to up the priority.


Explore posts in the same categories: Process Change, Security, Software, STScI

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: