Should I provide my password for the client domain, considering the following?

Hi All,

I hope you can all help. Those with a foundation in security would be especially welcome; however, opinions always offer some weight, even if from a non-IT background.

I have a question regarding IT Security and Non Repudiation.

I have been in a work environment recently where I have performed the following as a whole.

1. When I first started, everyone in the company was using one general admin account with "all power" permissions to administer the network.
I implemented a policy to make sure individual admin accounts were created for each IT person, for accounting purposes.
All 3 personalized admin accounts set up have equal and full administrator permissions on the domain network.

2. When I started, all passwords, including admin accounts etc., were stored in an Excel spreadsheet.
I moved this to an encrypted LastPass database; that was moved to a central platform later on for on-the-road IT staff.
Everyone was given access to the central system; however, due to myself being occupied with a specific client, I left management to another internal IT staff member.

3. The client which I did the above for has kept passwords of all its staff in an Excel sheet, which I have advised against; however, my reasoning has been ignored for control and I guess what might be a lack of trust of our IT company.


I have recently complained to my Directors (no managers, small company) about illegal activities that were taking place, such as providing unauthorised access to data that was not approved by the client: financial records which are very sensitive in nature.
Some time later I was off on sick leave and I was advised that the Windows Deployment Server was disconnected from the domain and they needed my user domain account password?

The part that puzzles me is that they each have their own Domain Admin account under their own name; and likewise the local administrator password should be in LastPass.
I do know they could reset the local administrator password, and I sent them a guide. However, should I provide my domain account password? From my understanding this would breach non-repudiation in security and reduce the accounting or the authenticity of my account.

Many Thanks,
Shawn McKendrick
arnold commented:
Correct, you should not, as there is absolutely no need unless you are separating from the firm. The other point is that they can just as easily reset your password, which will be recorded if you have auditing enabled ...

Agree, having/maintaining all users' passwords in any way that is visible eliminates accountability, as each can claim it was not them.

If the client has sensitive, financial, other information subject to regulation, having multiple admins with full rights does not restrict as needed
Allocating specific rights.. while .....
noci (Software Engineer) commented:
There is a reason for having separate accounts.
It is called accountability, meaning one has to stand up for things done through that account.
The account should have all rights for the work that needs to be done, or the work needs to be adjusted to the rights that are available.

To allow for separate accounts the users need to identify themselves to the account, either through passwords, or through RFID keys, a security calculator, or other ways to provide something known and possibly something in possession.

And lists of passwords lying around, or using "public" accounts etc., should be forbidden.
The alternative is to abolish any security altogether, lift the "fake" security, and convert the whole setup to a free-for-all.
btan (Exec Consultant) commented:
A user is to have user rights. An admin is to have administrative rights. So you shouldn't share your password and in fact no one should share their password with others. The account is to uniquely identify, as once authenticated, the individual will then carry this identity and attain the set of authorisation rights designated to access the resource accordingly. It is based on role and adopting a least-privilege approach using a developed access matrix, on a "need to" basis. And you should not be the only admin around with the operational permission to deal with the operation of the system.

I understand there may be ad hoc requests at times for admin rights for a short period, and that needs to have a workflow built into it such that the request is put up, it is reviewed and supported by a supervisor, and approval will be from the IT admin team.  An audit trail is established for proper accountability for every activity taken.
serialband commented:
They should have had a separate administrator account to use.  If they don't know how to get access with their own admin account, they have no business getting your account password.  Never provide your own administrator password to anyone else.  They have the power to change it if they want access to your account, that way, there is a record of a change by the other admin.
mbkitmgr commented:
I have a similar predicament with a LAW firm, and they are the only client who does this.

Sharing a login - prevents accountability.  If more than one user can log on with the same account, you cannot easily determine who is committing an act that may be against company policy or illegal.  If you go to terminate that employee, they can dispute that it was them very easily.

Domain Admin Login - ensures that any malware initiated by a user with domain admin access also has full access to every PC, server and storage device on the network, and can allow it to infect any of these without hindrance.  If the users only have "user level permissions" the damage is mostly confined to the workstation they are on.

If security on shares and folders is set correctly, staff do not need other users' credentials. As an example, the Finance team have edit access to the Finance folder, so any member of that team can access content created by fellow team members. If other users need access to Finance, they email the Finance manager, who in turn lets me know to add the user.  This negates the need for sharing the login.

It also does not address employee privacy under the laws in our country (Australia).  Employee data gathered by Payroll or HR is subject to privacy restrictions, and any employee caught accessing the data of another is subject to prosecution, but so is the company in your situation.
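The group-based folder access mbkitmgr describes, written out as an added PowerShell example (not code from the thread or from any of the participants). It assumes the RSAT ActiveDirectory module on the admin workstation; the group name, UNC path, OU and user are placeholders. The point is that onboarding a new Finance user becomes a recorded group change rather than a shared password.

```powershell
# Added example, not from the thread: grant a whole team Modify access to
# their folder through a security group, so new members are added to the
# group instead of being handed someone else's login. Requires the RSAT
# ActiveDirectory module; group, path, OU and user names are placeholders.
Import-Module ActiveDirectory

$group  = 'Finance-Edit'                  # placeholder group name
$folder = '\\FS01\Shares\Finance'         # placeholder UNC path
$ou     = 'OU=Groups,DC=example,DC=local' # placeholder OU

# 1. One security group per folder role. Domain-local scope is the usual
#    choice for a group that carries permissions on a resource.
if (-not (Get-ADGroup -Filter "Name -eq '$group'")) {
    New-ADGroup -Name $group -GroupScope DomainLocal -GroupCategory Security -Path $ou
}

# 2. Put the ACE on the folder once; it applies to every current and future
#    member. (OI)(CI) inherits to files and subfolders, M = Modify.
icacls $folder /grant "$env:USERDOMAIN\${group}:(OI)(CI)M"

# 3. Adding a Finance user is a group membership change, logged on the DC as
#    event 4732 ("A member was added to a security-enabled local group"),
#    with the acting admin's own account as the subject.
Add-ADGroupMember -Identity $group -Members 'new.user'   # placeholder user

# 4. Review who currently has the access by listing the group, instead of
#    trying to work out who knows a password.
Get-ADGroupMember -Identity $group -Recursive | Select-Object SamAccountName
```

Because the permission lives on the group rather than on individual users, removing access on departure is a single Remove-ADGroupMember call that is audited the same way (event 4733), and no password ever needs to be re-shared.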
Alan (Consultant) commented:
Some things I do generally, and would do in your situation:

1) I have a separate password for each account, regardless of whether it is on a single domain, website, or across them globally.  I use a password manager so this is viable.

2) I would never give anyone a password I have setup unless they had authority to request it, and the request was in writing (gives an audit trail).  I would try to avoid this though - see (3) below.

3) In the situation you describe, as others have said, if anyone said they needed my domain password, I would have them log in as a domain admin, change my password, then use that new one.

4) I have 'qualifiers' for clients, and one is that they have separate users setup, with LUA principles, and nobody is sharing / disclosing their password with others.  I would accept a client that is not doing this, but they would have to agree to move away from it to a 'better practice' within a reasonable timeframe, and if they reneged on such an agreement, I would, after discussing with them, ditch them as a client if they won't comply.  Let someone else have them.


Could go on forever probably, but I hope the above at least assists.

Alan.
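What arnold and Alan (point 3) describe, having the other admin reset the password under their own Domain Admin account and relying on the audit trail, as an added PowerShell example; it is not code from the thread or from any participant. It assumes the RSAT ActiveDirectory module, that "Audit User Account Management" is enabled on the domain controllers, and the placeholder names DC01 and shawn.m.

```powershell
# Added example (not from the thread): an admin uses their OWN domain admin
# account to reset another account's password instead of asking for it, then
# confirms the reset left an audit record. Requires the RSAT ActiveDirectory
# module and "Audit User Account Management" enabled on the domain controllers.
# Names below (DC01, shawn.m) are placeholders.
Import-Module ActiveDirectory

$target = 'shawn.m'          # placeholder: account whose password is needed
$dc     = 'DC01'             # placeholder: domain controller to query

# 1. Reset the password under the acting admin's own credentials (never a
#    shared account). Read-Host keeps the new password off the command line
#    and out of shell history.
$newPwd = Read-Host -Prompt 'New temporary password' -AsSecureString
Set-ADAccountPassword -Identity $target -Reset -NewPassword $newPwd -Server $dc

# 2. Force a change at next logon so the owner regains sole knowledge of the
#    password when they return; the admin's temporary knowledge ends there.
Set-ADUser -Identity $target -ChangePasswordAtLogon $true -Server $dc

# 3. Verify the action was recorded. Event 4724 = "An attempt was made to
#    reset an account's password": SubjectUserName is who did it,
#    TargetUserName is whose account it was.
$since = (Get-Date).AddMinutes(-10)
Get-WinEvent -ComputerName $dc -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4724
    StartTime = $since
} | ForEach-Object {
    $x = [xml]$_.ToXml()
    $d = @{}
    $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
    [pscustomobject]@{
        Time    = $_.TimeCreated
        ResetBy = "$($d.SubjectDomainName)\$($d.SubjectUserName)"
        Account = "$($d.TargetDomainName)\$($d.TargetUserName)"
    }
} | Where-Object Account -like "*\$target"
```

The record produced in step 3 is the non-repudiation property the question asks about: the Security log on the DC ties the reset to the admin who performed it, whereas a password handed over in a chat or e-mail leaves nothing that distinguishes the owner's actions from anyone else's.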