Today I got a question that reminded me that I have not written a whole lot about how to manage the accounts used by system administrators. The question was whether I could think of any reasons why you would share an administrative account between several people, other than for the sheer convenience of it.
My answer is that I cannot think of such a reason. There is one edge case, used in ultra sensitive environments, where you share an account between multiple people, but each of them knows only a portion of the password. This is not done for convenience though, it is done so that no single one of them can make changes without the others knowing. The system could only be compromised through collusion between them.
Other than that, I cannot think of a single good reason for sharing administrative accounts. In general, there are two extremes when it comes to this. On the one side is a single account, used by everyone, for every purpose on every system. On the other extreme is an account per purpose, per person. Somewhere in between is the happy medium.
We have tried getting closer to the multi-account extreme here at Microsoft, but it is causing some pain for administrators. We also use Smart Cards for high level administrative accounts. I have heard of people who have as many as 28 of these Smart Cards to keep track of. This obviously inreases security on one side, but at the same time, you have to imagine that the administrators will eventually start looking for ways to circumvent the policy for their own convenience, thereby decreasing security. One might argue that they should be able to deal with this level of complexity and that this is why we pay them so much, but as most people do not think they are paid enough, they will try to make life easier on themselves.
Where exactly the happy medium is probably differs by environment, with risk management philosophy, and with the quality of the administrators. However, unless you start with some form of analysis of the security requirements of the systems, and classify the systems into different categories of requirements, there is very little chance to get a reasonable division of the accounts. Again, risk management and thinking about the security requirements underlies all the other things we do.
We have a situation here with a group of people accessing a single account - it's nominally a service account, but it uses Outlook to send messages about its state to various mailboxes. When the Outlook component goes wrong, someone actually has to log on to the account to find out what the message was.
The answer, of course, is to rewrite the Outlook component so that it doesn't use Outlook.
In full disclosure -- the Administrator account, password, the Blog admin credentials of the web site www.msmvps.com are known by six people.. one in California (me), one in Florida, one in Australia, one in Iowa, one in Ireland and one in Redmond.
The trust and truck and asset factor.
The five other people besides myself that know these credentials ... they are like my big brothers (even though most are younger than me.. but I'm blonder than them). I would trust them with my life. I'm dead serious about that. Professionally and personally they are above reproach in my book.
As geographically diverse as we are... the likelihood of all of us getting hit by a truck and therefore no one able to step in and take over is extremely low. Thus there is a disaster recovery angle to this. Any one of us could be hit by a truck, a natural disaster, a power outtage.. and we provide 24/7 coverage support for the blog administration.
Now obviously... the thing that we are holding the shared accountability for isn't that much of value. A SQL database full of rants, tech notes and blog spam isn't all that valuable.
Thus when you have a situation of Trust, Truck and Assets, I would argue that sharing of credentials can be a reasonble risk to take.
..but how many businesses build their livelihoods on the major asset being a collection of rants, tech notes and blog spam? Last I checked... not many. Thus when you have 'an asset' you need to be accountable for..... that's when you need folks to be 'ac-counted' for.
Much as this may shock you Susan, but if any of the six of you were hit by a truck, the first thing I would miss is certainly not the blogs.
I have come across certain dodgy server applications that, due in part to their age and the way they were written cannot be installed as a service. They have to run within an interactive session and they require (at times) monitoring. Obviously, these applications also require administrative privilige.
Therefore, the account used to run these applications must remain logged in. In small companies, this quite often results in the administrative account used being known by a number of people. In small companies, this might not matter that much - Susan's "trust, truck and asset factor" - but in larger organisations that have the resource and money to ensure that these sort of situations do not occur, there is no justifiable reason why and administrative account should be shared amongst multiple people.
Of course, one still has service accounts with administrative privilige and, in most cases, the credentials to such accounts are documented - it's an operational requirement.
Should a rogue admin wish to hide his tracks, he only has to subvert one of those accounts to effectively anonomise his actions. One can always audit access to such documentation, but it's another layer of complexity to put in place. Of course, most MS applications don't require service accounts with admin rights any more but there are exceptions...
Essentially, we're up against the same security triangle. Security, cost, ease of use ... pick two.
There seems to be a disconnect between different sections of Microsoft on the best use of an Administrative account. That is not really surprising considering how large the organization is and that each section will be looking out for its own products and technologies first.
This comes up because the security gurus are telling network and system admins to delete the Administrator account or set the password for it to be different for every machine; but on the other hand, to get WMI scripts to run on remote machines, the person running the script has to be logged on with an account that has admin rights across the organization and the passwords can not be different.
So, as has already been pointed out, you have to choose between ease of use, so you can run a script once to collect all the information you need, and security where that script must be run locally every time you want the data. If Microsoft really wants to promote more secure computing, something has to change.
Dan, I've seen many of those apps as well. I can't tell you much more than that they are fundamentally broken and should not be used. I have had them as well, and had to use them. I also made sure that the vendor go no more money until they implemented the app as a service as they should have done in the first place. That is really the proper way to do it, and until the customers that pay them start enforcing that, the vendor's will keep writing apps that are really designed to run on Windows 95.
Jonathan, there is probably disconnects. It is hard to chase down all these, but I try when I find them. For instance, I was able to get the password assessment page for consumers improved.
That said, using an account to run remote WMI scripts on several systems is not necessarily a problem, as long as you use a domain account. That is really what they are designed to be used for. The problem comes up when you expose systems with one set of very sensitive security requirements to systems that are not as sensitive, by using the same accounts on all of them.
Setting passwords on all those Administrator accounts is a hassle. That is why I wrote the passgen tool for the book.