Question

Having a backdoor account (that is, a username/password that can log in to an administrative account on all machines) can be very useful for IT staff. However, some believe it's a security breach. What are the pros and cons?

Pros

- access even if user forgets password
- access whenever is convenient, for example if user of machine is away on vacation
- another reason I just discovered is because if the user is non-technical they may misunderstand which password you are requesting, for example if they are running virtual machines.

Cons

- may not be feasible when there is confidential information on the machine
- A manager once told us that the company didn't have a backdoor account so that if something went wrong the finger could definitively be pointed at the end user

The last point doesn't really make sense to me. Most people would quickly hand over their login information to an IT staff. Even if they choose to type in the password themselves, it's unlikely they will stand there the whole time and wait until the IT staff logs out. Furthermore, if an IT staff is malicious then it's unlikely not having a password of an end user's machine will stop him.
In a company, is it good to have a back door account?

Explanation / Answer

I am going to answer your question as a generalization of my real world experience.

Except for BYOD (Bring Your Own Device) workplaces, I would say that most workplaces supply their employees with the computers they are using, which means that, legally speaking, the computers and what's on them belong to the company. Most companies will also have some form of IT policy that informs the users that any information they do at work while paid is also property of the company, such as e-mails sent, etc.

All companies I have seen that are large enough to have IT have local admin accounts to access computers. This is because, in my experience, companies care more about convenience than they do security. Sure, there is the exception, but trust me, most executives and managers just want you to be able to fix their computer with as little input from them as possible. Most companies will also have their domain admins group as a member of all computers' local administrators group.

That being said, if a company is security savvy enough to not have a shared local administrator account on each computer, then they likely will have a pretty strict IT policy that tells you never to give your password to anyone, that includes IT. IT should never have to ask a user for their password. You can ask a user to log in for you, to do something for them on their local profile, but you should not need to ask them for their password. Users will try, though, and it is your job as IT to correct them.

That being said, I also believe that little of value should be stored on company workstations; local folders should have roaming profiles, or be mapped to a server, or have mapped folders, in which it is the company policy to store all your files on a server.

If this is followed properly, it makes for much better security if a device is lost and recovery when a drive fails. It also makes backups much easier.

I know I answered a lot more than just your question, but I figured it may be helpful.
