Thread: Password Security and Network Administration

  1. #1
    Junior Member
    Join Date
    Feb 2002
    Posts
    25

    Password Security and Network Administration

    Anyone out there have situations where they need to be able to login as a particular user on their network for troubleshooting purposes? Make the situation even more sticky when that person is not in the office. That person's station is locked out with password protected screensaver (WinXP or Win2K.) That machine is running a three day select or load on a database of ten million+ records.

    As network admin I can go ahead and login to the machine as domain admin user - no problem - except that this three day select or load will be halted. The results of this process are my company's bread and butter so it cannot be halted. Not to mention the possibility of corrupting data by stopping the process midstream.

    I understand the fundamentals of password security. From all I read, each user is to have a private password "X" number of characters alpha, numeric, capitals and symbols, non dictionary blah blah blah. The user is also to have complete control over their password and it is not to be shared with anyone. The list goes on and all of it I understand.

    How would you address this situation in a network with 100 unique logins, any of which I may need access to at any time as the user who normally sits at that station? Do you recommend a separate database of users' passwords encrypted and accessible only to domain admins? Does one just throw their hands up and say that nothing can be done until that person returns?

    Any recommendations of experience that you can share would be greatly appreciated.

    Haknwak
    If you lived here you'd be home by now.

  2. #2
    Create a regular user for maintenance. Make it a default part of setting up the machine.
    A squirrel with no nuts will soon starve.

  3. #3
    Junior Member
    Join Date
    Feb 2002
    Posts
    25
    Geric - that already exists - domain admin (me) can login to any machine in the domain as himself. Problem is that all processes running under the old login are stopped - that three day long database load - that's what cannot happen.

    Also - there are oftentimes security related problems with a particular user - problems best troubleshot by logging in as that user and trying things. Maybe rights to shares, other servers or domains.
    If you lived here you'd be home by now.

  4. #4
    Junior Member
    Join Date
    Aug 2002
    Posts
    1
    Just a suggestion: you could try to run the processes under a local system account rather than a Domain\User account. If that doesn't work for you, try to run under a Domain\group account where you and the user are part of the same group.
    Is the database that you are working with a M$ SQL database?

  5. #5
    Junior Member
    Join Date
    Feb 2002
    Posts
    25
    yes it is - but in microsnot's wonder of "security" when an XP or win2k machine is locked the ONLY way to unlock it AND ensure that all running programs continue is to unlock the station as the same user that originally ran the program.

    Effin Blows!!

    Gotta be some security precedence for this somewhere. Wonder how NASA or DOD handles situations like this?
    If you lived here you'd be home by now.

  6. #6
    Post this question to the news group microsoft.public.sqlserver.server

  7. #7
    Unfortunately, I don't think there is a legal way of doing it without having the user's consent! Even if you are an Administrator of the domain.

    Have you tried to change the password on the domain to see if this could help? I'd be surprised though, since I think that the token having the password and all has to be remade on the next user login or establish a password change by the user itself.

    I don't know, but is there a law that could permit you to get your user to sign a kind of legal consent that when this kind of situation happens, they'd let you use a software like @stake LC4 to get their current password and then unlock their station and finally make sure to inform the user of the changes made to their account? If so, here's your solution...

    Good luck!

  8. #8
    IT CAN'T BE DONE!!!!
    If you log in as anyone other than the idiot who decided to run the program, Windows will kill the program and I wouldn't want to bet that it will be elegant.
    You have to go to the server and kill the process at the server.
    We used to run SQL server (now using PostgreSQL). The nice thing about SQL is that if it is done correctly the data stays intact; of course with Micro$oft that could be an issue.

  9. #9
    Member
    Join Date
    Jul 2001
    Posts
    62
    You could also talk to your boss about implementing assigned passwords to users which they cannot change. That would give you access to each account (since you know the passwords) and it would also ensure that they are using a "secure" password. That would be my suggestion.

    Not sure if this would work on a windows system (since I work in a unix/linux based environment) but couldn't you also change their password on the server then use that password to login to the machine and have them change it to whatever when they return?

    Hope this helps a bit.
    dAggressor

    It's a long life, until you die

  10. #10
    Senior Member
    Join Date
    Jun 2002
    Posts
    165
    why not run the long process as a daemon...err. system service for windows. thus avoiding the logged-on process dependency.

    it seems that i got a gray with no description for my last suggestion...i have no idea how to interpret that feedback.

    - so i'll provide another option.

    if we're talking about ms-sql then the query could be built into a dts package and scheduled - so that client interaction (workstation in question) is not even needed. the same can be done with pl/sql and cron (there might even be an oracle internal mechanism...i'll never claim to be an oracle guru).

    and while we're at it...

    you could deploy your own gina implementation such that multiple terminals are supported locally. this is more of a development solution rather than an administrative one - but hey whatever works.
    -droby10
