Administrator passwords are some of the most critical bits of knowledge you have on and about your network. The security of practically all other information is dependent on their secrecy. Yet all it takes is one uninformed or sloppy request for a Windows admin password, and your entire IT environment can be at risk.
It's a scenario familiar to many enterprise admins. Everything is chugging along fine until that dreaded moment when your boss says the business is undergoing some changes and he needs you to hand over all of your enterprise passwords. It could be the result of a merger or an acquisition, but that doesn't matter.
What's clear is that too many IT professionals have to wade through these requests alone. As with other IT-related initiatives -- especially around security -- it's suddenly you versus management. And you know who's going to win.
Recently, a colleague of mine (I'll call him Walt) experienced this very situation. One morning, Walt's boss, the chief financial officer, sent Walt an email stating that an executive at a partner company wanted all Windows admin passwords for his organization's Windows domain, local accounts and every other system and application under Walt's control.
Walt subsequently found out (off the record) that his company was being acquired. Needless to say, Walt was uncomfortable handing out passwords to whomever, given management's lack of understanding about the potential consequences of such actions. This was yet another case of business expediency trumping common-sense security.
More on Windows admin password security
Password recovery is useful because Office 2013 is crackable
Storage apps and devices can help with portable password management
How to use DocRecrypt to strip a password from an Office document
A checklist for enterprise password protection
Book excerpt: Hacking for Dummies on password vulnerabilities
Alliance works on authentication alternatives to forgotten passwords
After a sleepless night, Walt asked me for my opinion on his enterprise password dilemma. Foremost, I told Walt to be careful. There are a lot of moving parts in these business transactions, and the last thing he needed to do was put his job in jeopardy.
I told Walt that he needed to confirm whether this company's legal team had the foresight to, at a minimum, have the acquiring company sign a nondisclosure agreement. These documents aren't going to prevent a security breach, but they do provide a means for legal recourse if someone with ill intent steps out of bounds.
I also recommended that Walt find out how this third party was going to handle these Windows admin passwords. Careless people making hurried decisions tend to forget about how risky it is to store sensitive information on unencrypted mobile computers or unprotected file-sharing applications.
Walt wasn't going to get the data or truly ever know for sure, but it's good to show others that he was thinking about these things.
I told Walt that his biggest issue is that once he gives up enterprise passwords, all accountability is out the window. If suspect behavior or, worse, a breach occurs during this "minimal accountability window," it's going to be hard to determine who did what, when and how, especially if baseline security controls are not in place. Then who's responsible?
Password control can slip from your grasp, so you should think about how to protect yourself and your enterprise desktops and network. One of the best ways to minimize the effects of handing over all Windows admin passwords is to ensure that you have reasonable visibility and control over your Windows environment, including proactive audit logging.
Prevention is best. But you're not going to be able to think of all possible threat scenarios and vulnerabilities along the way, so a keen response plan is critical.
In the end, business has to take place. A desktop or Windows admin doesn't want to get in the way of mergers and acquisitions. That said, it is your responsibility to inform management about what can happen, along with the steps you're going to take to ensure the business and all parties involved are protected. Odds are great that no one else cares about enterprise password protection as much as you do.
This was first published in September 2013