    Hi all,

    As part of security audit requirements I need to restrict access to local administrator accounts & passwords on a number of Windows 2000 servers but make them available in the event of issues or disaster recovery.

    A sensible way of doing this seemed to be to use USB keys placed in a safe, with access to the safe restricted and who uses the keys documented. Under normal circumstances people would use the server admin account they have on Active Directory for all day-to-day sysadmin work and only get the keys in emergencies where the server was off the network etc.

    There's a lot of software out there that will let you use USB keys for automating desktop logons, but nothing that seems to be aimed specifically at this type of thing. I won't be allowed to extend the Active Directory schema or add something that requires additional servers on the backend to work, and there is no intention to deploy a token-based logon system to desktops.

    Has anyone come across something that would fit the bill, or seen a better way of doing this type of thing that doesn't rely on writing down passwords, or on spreadsheets or databases to store all the account details?

    Thanks for your help.

  • #2
    Re: USB keys for restricting local Admin account on servers

    There is no real 100% safe way of doing this. USB keys can be copied or go faulty, so you would need 2 copies of the key just in case.

    The way we do it is to have it all written down, 2 copies, with one held in a signed envelope in the company safe and another held off site in a safe deposit box. This at least ensures that we have a copy in the event of a fire at the office.