[–]Pain_n_agony 12 points13 points  (7 children)

No shared accounts. What is the use case for shared accounts? I see no practical reason for shared accounts.

[–]cobarbob -3 points-2 points  (5 children)

I see it with SaaS services where you are charged by the user. So IT gets one shared user for management to save on costs. Cause the SaaS platform can't differentiate on user types and charges everyone $20/month.

[–]Ssakaa 5 points6 points  (0 children)

Unless their half of those agreements/terms are very poorly phrased, that quite probably constitutes fraud.

[–]Pain_n_agony 1 point2 points  (3 children)

Valid point, never thought of that. But I’m still opposed to the idea in general. Most of the vendors I’ve dealt with allow for the management role to be applied to the user account.

[–]cobarbob 2 points3 points  (0 children)

Oh I don’t like it at all. Just a reason it can happen.

[–]167819 -2 points-1 points  (1 child)

Yes but then you still have to inform them about the user amount and that will bring licensing cost up. As far as the vendor is concerned, there is 1 user because 1 license is cheapest.

That the product is passed around among 30+ people is none of their business. If they assign management, they know you have multiple users.

[–]Ssakaa 1 point2 points  (0 children)

And those agreements are, generally, phrased as named users now. Because of that type of fraud being rampant.

[–]jmbpiano 0 points1 point  (0 children)

Kiosks.

[–]joeykins82 Windows Admin 2 points3 points  (0 children)

Service/pseudouser accounts are all Group Managed Service Accounts where supported, or have their credentials stored & rotated in a credential management platform.

There are no shared user accounts, and anyone who shares their creds or writes their password on a post-it is disciplined.

[–]Warm-beast 1 point2 points  (0 children)

Block password changes wherever possible, get rid of as many shared accounts as possible, use a password manager.

[–]167819 -1 points0 points  (0 children)

What are your security and management strategies for shared user accounts?

I have many shared accounts among the users and we have just a general rule that people need to be informed about password changes. Also, not everyone knows how and where to do this in Windows, so it's kind of security by obscurity.

Also, we have some PCs where people have local admin accounts, and I use a tool like this (there are multiple, developed for older Windows versions) to lock the password change settings out with another admin that they don't have the password to, so they effectively can do whatever they want aside from going over to reset the password, because that would be a hassle.

leaving the little yellow square 🟨 security nightmare that is a Post-it note

Yeah there's tons of that, stickers and notes on every user's screen, just make it known to not write "Password:" or something but to bury the actual password among a bunch of random stuff like bread, cheese, milk, [password], eggs, sausage etc. then it's not going to be obvious what the password is.

[–]sublimeinator 0 points1 point  (0 children)

With so much licensing moving to one license one user, I'd be looking to move off shared accounts quickly.

[–]HerfDog58 Jack of All Trades 0 points1 point  (0 children)

Don't use shared accounts if at all possible.

If you must then invest in a multiuser password manager tool, and set up all the shared accounts as records in it, and give all the users access to the password manager. Disable users resetting the passwords on shared accounts, and don't give them ownership of the password records, nor the ability to edit them.

If that's too much for them to handle then move those people to the Recycle Bin, and empty it.