I’m trying to figure out some best practices when it comes to accounts that we as a IT support provider should have on our customer servers when doing work. I’m really against sharing generic accounts to do work, but it becomes really difficult to have each technical person with their named account across several different customers. Each customer has their own active directory on premise, so basically we need to create the same account several times on each customer and manually manage the passwords.
What are the best practices used for a scenario like this? What are the options in your opinion?
We often create accounts for us and use a high entropy password password for each client. But, if they are fall under some type of compliance then you should create an account for each of your techs that log in so there is a log of anything that was done by each person.
We also create a named support account that we use for customer support with a random long password.
How do you guys handle the default admin account? Disable? Give to the client?
Creating a shared account with a complex password is where I’m starting at, but that doesn’t really provide much security in my view.
We use remote desktop manager from devolutions to manage connections and credentials, which works pretty well, but still you have a bunch of people using the same shared account which I see as bad practice.
What I’m looking for is how to manage this as the only way I’ve found so far is federated services getting the customers active directory and mine recognising accounts across the domains, that way I can get my guys using their own credentials to login and I can also control those better. But if you think about federating with all your customers also can be a problem when they don’t have AD or only use macs.
Perhaps something like jumpcloud but that works for IT staff? I’m a bit lost.
How companies that take care of many customers fully can manage credentials and access safely? if 2 people use the same account for me that is a risk in my opinion.