- Inc. Technology - http://technology.inc.com -
Psst! What's the Password?
Posted By Michelle V. Rafter On September 1, 2008 @ 12:00 am In Computer Security
If your IT manager took off tomorrow, or worse, got hit by a bus, would you know where to look for the administrative-level password he uses to run your company’s computer network?
It’s not a trick question. In fact, it’s a question IT security consultants routinely pose to new clients to find out what they’re doing — or not doing — to safeguard their computer networks.
The importance of adequately managing high-level IT passwords hit home in July, after a disgruntled network administrator went to jail rather than divulge the password he’d created to lock up a multi-million dollar computer system the city of San Francisco’s technology department used to store payroll files, inmate bookings and other sensitive files.
The incident exposed the reality that even large organizations don’t always do what they should when it comes to high-level administrative passwords, which IT managers also call super-user or “God account” passwords.
But business owners need to do a better job of managing network passwords because Sarbanes-Oxley, HIPAA, and other state and federal regulations as well as credit-card processors have set standards for digital information security that demand it.
Keep passwords under lock and key
One of the best ways to guard against sabotage or accidental disaster is to avoid using top-level administrative passwords as much as possible, says Irving Popovetsky, principal consultant with ProStructure Consulting [1], a Portland, Ore., security firm. Choose one high-level person, preferably the IT director, a company officer or someone else who’s personally liable for what happens in IT, and entrust them with the password. “But it should never be used except in emergencies,” Popovetsky says.
Instead, lock it away — in a bank vault if you have to — and have that person use a separate account for daily tasks such as reading e-mail, visiting websites, or using software programs. Popovetsky suggests that any IT staff person who has access to a password for even a portion of a company’s computer network also be required to use a separate, second account for routine daily tasks. Why? For one, it makes it easier to audit activities in accounts used for network administration and maintenance to see who’s making changes to what. Even more importantly, it eliminates the risk of a hacker breaking into one of those high-level administrative accounts and using it to steal company information or launch a Trojan horse or other vicious software program, Popovetsky says.
Companies should also practice what IT security professionals call role-based management or the principle of least privilege, where employees have the minimum access to the company’s computer network they need to do their job, says Javed Ikbal, principal at zSquad [2], an IT security consultant in Boston.
Non-knowledge workers such as secretaries or call-center employees don’t need full access to their own workstations, so there’s no reason to give them administrator passwords for the machines. On the other hand, programmers and other knowledge workers need some additional administrative rights in order to do their jobs and their passwords should be tailored accordingly.
Other password precautions
Other steps companies can take include the following:
According to Ikbal, companies can also use privileged identity management technology to secure, automate and audit passwords for applications, databases, and servers. Companies that make PIM technology include Cyber-Ark, e-DMZ [4], Quest [5], and Symark [6].
But don’t rely entirely on software for protection. IT security is a process, and a business owner who uses software but doesn’t change their security procedures usually finds out the hard way that one doesn’t work without the other, Popovetsky says. “The problem with security is it’s hard, it’s really hard. The deeper you get into it, the more complex it is.”
URL to article: http://technology.inc.com/2008/09/01/psst-whata%c2%80%c2%99s-the-password/
URLs in this post:
[1] ProStructure Consulting: http://www.prostructure.com/
[2] zSquad: http://www.zsquad.com/
[3] Microsoft Baseline Security Analyzer: http://technet.microsoft.com/en-us/security/cc184924.aspx
[4] e-DMZ: http://www.e-dmzsecurity.com/
[5] Quest: http://www.quest.com/
[6] Symark: http://www.symark.com/
Copyright © 2011 Inc Technology. All rights reserved.