Do you have a broken glass account? Are you ready for your environment to survive if you are not there anymore? Do you consider the hit by a bus concept to be a joke?
So I am sure you all have heard of the old “hit by a bus” concept. This is the idea that in case something happens, there is documentation on running the network somewhere. This somewhere is known by the company’s management… and normally more than one member of that management.
Okay, so you knew the concept, but it is kind of joked about in the industry yes? Yes it is, by people who have never been there. My first example of needing this in my day to day work was when a Domino Administrator went hosteling in the nineties. He left, and the company had problems. And of all the security had been done just to him, not to a group… so no one else had access. Back then we could use a brute force hacking program and get in. We still can if you don’t do your job on passwords. But if you do… how do you get in to support? This last year I have ran across two clients who primary network people really did die. Some of the documentation was there… some wasn’t. Happily, a “broken glass account” was not needed.
So what is a “broken glass account”? The name comes from the old fashioned breaking of the glass to pull a fire alarm. What it means in information technology is a little different. It refers to an account that is documented with user name and password, and normally kept on paper in a safe that allows a person who does not have access privileges to gain those access privileges when necessary.
This allows you to keep auditing clean by not leaving active users passwords written down, and at the same time allow access at need. Auditing should never be endangered by sharing accounts. This just leads to suspected troubles later down the way. This is also partly the reason that designated “broken glass accounts” exist. If the engineer or administrator writes down their credentials, then forever more you cannot guarantee that only that person has access to that account. Instead you have guaranteed that is not the case.
This leads to one requirement to always put on “broken glass accounts”. You should require all “broken glass accounts” to have a requirement to change passwords on use if they are domain accounts. This updates the object in Active Directory and therefore begins an audit trail. And after any disaster there is likely to be a review, so bright and clear audit trails are important.
Now traditionally there is a twist to keep things a little more organized. You can keep tiers of accounts. Would I keep all that I list? No, but these are reasonable. I would keep two or three at most. I always start with Enterprise Administrator. Some reasonable tiers are:
- Enterprise Administrator
- Systems Management / System Center Infrastructure Engineer
- Server Operator
- Desktop Administrator
The broken glass account is part of a broader solution of business continuity and disaster recovery, but it is simply basing pre–staged emergency user accounts in secured location that will allow management to access them at need, while not breaking the audit trails. Just remember to keep this solution simple. If you do it will always be effective and reliable if something happens.