I thought that would get some attention.
I need to tighten up Windchill security because there appears to be an issue with administrator passwords being changed. I believe I know who is doing it, but don’t know why they would, and I can’t yet prove it. I would like to document who is doing it. If that is not possible, I would like to eliminate any chance that it is being done through a “back door” and lock down that access. Can I simply change the password for the “other system”, or would that cause issues in other places? We are not using Active Directory. If I shouldn’t change that password, what other ways are there to improve security and verify how this is happening? Thanks!
We had a similar problem to yours a short time ago. Our IT person changed the system admin password without any knowledge of what could happen. After this change, the problems started.
- The wt.backup script (application from David Davidson) that we use for backup was broken, because the admin password was changed
- The wt.backup script was generating error log files during the whole night (25k files in total). When the hard disk was full (2MB remaining), it was stopped
- On the second day, in the morning, I started Creo Parametric and it told me: "I can't start Windchill, contact your admin".
- password was changed
- EVERYONE knows new password
- no better security
- problems with backup settings
In our company EVERYONE knows the system admin password.
Everyone can install any freeware program on his local station.
Everyone can change everything on his computer ---> config.SUP in the TEXT directory, which should be the Creo Parametric company standard config, can be changed as everyone wishes ---> company standards are broken. Afterwards everyone cries: "Why doesn't it work?"
Only 2-3 responsible persons should know the system admin password, depending on company size.
You can enable auditing for password changes in Windchill. See this article: https://support.ptc.com/appserver/cs/view/solution.jsp?n=CS191950
Here is the section in the help documentation (Configuring Audit Event Recording):
This won't catch someone making changes directly in the LDAP, but I wouldn't be surprised if there isn't something in those logs as well.
The best option to follow is to disable all privileged generic accounts.
Provide individual user accounts with the specific permissions which are needed to get the task done. If we have to track down who is doing what, we would need specific user accounts to perform privileged actions.