- Servers, network devices, databases
- High value.
- Mobile -- dynamic IPs.
- Powered on or off.
- Direct-attached or firewalled.
- Every IT asset has sensitive passwords:
- Administrator passwords:
Used to manage each system.
- Service passwords:
Provide security context to service programs.
Allows one application to connect to another.
- Do these passwords ever change?
- Plaintext in configuration files?
- Who knows these passwords? (ex-staff?)
- Audit: who did what?