Security Basics mailing list archives

Re: Threat vector of running a service using a domain account


From: badz <smanaois3 () gmail com>
Date: Fri, 14 Sep 2007 00:26:04 +0800

Hi Saqib,

Can you be more specific on the "administrative access" requirements
of this account? My two bits, using the account in the manner you have
mentioned is rather risky; service accounts normally do not have
password expiry and aging.

You may want to check and play around with NTRights.exe, SC.exe and
SUBINACL.exe when setting the account's privileges as per your
requirements (starting services, registry modification, interactive
logon rights, network access rights, etc.). I'm not sure if these can
help but I normally use them when restricting service accounts on my
machines.

HTH.

Salvador Manaois III

On 9/12/07, Ali, Saqib <docbook.xml () gmail com> wrote:
I can't reveal the name of the application, but it is a 3rd party non-MS
application.

The reason it puts itself in the Domain Admin group is that it needs
administrative access to the client computers. And since the Domain Admin
group is part of the Local Administrator group on all client computers, it
works out nicely.

saqib
http://security-basics.blogspot.com/



-- 
Salvador Manaois III

smanaois3[at]gmail[dot]com
Linux Registered User 373124
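
The three tools named in the reply above, applied to a single service, as an added example that is not part of the original message. The service name `ExampleAgentSvc` and the account `EXAMPLE\svc_agent` are hypothetical placeholders, and the script assumes an elevated prompt with NTRights.exe and SubInACL.exe (Resource Kit tools) on the PATH.

```batch
@echo off
setlocal
rem Added example. The names below are hypothetical placeholders, not from the thread.
set "SVC_NAME=ExampleAgentSvc"
set "SVC_ACCT=EXAMPLE\svc_agent"

rem SVC_PASS must be set in the calling session so it is never stored in this file.
if not defined SVC_PASS (
    echo SVC_PASS is not set. 1>&2
    exit /b 1
)

rem 1. Grant only the user right needed to run as a service.
ntrights.exe +r SeServiceLogonRight -u "%SVC_ACCT%"
if errorlevel 1 goto :fail

rem 2. Deny console logon so the credential is of no use at a keyboard.
ntrights.exe +r SeDenyInteractiveLogonRight -u "%SVC_ACCT%"
if errorlevel 1 goto :fail

rem 3. Run the service under the account. sc.exe requires the space after
rem    "obj=" and "password=". The password is visible in the process
rem    command line while sc.exe runs.
sc.exe config "%SVC_NAME%" obj= "%SVC_ACCT%" password= "%SVC_PASS%"
if errorlevel 1 goto :fail

rem 4. Allow the account to query status (S), start (T) and stop (O) this
rem    one service, instead of giving it administrative group membership.
subinacl.exe /service "%SVC_NAME%" /grant=%SVC_ACCT%=STO
if errorlevel 1 goto :fail

rem 5. Review the result: logon account, then the service's security descriptor.
sc.exe qc "%SVC_NAME%"
sc.exe sdshow "%SVC_NAME%"
exit /b 0

:fail
echo A step failed with errorlevel %errorlevel%. 1>&2
exit /b 1
```
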

