Security Basics mailing list archives
RE: Threat vector of running a service using a domain account
From: "Jesse Eaton" <jesse.eaton () gmail com>
Date: Wed, 12 Sep 2007 07:32:06 +0200
What application is this AD service account going to be used for? And why is this service account requiring Domain Admin privileges? I wouldn't recommend that... For instance, I run MSSQL, McAfee ePO, and SharePoint (among others) with an AD service account - but NONE of these accounts are administrators of any type. They simply have the proper permissions set to access/modify their respective database(s) and to start up their respective services on the server... -----Original Message----- From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ali, Saqib Sent: Monday, September 10, 2007 5:44 AM To: security-basics Subject: Threat vector of running a service using a domain account i would like to understand the threat vector of using a "dedicated" Active Directory account to run a service. Here are some details: 1) This particular account will have domain admin privileges. 2) The account will NOT be used to perform interactive logon to the machines. 3) The password for the account will be stored in a safe-box The brute-force attack risk is mitigated by the fact that the account will lockout after X number of unsuccessful attempt. Also any attempt to use the account for interactive logon will show up in the audit logs. My questions: 1) Is the risk manageable? 2) Or should we completely avoid this application? 3) Is this kind of scenario common? 4) What other popular apps require such domain admin privileges for service accounts? 5) What other Controls can we put in place to prevent misuse of the account? saqib http://security-basics.blogspot.com/
Current thread:
- Threat vector of running a service using a domain account Ali, Saqib (Sep 11)
- RE: Threat vector of running a service using a domain account Jesse Eaton (Sep 12)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- RE: Threat vector of running a service using a domain account Jesse Eaton (Sep 12)
- Re: Threat vector of running a service using a domain account Kurt Buff (Sep 12)
- Re: Threat vector of running a service using a domain account badz (Sep 13)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 12)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- Re: Threat vector of running a service using a domain account gjgowey (Sep 13)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- Re: Threat vector of running a service using a domain account James Fryman (Sep 13)
- <Possible follow-ups>
- Re: Threat vector of running a service using a domain account jfvanmeter (Sep 12)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
(Thread continues...)
- RE: Threat vector of running a service using a domain account Jesse Eaton (Sep 12)