Security Basics mailing list archives

Re: Threat vector of running a service using a domain account


From: jfvanmeter () comcast net
Date: Wed, 12 Sep 2007 08:33:19 +0000

Hello, service accounts are a great way to use less privilege, so yes I think the risk is manageable.  I would also add 
deny log on through terminal services, and if it's not running as a batch job I would also deny that user right. I would also 
make the password random and at least 24 characters.

Are you running Windows 2000 or Windows 2003? With Win2k3 you can also run the service in the context of Local Service 
or Network Service; you don't have to run it as SYSTEM. 

Just my two shiny centavos --John

 -------------- Original message ----------------------
From: "Ali, Saqib" <docbook.xml () gmail com>
I would like to understand the threat vector of using a "dedicated"
Active Directory account to run a service. Here are some details:

1) This particular account will have domain admin privileges.
2) The account will NOT be used to perform interactive logon to the machines.
3) The password for the account will be stored in a safe-box

The brute-force attack risk is mitigated by the fact that the account
will lock out after X number of unsuccessful attempts. Also, any attempt
to use the account for interactive logon will show up in the audit
logs.

My questions:
1) Is the risk manageable?
2) Or should we completely avoid this application?
3) Is this kind of scenario common?
4) What other popular apps require such domain admin privileges for
service accounts?
5) What other controls can we put in place to prevent misuse of the account?

saqib
http://security-basics.blogspot.com/
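The controls John lists above (deny log on through Terminal Services, deny batch logon, a random 24-character password) plus a check of which services actually run under domain accounts rather than Local Service/Network Service, as an added PowerShell example that is not part of the thread. It assumes an elevated session on the host running the service; CONTOSO\svc_example is a constructed placeholder for the dedicated account.

```powershell
# Added example (not from the thread). Assumes an elevated PowerShell session on the service host.
# CONTOSO\svc_example is a constructed placeholder for the dedicated service account.
param([string]$ServiceAccount = 'CONTOSO\svc_example')

# 1. A 24-character password drawn from a cryptographic RNG (Get-Random is not suitable for this).
function New-ServicePassword([int]$Length = 24) {
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#%&*+-=?@'
    $bytes = New-Object byte[] ($Length * 4)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    -join (0..($Length - 1) | ForEach-Object {
        $alphabet[[BitConverter]::ToUInt32($bytes, $_ * 4) % $alphabet.Length] })
}

# 2. Resolve the account to its SID; secedit templates reference principals as *SID.
$sid = ([System.Security.Principal.NTAccount]$ServiceAccount).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# 3. Export the current user-rights assignment and merge the deny rights into it. A template that
#    lists only the new SID would REPLACE whatever is already assigned to that right, so merge instead.
$work = Join-Path $env:TEMP 'svc-hardening'
New-Item -ItemType Directory -Force -Path $work | Out-Null
$cfg = Join-Path $work 'rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$lines = [System.Collections.Generic.List[string]](Get-Content $cfg)   # secedit writes UTF-16 with BOM
# SeDenyRemoteInteractiveLogonRight = "Deny log on through Terminal Services"
# SeDenyInteractiveLogonRight       = "Deny log on locally"
# SeDenyBatchLogonRight             = "Deny log on as a batch job" (drop it if the account runs scheduled tasks)
$rights = 'SeDenyRemoteInteractiveLogonRight', 'SeDenyInteractiveLogonRight', 'SeDenyBatchLogonRight'
foreach ($right in $rights) {
    $idx = -1
    for ($i = 0; $i -lt $lines.Count; $i++) { if ($lines[$i] -match "^$right\s*=") { $idx = $i; break } }
    if ($idx -lt 0) {
        $lines.Insert($lines.IndexOf('[Privilege Rights]') + 1, "$right = *$sid")
    } elseif ($lines[$idx] -notmatch [regex]::Escape("*$sid")) {
        $lines[$idx] += ",*$sid"
    }
}
Set-Content -Path $cfg -Value $lines -Encoding Unicode
secedit /configure /db (Join-Path $work 'rights.sdb') /cfg $cfg /areas USER_RIGHTS | Out-Null

# 4. Audit: which services on this host run under a domain account instead of Local Service/Network Service?
function Get-DomainServiceAccounts([string]$Domain = 'CONTOSO') {
    Get-CimInstance Win32_Service | Where-Object { $_.StartName -like "$Domain\*" } |
        Select-Object Name, StartName, State, StartMode
}
Get-DomainServiceAccounts
```

Verify the result with `secedit /export` again or in Local Security Policy under User Rights Assignment; the generated password should go straight into the service's logon credentials and the safe-box, never into a script file.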
