Security Basics mailing list archives
RE: Threat vector of running a service using a domain account
From: "Jesse Eaton" <jesse.eaton () gmail com>
Date: Wed, 12 Sep 2007 17:22:36 +0200
Well - it seems like the application wasn't planned out very well (relating to security, anywayz), if it does indeed REQUIRE administrator privileges on client machines...

I would look into what's actually required by the application:

- Does it require write access to certain directories on the client PCs?
- Does it require specific registry hive access?

I would then grant this "service account" NTFS access to only these folders, and hives, etc...

Too often, applications state they NEED administrator privileges (during the install wizard for instance), when in fact they can be granted specific access to the directories and hives they need to write to, and they'll stop complaining...

And does this app. actually run as a SERVICE on a Microsoft server? Is it AD integrated? Does it even NEED to run as a domain account at all?

I guess without knowing anything else about the application/service, these are the initial questions I'd work through...

Good luck...

-----Original Message-----
From: Ali, Saqib [mailto:docbook.xml () gmail com]
Sent: Wednesday, September 12, 2007 3:59 PM
To: Jesse Eaton
Cc: security-basics
Subject: Re: Threat vector of running a service using a domain account

I can't reveal the name of the application, but it is a 3rd party non-MS application. The reason it puts itself in the Domain Admin group is that it needs administrative access to the client computers. And since the Domain Admin group is part of the Local Administrator group on all client computers, it works out nicely.

saqib
http://security-basics.blogspot.com/
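The scoped-access approach suggested in the reply above, sketched in PowerShell as an added example that is not part of the original thread. The account name, folder and registry key are hypothetical placeholders; the real ones depend on what the application is observed to write to. Run from an elevated session on the client.

```powershell
# Added example: grant a service account only the folder and registry key it
# needs, instead of administrator rights. All three names are assumptions.
$Account = 'CONTOSO\svc-thirdparty'          # hypothetical service account
$DataDir = 'C:\ProgramData\ThirdPartyApp'    # hypothetical writable folder
$RegKey  = 'HKLM:\SOFTWARE\ThirdPartyApp'    # hypothetical registry key

$allow  = [System.Security.AccessControl.AccessControlType]::Allow
$noProp = [System.Security.AccessControl.PropagationFlags]::None

# 1. NTFS: Modify (not FullControl) on the folder, inherited by children.
$fsInherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$fsRights  = [System.Security.AccessControl.FileSystemRights]::Modify
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, $fsRights, $fsInherit, $noProp, $allow)
$fsAcl = Get-Acl -Path $DataDir
$fsAcl.AddAccessRule($fsRule)
Set-Acl -Path $DataDir -AclObject $fsAcl

# 2. Registry: read/write on one key and its subkeys, nothing wider.
$regInherit = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$regRights  = [System.Security.AccessControl.RegistryRights]'ReadKey, WriteKey'
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Account, $regRights, $regInherit, $noProp, $allow)
$regAcl = Get-Acl -Path $RegKey
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegKey -AclObject $regAcl

# 3. Review what the account now holds on each object.
foreach ($path in $DataDir, $RegKey) {
    (Get-Acl -Path $path).Access |
        Where-Object { $_.IdentityReference -eq $Account } |
        Select-Object @{n='Path';e={$path}}, IdentityReference,
                      AccessControlType, IsInherited,
                      @{n='Rights';e={
                          if ($_.FileSystemRights) { $_.FileSystemRights }
                          else { $_.RegistryRights } }}
}

# 4. Confirm the account is not a direct member of local Administrators
#    (S-1-5-32-544). Direct members only: nesting through a domain group
#    such as Domain Admins has to be checked in AD.
$direct = Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Where-Object { $_.Name -eq $Account }
if ($direct) { Write-Warning "$Account is still a local administrator" }
```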