Security Basics mailing list archives
Re: RE: Threat vector of running a service using a domain account
From: levinson_k () securityadmin info
Date: 12 Sep 2007 17:54:46 -0000
So, it sounds like you are choosing ease of use over security. Setting a service account as a DOMAIN administrator account is not common. It is commonly recommended that you avoid this for security reasons. The main threat vector is that if anyone can compromise the running service, they automatically gain privileges to administer every system, including creating new domain accounts.

Domain and local administrator accounts are really only REQUIRED if accounts need to be created. Almost anything else can be done by lesser accounts, given the correct privileges. Whether this is an acceptable risk is entirely up to you, your security needs, the sensitivity of your data and systems, etc.

You state that the password will be stored in a safe, but the password will be stored somewhere else on the computer or in the application code, or else the service won't be able to give the password to log in.

Kind regards,
Karl Levinson
http://securityadmin.info

-----Original Message-----
From: Ali, Saqib

I would like to understand the threat vector of using a "dedicated" Active Directory account to run a service. Here are some details:

1) This particular account will have domain admin privileges.
2) The account will NOT be used to perform interactive logon to the machines.
3) The password for the account will be stored in a safe-box.

The brute-force attack risk is mitigated by the fact that the account will lock out after X number of unsuccessful attempts.

The reason it puts itself in the Domain Admin group is that it needs administrative access to the client computers. And since the Domain Admin group is part of the Local Administrator group on all client computers, it works out nicely.
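The check a Windows administrator would actually run after reading the exchange above, as an added example that is not part of the original thread or of any tool mentioned in it: list the services on a host that run under a domain account and flag those whose account is a member of Domain Admins. The function name, parameter names, the CORP domain and the service list are constructed for illustration; the live-collection cmdlets in the comments (Get-CimInstance Win32_Service, Get-ADGroupMember) are the standard ones.

```powershell
# Added example, not code from the mailing-list thread. Names and sample data
# are constructed. Windows keeps the password of every service configured with
# a named account as an LSA secret (_SC_<ServiceName>) on that host, readable by
# any local administrator, which is why a host compromise leaks whatever the
# service account is allowed to do domain-wide.

function Get-PrivilegedServiceAccounts {
    param(
        # Objects with Name, DisplayName and StartName, as Win32_Service returns them
        [Parameter(Mandatory)] [object[]] $Services,
        # SamAccountNames of the Domain Admins group (recursive membership)
        [Parameter(Mandatory)] [string[]] $PrivilegedAccounts,
        # NetBIOS name of the domain whose accounts we care about (assumption: CORP)
        [string] $Domain = 'CORP'
    )

    # Accounts supplied by Windows itself; no password is stored for these.
    $builtin = @('localsystem', 'nt authority\localservice', 'nt authority\networkservice')
    $priv = @{}
    foreach ($a in $PrivilegedAccounts) { $priv[$a.ToLowerInvariant()] = $true }
    $domLower = $Domain.ToLowerInvariant()

    foreach ($svc in $Services) {
        $start = [string]$svc.StartName
        if (-not $start) { continue }
        $lower = $start.ToLowerInvariant()
        if ($builtin -contains $lower) { continue }
        # Virtual accounts (NT SERVICE\x) have no admin-set password on the host.
        if ($lower.StartsWith('nt service\')) { continue }

        # Normalise DOMAIN\user and user@domain.tld to a bare SamAccountName;
        # anything else (.\user, HOST\user) is a local account and not a
        # domain-wide exposure, so it is skipped here.
        $sam = $null
        if ($lower -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
            if ($Matches.dom -eq $domLower) { $sam = $Matches.user }
        } elseif ($lower -match '^(?<user>[^@]+)@') {
            $sam = $Matches.user
        }
        if (-not $sam) { continue }
        # gMSA / computer accounts end in '$': AD rotates their password, so an
        # admin never typed one; they are still reported, just not as a DA hit
        # unless the group really contains them.
        [pscustomobject]@{
            Service     = $svc.Name
            DisplayName = $svc.DisplayName
            Account     = $start
            DomainAdmin = [bool]$priv.ContainsKey($sam)
        }
    }
}

# Constructed sample input standing in for Get-CimInstance Win32_Service output.
$sampleServices = @(
    [pscustomobject]@{ Name = 'Spooler';   DisplayName = 'Print Spooler';   StartName = 'LocalSystem' },
    [pscustomobject]@{ Name = 'BackupAgt'; DisplayName = 'Backup Agent';    StartName = 'CORP\svc_backup' },
    [pscustomobject]@{ Name = 'InvAgent';  DisplayName = 'Inventory Agent'; StartName = 'svc_inventory@corp.example' },
    [pscustomobject]@{ Name = 'MSSQL';     DisplayName = 'SQL Server';      StartName = 'NT SERVICE\MSSQLSERVER' },
    [pscustomobject]@{ Name = 'LegacyApp'; DisplayName = 'Legacy App';      StartName = '.\localsvc' }
)
# Constructed; live equivalent: (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
$domainAdmins = @('Administrator', 'svc_backup')

Get-PrivilegedServiceAccounts -Services $sampleServices -PrivilegedAccounts $domainAdmins -Domain 'CORP' |
    Format-Table -AutoSize

# Live run on a domain-joined host with the ActiveDirectory module installed:
#   $svcs = Get-CimInstance Win32_Service
#   $das  = (Get-ADGroupMember -Identity 'Domain Admins' -Recursive).SamAccountName
#   Get-PrivilegedServiceAccounts -Services $svcs -PrivilegedAccounts $das -Domain $env:USERDOMAIN
```

With the sample data, BackupAgt (CORP\svc_backup) is reported with DomainAdmin = True and InvAgent with DomainAdmin = False; the built-in, virtual and local accounts are filtered out. Any row flagged True is a service whose compromise, or whose host's compromise, hands over a Domain Admin credential, which is exactly the exposure the reply above describes; the fix it points to is to grant the account only the local rights the service needs on its target machines rather than Domain Admins membership.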
Current thread:
- Re: Threat vector of running a service using a domain account, (continued)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- RE: Threat vector of running a service using a domain account Jesse Eaton (Sep 12)
- Re: Threat vector of running a service using a domain account Kurt Buff (Sep 12)
- Re: Threat vector of running a service using a domain account badz (Sep 13)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 12)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- Re: Threat vector of running a service using a domain account gjgowey (Sep 13)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- Re: Threat vector of running a service using a domain account James Fryman (Sep 13)
- Re: Threat vector of running a service using a domain account jfvanmeter (Sep 12)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- Re: RE: Threat vector of running a service using a domain account levinson_k (Sep 12)
- Re: Threat vector of running a service using a domain account jfvanmeter (Sep 12)
- Re: Re: Threat vector of running a service using a domain account levinson_k (Sep 12)
- Re: Threat vector of running a service using a domain account Jay (Sep 13)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 13)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 14)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 18)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 13)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)