Security Basics mailing list archives

Re: Threat vector of running a service using a domain account


From: "Kurt Buff" <kurt.buff () gmail com>
Date: Wed, 12 Sep 2007 13:01:29 -0700

Are the users admins on their own machines? If so, a login script to
add permissions for another group (LocalServiceAccounts, perhaps?)
would work.

Otherwise, a policy to add the AD group to the local Administrators
group would probably work well.

On 9/12/07, Ali, Saqib <docbook.xml () gmail com> wrote:
I can't reveal the name of the application, but it is a 3rd party non-MS
application.

The reason it puts itself in the Domain Admin group is that it needs
administrative access to the client computers. And as the Domain Admin group
is part of the Local Administrator group on all client computers, it
works out nicely.

saqib
http://security-basics.blogspot.com/


