Security Basics mailing list archives

Re: Threat vector of running a service using a domain account


From: gjgowey () tmo blackberry net
Date: Wed, 12 Sep 2007 23:40:03 +0000

You could do what SMS does to "bootstrap" a client: have a small client pull files from the server using the machine 
account.  From there on your service can install itself and assign itself a regular domain account that doesn't 
require admin access.  Building something like this could be done relatively simply using a program that generates 
MSIs and then pushed to the systems using AD. 

Geoff

Sent from my BlackBerry wireless handheld.

-----Original Message-----
From: "Ali, Saqib" <docbook.xml () gmail com>

Date: Wed, 12 Sep 2007 07:08:54 
To: "Ramsdell, Scott" <Scott.Ramsdell () cellnet com>
Cc: security-basics <security-basics () securityfocus com>
Subject: Re: Threat vector of running a service using a domain account


Scott,

Thanks for the response.

AD will allow you to mitigate the risk by specifying that the account
can only login to the appropriate server(s).  I assume you knew that,
but it wasn't mentioned, so I'll throw it out there.

Actually, clients are the target of this particular service, not servers. The
reason it puts itself in the Domain Admins group is that it needs
administrative access to the client computers. And since the Domain Admins
group is part of the local Administrators group on all client computers,
it works out nicely.

Is there a way to specify that the account can only log in to client
computers and not servers?

Our last resort was to add the account to Local Administrators group
using GPOs as you mentioned.

saqib
http://security-basics.blogspot.com/
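The question above (restricting a service account to client machines, and keeping it out of Domain Admins) maps onto two AD controls: the account's "Log On To" list (the LogonWorkstations attribute) and group membership. The following PowerShell is an added example written for this archive page, not code from either poster; the account name svc-clientagent and the host names WS-CLIENT01 to WS-CLIENT03 are placeholders, and it assumes the ActiveDirectory module (RSAT) and, for the last check, PowerShell 5.1's LocalAccounts module on the server being inspected.

```powershell
# Added example, not from the thread. Placeholder names throughout.
Import-Module ActiveDirectory

$account      = 'svc-clientagent'                       # assumed service account
$allowedHosts = @('WS-CLIENT01', 'WS-CLIENT02', 'WS-CLIENT03')  # assumed clients

# 1. Restrict interactive logon to the listed clients. The attribute is a
#    comma-separated list of NetBIOS names with no spaces; servers are simply
#    left off the list.
Set-ADUser -Identity $account -LogonWorkstations ($allowedHosts -join ',')

# 2. Read the setting back together with group membership for review.
$user = Get-ADUser -Identity $account -Properties LogonWorkstations, MemberOf
"Log On To: $($user.LogonWorkstations)"

# 3. Flag the risky case the original poster describes: the service account
#    sitting in Domain Admins. Membership is checked by DN prefix.
$inDomainAdmins = @($user.MemberOf | Where-Object { $_ -like 'CN=Domain Admins,*' }).Count -gt 0
if ($inDomainAdmins) {
    Write-Warning "$account is a member of Domain Admins; prefer local Administrators on clients only."
}

# 4. Run on a server to confirm the account did not end up in its local
#    Administrators group (e.g. through a too-broad Restricted Groups policy).
$localAdmin = Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.Name -like "*\$account" }
if ($localAdmin) {
    Write-Warning "$account is a local administrator on $env:COMPUTERNAME."
} else {
    "$account is not a local administrator on $env:COMPUTERNAME."
}
```

Two caveats a practitioner would want: the "Log On To" list only governs interactive-style logons and is evaluated against the workstation name presented at logon, so it is a guardrail rather than a hard security boundary, and the complementary control on servers is a GPO that grants "Deny log on locally" and "Deny log on as a service" to the account. Granting the account local Administrators on clients through Restricted Groups (the "last resort" mentioned above) combined with these two settings gives the client-only scope asked about without any Domain Admins membership.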
