Security Basics mailing list archives

RE: Threat vector of running a service using a domain account


From: "Jesse Eaton" <jesse.eaton () gmail com>
Date: Wed, 12 Sep 2007 17:22:36 +0200

Well - it seems like the application wasn't planned out very well (relating
to security, anyway), if it does indeed REQUIRE administrator privileges on
client machines...

I would look into what's actually required by the application:

-Does it require write access to certain directories on the client PCs?
-Does it require specific registry hive access?

I would then grant this "service account" NTFS access to only these folders,
and hives, etc... Too often, applications state they NEED administrator
privileges (during the install wizard for instance), when in fact they can
be granted specific access to the directories and hives they need to write
to, and they'll stop complaining...

And does this app. actually run as a SERVICE on a Microsoft server? Is it AD
integrated? Does it even NEED to run as a domain account at all?

I guess without knowing anything else about the application/service, these
are the initial questions I'd work through... Good luck...


-----Original Message-----
From: Ali, Saqib [mailto:docbook.xml () gmail com] 
Sent: Wednesday, September 12, 2007 3:59 PM
To: Jesse Eaton
Cc: security-basics
Subject: Re: Threat vector of running a service using a domain account

I can't reveal the name of the application, but it is a 3rd party non-MS
application.

The reason it puts itself in the Domain Admin group is that it needs
administrative access to the client computers. And since the Domain Admin
group is part of the Local Administrator group on all client computers, it
works out nicely.

saqib
http://security-basics.blogspot.com/
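
One way to apply the scoped-access suggestion from the reply above, as an added example that is not part of the original thread. The account name, directory and registry key are hypothetical placeholders; run it elevated on a client machine after confirming what the application really writes to.

```powershell
# Placeholders (assumptions, not from the thread): replace with real values.
$Account = 'CONTOSO\svc-app'              # hypothetical service account
$DataDir = 'C:\ProgramData\ExampleApp'    # hypothetical directory the app writes to
$RegKey  = 'HKLM:\SOFTWARE\ExampleApp'    # hypothetical registry key the app writes to

# 1. Grant Modify (not FullControl) on the one directory, inherited by
#    subfolders and files, instead of local administrator rights.
$dirAcl = Get-Acl -Path $DataDir
$fsRule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $Account, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$dirAcl.AddAccessRule($fsRule)
Set-Acl -Path $DataDir -AclObject $dirAcl

# 2. Grant read/write on the one registry key and its subkeys only.
$regAcl = Get-Acl -Path $RegKey
$regRule = New-Object System.Security.AccessControl.RegistryAccessRule(
    $Account, 'ReadKey,WriteKey', 'ContainerInherit', 'None', 'Allow')
$regAcl.AddAccessRule($regRule)
Set-Acl -Path $RegKey -AclObject $regAcl

# 3. Show what the account now holds on both objects, for review.
(Get-Acl -Path $DataDir).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, FileSystemRights, IsInherited
(Get-Acl -Path $RegKey).Access |
    Where-Object { $_.IdentityReference -eq $Account } |
    Format-Table IdentityReference, RegistryRights, IsInherited

# 4. List local Administrators so any remaining admin path is visible.
#    A domain group listed here (Domain Admins, as the thread describes)
#    still makes each of its members a local administrator.
$admins = Get-LocalGroupMember -Group 'Administrators'
$admins | Format-Table Name, ObjectClass, PrincipalSource
if ($admins.Name -contains $Account) {
    Write-Warning "$Account is still a direct member of local Administrators."
}
```

If the application still fails after this, its access-denied errors show which further paths or keys need a scoped grant.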

