Security Basics mailing list archives

Re: RE: Threat vector of running a service using a domain account


From: levinson_k () securityadmin info
Date: 12 Sep 2007 17:54:46 -0000

So, it sounds like you are choosing ease of use over security.

Setting a service account as a DOMAIN administrator account is not common.  It is commonly recommended that you avoid 
this for security reasons.

The main threat vector is that if anyone can compromise the running service, they automatically gain privileges to 
administer every system, including creating new domain accounts.  Domain and local administrator accounts are really 
only REQUIRED if accounts need to be created.  Almost anything else can be done by lesser accounts, given the correct 
privileges.

Whether this is an acceptable risk is entirely up to you, your security needs, the sensitivity of your data and 
systems, etc.

You state that the password will be stored in a safe, but the password will be stored somewhere else on the computer or 
in the application code, or else the service won't be able to give the password to log in.

kind regards,
Karl Levinson
http://securityadmin.info

-----Original Message-----
From: Ali, Saqib

I would like to understand the threat vector of using a "dedicated"
Active Directory account to run a service. Here are some details:

1) This particular account will have domain admin privileges.
2) The account will NOT be used to perform interactive logon to the
machines.
3) The password for the account will be stored in a safe-box

The brute-force attack risk is mitigated by the fact that the account will
lock out after X number of unsuccessful attempts.

The reason it puts itself in the Domain Admin group is that it needs
administrative access to the client computers. And since the Domain Admin group is
part of the Local Administrator group on all client computers, it works out
nicely.
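As an added example, not from either message in this thread: a PowerShell audit that lists every Windows service whose logon account is a domain or local user account, and flags the ones whose account is a member of Domain Admins. It assumes the ActiveDirectory module (RSAT) is available for the group lookup and is run on the machine being reviewed.

```powershell
# Added example (not from the thread): find services running as a named account,
# and mark those whose account is (directly or via nesting) in Domain Admins.
# Assumes the ActiveDirectory module from RSAT is installed.

# Recursive membership of Domain Admins, normalised to "DOMAIN\sam" in lower case
$domainNetbios = (Get-ADDomain).NetBIOSName
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    ForEach-Object { "$domainNetbios\$($_.SamAccountName)".ToLowerInvariant() }

# Built-in service identities that are not user accounts and need no review here
$builtin = @('localsystem', 'nt authority\localservice', 'nt authority\networkservice')

Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        ($builtin -notcontains $_.StartName.ToLowerInvariant()) -and
        $_.StartName -notlike 'NT SERVICE\*'   # per-service virtual accounts
    } |
    ForEach-Object {
        $acct = $_.StartName.ToLowerInvariant()
        # Accept both DOMAIN\user and user@domain.tld spellings of the logon name
        if ($acct -like '*@*') {
            $acct = "$domainNetbios\$($acct.Split('@')[0])".ToLowerInvariant()
        }
        [PSCustomObject]@{
            Service       = $_.Name
            State         = $_.State
            LogonAccount  = $_.StartName
            IsDomainAdmin = ($domainAdmins -contains $acct)
        }
    } |
    Sort-Object IsDomainAdmin -Descending |
    Format-Table -AutoSize
```

Any row with IsDomainAdmin set to True is a service that, if compromised, hands the attacker domain-wide administration; the usual fix is a dedicated low-privilege account granted only the rights the service actually needs.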
