Security Basics mailing list archives

Re: Threat vector of running a service using a domain account


From: jfvanmeter () comcast net
Date: Wed, 12 Sep 2007 14:53:48 +0000

Sure, what I normally do is place my denies at the domain level.... so I would edit the group policy that is linked to 
my domain. That way the service account is denied those user rights for my whole domain.

To find the deny settings, expand computer configuration, windows setting, security settings, local policy, user right 
assignments, scan down the list and you will see

Deny access to this computer from the network
Deny logon as a batch job
Deny logon locally
Deny logon through Terminal Services

Normally I deny access to this computer from the network, deny logon locally and deny logon through terminal 
services.


Take Care and Have Fun --John

PS: if you are doing a lot of work with GPOs you should check out http://www.gpoguy.com/ 

 -------------- Original message ----------------------
From: "Ali, Saqib" <docbook.xml () gmail com>
Hello,

On 9/12/07, jfvanmeter () comcast net <jfvanmeter () comcast net> wrote:
Hello, service accounts are a great way to use less privilege, so yes I think 
the risk is manageable.  I would also add deny log on terminal services, and if 
it's not running as a batch job I would also deny that user right. I would also 
make the password random and at least 24 characters.

Can you please explain how I can deny TS logon and batch job?

Thanks
saqib
http://security-basics.blogspot.com/
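
An added example, not part of the original thread: a PowerShell check that exports the user rights in effect on a machine with secedit and reports whether a service account is listed under each of the four deny rights named in the message. The account name CONTOSO\svc-app is a placeholder, and the script assumes an elevated prompt on the machine being checked.

```powershell
# Added example: confirm a service account is covered by the deny logon rights.
# Assumptions: elevated prompt on the target machine; 'CONTOSO\svc-app' is a
# placeholder. Only direct entries are checked, not denies inherited via a group.
param([string]$Account = 'CONTOSO\svc-app')

# Privilege constants behind the four policies listed in the message
$denyRights = [ordered]@{
    SeDenyNetworkLogonRight           = 'Deny access to this computer from the network'
    SeDenyBatchLogonRight             = 'Deny logon as a batch job'
    SeDenyInteractiveLogonRight       = 'Deny logon locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny logon through Terminal Services'
}

# secedit writes domain principals as *S-1-5-..., so resolve the account to its SID
$sid = ([System.Security.Principal.NTAccount]$Account).Translate(
    [System.Security.Principal.SecurityIdentifier]).Value
$shortName = ($Account -split '\\')[-1]

# Export the user rights assignment currently applied (local policy plus GPOs)
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
try {
    $lines = Get-Content -Path $cfg
} finally {
    Remove-Item $cfg -ErrorAction SilentlyContinue
}

foreach ($right in $denyRights.Keys) {
    # A right with no members has no line in the export at all
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $members = @()
    if ($line) {
        $members = @(($line -split '=', 2)[1].Split(',') |
            ForEach-Object { $_.Trim().TrimStart('*') })
    }
    $listed = ($members -contains $sid) -or
              ($members -contains $Account) -or
              ($members -contains $shortName)
    [pscustomobject]@{
        Policy = $denyRights[$right]
        Right  = $right
        Denied = $listed
    }
}
```

Run it after the domain policy has refreshed on the machine; a `Denied` value of `False` for a right you set in the GPO means the policy has not applied there or the account is only denied through a group.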

