Security Basics mailing list archives
Re: Securing Service Accounts - Good Practices
From: "Chris Barber" <cmbarber () gmail com>
Date: Tue, 30 Sep 2008 13:25:43 -0700
<-SNIP->
> h) Name your service accounts descriptively. Make sure the actual logon reflects something about what it is used for. In my company we name things kinda like PRSVCWEBIISMailSend. This tells me it is production, a service account, part of the web application, and is likely the IIS SMTP account. This is just a fictional example, but does stay very descriptive.
<-SNIP->

This is just my humble opinion, but in the past I have always asked that service accounts be named just like any other user account on the system, just with a semi-descriptive fictional name.

Example:

User Names - fred.jones, sam.templeton, peter.parker
Admin Names - jesse.henderson, mike.rodriguez, paula.samson
Service Names - randy.oracle, beth.mcmail, thomas.webster

Additional documentation would then go in the description field and other offline documentation. If the account database were ever enumerated from the top, the service accounts would blend in with all of the rest. If the service account, along with every other account, looks the same to an outsider (of the IT staff), then there is no obvious account to single out and attack.

Documentation is very key, and should remain offline or encrypted, or both.

This is just my 2 cents worth.

Chris.
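The two naming conventions discussed in this message can be compared from the attacker's side: once an account list has been enumerated, the first thing done with it is to filter for names that look like service accounts. The script below is an added example, not code from the original post or from either poster; it applies a simple, hypothetical triage heuristic to a constructed list of logon names (the fictional names from the message plus a few extra descriptive ones made up here) and reports which ones stand out. Note that it also flags two of the "person-like" names, since a pseudo-surname that embeds a product or role word (oracle, mail) still gives the account away.

```python
import re

# Constructed sample of an enumerated account dump (not from the original post).
# The descriptive names follow the convention quoted in the thread; the
# first.last names follow the "blend in with the users" convention.
ENUMERATED_ACCOUNTS = [
    "fred.jones", "sam.templeton", "peter.parker",          # users
    "jesse.henderson", "mike.rodriguez", "paula.samson",    # admins
    "PRSVCWEBIISMailSend", "DVSVCSQLBackup",                # descriptive (made up here)
    "svc_sharepoint", "sqlagent",                           # descriptive (made up here)
    "randy.oracle", "beth.mcmail", "thomas.webster",        # person-like service accounts
]

# Shape of an ordinary first.last user logon in this (hypothetical) directory.
PERSON_NAME = re.compile(r"^[a-z]+\.[a-z]+$")

# Role/product words an attacker would grep for. Hypothetical, not exhaustive;
# broad tokens such as "web" are deliberately left out because they would also
# match real surnames (e.g. webster).
ROLE_TOKENS = re.compile(
    r"svc|service|sql|iis|smtp|mail|oracle|backup|agent|sharepoint"
)


def classify(name: str) -> str:
    """Return why an enumerated logon name stands out, or 'person-like' if it does not.

    'structure'    - does not even look like a first.last user logon
                     (mixed case, underscores, no dot), e.g. PRSVCWEBIISMailSend
    'token'        - shaped like a person but the name carries a role/product word,
                     e.g. randy.oracle
    'person-like'  - indistinguishable from a user by name alone
    """
    if not PERSON_NAME.match(name):
        return "structure"
    if ROLE_TOKENS.search(name.lower()):
        return "token"
    return "person-like"


def triage(accounts: list[str]) -> dict[str, list[str]]:
    """Group an enumerated account list by the verdict of classify()."""
    groups: dict[str, list[str]] = {"structure": [], "token": [], "person-like": []}
    for account in accounts:
        groups[classify(account)].append(account)
    return groups


if __name__ == "__main__":
    for verdict, names in triage(ENUMERATED_ACCOUNTS).items():
        print(f"{verdict:12s} {', '.join(names)}")
```

Run as-is, the descriptive names are separated from the user population by the structure check alone, before any token matching is needed; the person-like scheme survives that check, but randy.oracle and beth.mcmail are still picked out by the token pass, while thomas.webster is not. The directory description field, which the message proposes for the real documentation, is readable by any authenticated user in a default Active Directory, so the same triage would trivially extend to it if that field were populated with role information.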
Current thread:
- Securing Service Accounts - Good Practices David Tobias (Sep 24)
- Re: Securing Service Accounts - Good Practices J. Oquendo (Sep 24)
- RE: Securing Service Accounts - Good Practices David Tobias (Sep 24)
- RE: Securing Service Accounts - Good Practices Sheldon Malm (Sep 25)
- <Possible follow-ups>
- Re: Securing Service Accounts - Good Practices krymson (Sep 30)
- Re: Securing Service Accounts - Good Practices Chris Barber (Sep 30)
- Re: Securing Service Accounts - Good Practices J. Oquendo (Sep 24)