[unisog] Threat vector of running a service using a domain account
Ali, Saqib
docbook.xml at gmail.com
Wed Sep 12 04:46:42 GMT 2007
i would like to understand the threat vector of using a "dedicated"
Active Directory account to run a service. Here are some details:
1) This particular account will have domain admin privileges.
2) The account will NOT be used to perform interactive logon to the machines.
3) The password for the account will be stored in a safe-box
The brute-force attack risk is mitigated by the fact that the account
will lockout after X number of unsuccessful attempt. Also any attempt
to use the account for interactive logon will show up in the audit
logs.
My questions:
1) Is the risk manageable?
2) Or should we completely avoid this application?
3) Is this kind of scenario common?
4) What other popular apps require such domain admin privileges for
service accounts?
5) What other Controls can we put in place to prevent misuse of the account?
saqib
http://security-basics.blogspot.com/
More information about the unisog
mailing list