[unisog] Threat vector of running a service using a domain account
Gaddis, Jeremy L.
jeremy at linuxwiz.net
Thu Sep 13 01:11:33 GMT 2007
On 9/12/07, Ali, Saqib <docbook.xml at gmail.com> wrote:
> i would like to understand the threat vector of using a "dedicated"
> Active Directory account to run a service. Here are some details:
>
> 1) This particular account will have domain admin privileges.
I'd look into whether you can delegate *some* permissions to the
account. Most of the time applications/software that "need domain
admin privileges" don't really.
> 3) The password for the account will be stored in a safe-box
And also on the machine the application is running on, as Windows will
need the credentials of the "user" in order to start the service as
that "user".
> My questions:
> 1) Is the risk manageable?
Depends entirely on what a domain admin in your environment has access
to/can do. A manageable risk in your environment may not be a
manageable risk in my environment.
> 5) What other Controls can we put in place to prevent misuse of the account?
Delegate out the permissions it actually requires instead of giving it
full blown domain admin privileges (e.g. does it *really* need to be
able to reset your CEO's password or access his mailbox?).
--
Jeremy L. Gaddis
http://www.jeremygaddis.com/
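An added example, not part of the original post or its author's work: a PowerShell audit that lists the services on one or more hosts running under domain accounts and flags any whose account is, directly or through nested groups, a member of Domain Admins. It makes concrete the two points in the reply above: the service account's credentials live on every box where the service is configured, and a service account should not be in Domain Admins unless it really needs to be. The computer names, group name and the RSAT ActiveDirectory module are assumptions for illustration.

```powershell
# Added example (not from the original post). Audit service accounts on the
# given hosts and flag those that are members of a privileged AD group.
# Assumes the RSAT ActiveDirectory module is installed and that the caller
# can query WMI/CIM on the target hosts.
param(
    [string[]]$ComputerName     = @($env:COMPUTERNAME),   # assumption: local host by default
    [string]  $PrivilegedGroup  = 'Domain Admins'         # assumption: group to check against
)

Import-Module ActiveDirectory

# Resolve the privileged group once, recursively, so nested membership is caught.
$privilegedSams = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

# Built-in service identities that are not domain accounts.
$builtin = @('localsystem', 'nt authority\localservice', 'nt authority\networkservice',
             'nt authority\system')

function Get-ServiceAccountReport {
    param([string[]]$Hosts)

    foreach ($computer in $Hosts) {
        $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer
        foreach ($svc in $services) {
            $account = $svc.StartName
            if (-not $account) { continue }
            if ($builtin -contains $account.ToLowerInvariant()) { continue }

            # Service accounts appear as DOMAIN\user, .\user (local) or user@domain.
            if ($account -match '^(?<dom>[^\\]+)\\(?<sam>.+)$') {
                $domain = $Matches.dom
                $sam    = $Matches.sam
                # ".\user" or "HOST\user" is a local account; it carries no domain privilege.
                if ($domain -eq '.' -or $domain -ieq $computer) { continue }
            } elseif ($account -match '^(?<sam>[^@]+)@(?<dom>.+)$') {
                $sam    = $Matches.sam
                $domain = $Matches.dom
            } else {
                continue
            }

            [pscustomobject]@{
                ComputerName = $computer
                Service      = $svc.Name
                Account      = $account
                IsPrivileged = ($privilegedSams -contains $sam.ToLowerInvariant())
            }
        }
    }
}

# Every row is a host holding that account's credentials; rows with
# IsPrivileged = True are the ones where a compromised box means a
# compromised domain.
Get-ServiceAccountReport -Hosts $ComputerName |
    Sort-Object IsPrivileged -Descending |
    Format-Table -AutoSize
```

Run it against the servers where the application is installed; any row with IsPrivileged set to True is a box whose local administrators are, in effect, domain administrators, which is the "credentials are also on the machine" point in the reply. The fix is to delegate the specific rights the application needs to that account instead of group membership, then re-run the audit to confirm the flag is gone.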