Security Basics mailing list archives
Re: Threat vector of running a service using a domain account
From: James Fryman <james () frymanet com>
Date: Thu, 13 Sep 2007 07:58:27 -0500
Ali, Saqib wrote:
> I would like to understand the threat vector of using a "dedicated" Active Directory account to run a service. Here are some details:
>
> 1) This particular account will have domain admin privileges.
> 2) The account will NOT be used to perform interactive logon to the machines.
> 3) The password for the account will be stored in a safe-box.
>
> The brute-force attack risk is mitigated by the fact that the account will lock out after X number of unsuccessful attempts. Also, any attempt to use the account for interactive logon will show up in the audit logs.
>
> My questions:
>
> 1) Is the risk manageable?
> 2) Or should we completely avoid this application?
> 3) Is this kind of scenario common?
> 4) What other popular apps require such domain admin privileges for service accounts?
> 5) What other controls can we put in place to prevent misuse of the account?
>
> saqib
> http://security-basics.blogspot.com/
Some very good points have been made here already, but it seems as if the availability aspect has been overlooked. An important point to factor into your risk assessment here is your comment on brute-force attacks. If your application is using this domain account, and an attacker is attempting to brute-force the application, you will get your audit, but your application could possibly stop working.

Furthermore, it is entirely possible to limit the scope of Domain Admins by delving into the documents a little deeper to determine what it needs. If it needs client access, then create a group and have GPO populate that group to the various clients. Unless you need this application to manage AD in any way (users, computers, possibly schema depending on the design of AD), then delve a little deeper and create the necessary permissions required.

Furthermore, limit the scope of the account by denying local logon rights and terminal service rights via Group Policy.

Good luck!

-James

--
-------------
James Fryman
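An added example, not part of the original thread: a PowerShell audit script for a member server that checks whether the two deny-logon rights recommended above have actually landed on the service account, and lists the services that run under it (each one is where a lockout becomes an outage). It assumes a hypothetical account name `CORP\svc-app` and local administrator rights to run `secedit`.

```powershell
# Added example (not from the original thread). Audits a dedicated service account's
# exposure on one member server. $Account is a hypothetical name; change it to yours.
param(
    [string]$Account = 'CORP\svc-app'
)

# User-rights assignments in the exported policy are written as "*S-1-5-..." SIDs,
# so resolve the account name to its SID first (throws if the account is unknown).
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
           [System.Security.Principal.SecurityIdentifier]).Value

# Export the effective local security policy; user rights (including those applied
# by Group Policy) appear in the [Privilege Rights] section of the .inf file.
$cfg = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$policy = Get-Content $cfg

function Test-DenyRight {
    param([string]$Right)
    # Lines look like: SeDenyInteractiveLogonRight = *S-1-5-21-...,*S-1-5-32-546
    $line = $policy | Where-Object { $_ -match "^$Right\s*=" } | Select-Object -First 1
    if (-not $line) { return $false }   # right not assigned to anyone on this host
    $sids = ($line -split '=', 2)[1] -split ',' |
            ForEach-Object { $_.Trim().TrimStart('*') }
    return ($sids -contains $sid)
}

$checks = [ordered]@{
    'Deny log on locally (SeDenyInteractiveLogonRight)'                         = Test-DenyRight 'SeDenyInteractiveLogonRight'
    'Deny log on through Terminal Services (SeDenyRemoteInteractiveLogonRight)' = Test-DenyRight 'SeDenyRemoteInteractiveLogonRight'
}
foreach ($name in $checks.Keys) {
    $status = if ($checks[$name]) { 'OK' } else { 'MISSING' }
    '{0,-8} {1}' -f $status, $name
}

# Services configured to start as this account. A brute-force lockout of the account
# stops every one of these, which is the availability risk the reply points out.
Get-CimInstance Win32_Service |
    Where-Object { $_.StartName -and $_.StartName -ieq $Account } |
    Select-Object Name, State, StartMode, StartName

Remove-Item $cfg -ErrorAction SilentlyContinue
```

The `StartName` comparison only matches the `DOMAIN\user` spelling; if services were registered with a UPN (`user@domain`), extend the filter accordingly.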