Security Basics mailing list archives
Re: Threat vector of running a service using a domain account
From: "Jay" <jay.tomas () infosecguru com>
Date: Thu, 13 Sep 2007 13:33:59 -0400
One other thing to be cognizant of is the caching of the account and credentials locally. If a server does cache these credentials then these can be attacked independent of the AD and its underlying security controls.

Jay

----- Original Message -----
From: badz [mailto:smanaois3 () gmail com]
To: docbook.xml () gmail com, security-basics () securityfocus com
Sent: Fri, 14 Sep 2007 00:26:04 +0800
Subject: Re: Threat vector of running a service using a domain account

Hi Saqib,

Can you be more specific on the "administrative access" requirements of this account?

My two bits, using the account in the manner you have mentioned is rather risky; service accounts normally do not have password expiry and aging. You may want to check and play around with NTRights.exe, SC.exe and SUBINACL.exe when setting the account's privileges as per your requirements (starting services, registry modification, interactive logon rights, network access rights, etc.). I'm not sure if these can help but I normally use them when restricting service accounts on my machines.

HTH.

Salvador Manaois III

On 9/12/07, Ali, Saqib <docbook.xml () gmail com> wrote:
I can't reveal the name of the application, but it is a 3rd party non-MS application. The reason it puts itself in the Domain Admin group is that it needs administrative access to the client computers. And the Domain Admin group is part of the Local Administrator group on all client computers, so it works out nicely.

saqib
http://security-basics.blogspot.com/
--
Salvador Manaois III
smanaois3[at]gmail[dot]com
Linux Registered User 373124
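
An added example, not written by any poster in this thread: a PowerShell inventory of the services on a host that log on with a domain or local user account instead of a built-in identity, which are the accounts whose stored credentials and rights the messages above are concerned with. The function name, the `EXAMPLE\svc-agent` account and the sample rows are constructed, and the list of privileged accounts is an assumption supplied by whoever runs the audit.

```powershell
# Built-in service identities have no password stored for them on the host.
$BuiltIn = '^(LocalSystem|NT AUTHORITY\\.+|NT SERVICE\\.+)$'

function Get-ServiceAccountFinding {
    param(
        # Objects exposing Name, StartName and StartMode (as Win32_Service does).
        [Parameter(Mandatory)] [object[]] $Service,
        # Assumption: accounts the auditor already knows to be highly privileged,
        # for example members of Domain Admins.
        [string[]] $PrivilegedAccount = @()
    )
    foreach ($svc in $Service) {
        $account = $svc.StartName
        # Skip entries with no logon account and the built-in identities.
        if ([string]::IsNullOrEmpty($account) -or $account -match $BuiltIn) { continue }

        # ".\user" or "<hostname>\user" is a local account; anything else
        # (DOMAIN\user, user@domain) is treated as a domain account.
        $isLocal = ($account -like '.\*') -or ($account -like "$env:COMPUTERNAME\*")
        $kind = if ($isLocal) { 'Local' } else { 'Domain' }

        [pscustomobject]@{
            Service    = $svc.Name
            Account    = $account
            Kind       = $kind
            StartMode  = $svc.StartMode
            # -contains is case-insensitive, matching how Windows treats account names.
            Privileged = $PrivilegedAccount -contains $account
        }
    }
}

# Constructed sample rows so the example runs anywhere. On a real host use:
#   $services = Get-CimInstance -ClassName Win32_Service
$services = @(
    [pscustomobject]@{ Name = 'Spooler';   StartName = 'LocalSystem';               StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'W32Time';   StartName = 'NT AUTHORITY\LocalService'; StartMode = 'Manual' }
    [pscustomobject]@{ Name = 'AgentSvc';  StartName = 'EXAMPLE\svc-agent';         StartMode = 'Auto' }
    [pscustomobject]@{ Name = 'BackupSvc'; StartName = '.\backup';                  StartMode = 'Auto' }
)

Get-ServiceAccountFinding -Service $services -PrivilegedAccount 'EXAMPLE\svc-agent' |
    Format-Table -AutoSize
```

Rows with `Kind = Domain` and `Privileged = True` are the ones to move to a dedicated, least-privileged account first.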