Security Basics mailing list archives
RE: Threat vector of running a service using a domain account
From: "Ramsdell, Scott" <Scott.Ramsdell () cellnet com>
Date: Wed, 12 Sep 2007 09:43:36 -0400
Saqib,

AD will allow you to mitigate the risk by specifying that the account can only log in to the appropriate server(s). I assume you knew that, but it wasn't mentioned, so I'll throw it out there.

Each time I encountered a vendor that suggested their app required domain admin privs, they were wrong. They actually required admin privs on certain boxes (and that was debatable). So, I made it a habit to create a group named LocalAdminsServerX on the DC, and placed that group in ServerX's local admins group. When a service account required admin privs on a box, I'd drop it into the LocalAdmin group appropriate for the server(s) it needed admin access to. This prevented the account from doing what it needed to without being a domain admin. Of course, this won't work for services that need to run on a domain controller.

This solution also allows you to control local admins from AD, as you can monitor changes to the local admins group on your servers and alert if a change is made.

Likely, it would be possible to narrow down with the vendor what access/privs were actually required and grant appropriate permissions, rather than accept the default vendor response "it requires domain admin privs". If it isn't creating users, adding machines to the domain, managing AD, etc., then it doesn't require domain admin privs.

These suggestions mostly speak to your (5) below; as to your (3), "yes", it is very common for a vendor to not worry at all about their suggestion to you to grant their app full rights within your AD tree. After all, it makes it very easy for them.

Kind Regards,
Scott Ramsdell

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of Ali, Saqib
Sent: Sunday, September 09, 2007 10:44 PM
To: security-basics
Subject: Threat vector of running a service using a domain account

I would like to understand the threat vector of using a "dedicated" Active Directory account to run a service.

Here are some details:
1) This particular account will have domain admin privileges.
2) The account will NOT be used to perform interactive logon to the machines.
3) The password for the account will be stored in a safe-box.

The brute-force attack risk is mitigated by the fact that the account will lock out after X number of unsuccessful attempts. Also, any attempt to use the account for interactive logon will show up in the audit logs.

My questions:
1) Is the risk manageable?
2) Or should we completely avoid this application?
3) Is this kind of scenario common?
4) What other popular apps require such domain admin privileges for service accounts?
5) What other controls can we put in place to prevent misuse of the account?

saqib
http://security-basics.blogspot.com/
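The per-server admin group, logon restriction and local-admin monitoring described in Scott's reply, as an added PowerShell example that is not part of the original thread. It assumes the RSAT ActiveDirectory module on the admin host, the LocalAccounts module on the target (Windows Server 2016 or later), and hypothetical names: server SERVERX, service account svc-app, domain EXAMPLE.

```powershell
# Added example, not from the original post. Hypothetical names: SERVERX, svc-app, EXAMPLE.
Import-Module ActiveDirectory

$Server  = 'SERVERX'
$Account = 'svc-app'
$Group   = "LocalAdmins$Server"
$Domain  = 'EXAMPLE'

# 1. One domain group per server, kept in AD so membership is centrally managed and auditable.
if (-not (Get-ADGroup -Filter "Name -eq '$Group'")) {
    New-ADGroup -Name $Group -GroupScope Global -GroupCategory Security `
        -Description "Members are local Administrators on $Server only"
}

# 2. Grant admin rights on this box only: the service account joins the per-server group ...
Add-ADGroupMember -Identity $Group -Members $Account

# ... and that group (never the account, never Domain Admins) is nested into local Administrators.
Invoke-Command -ComputerName $Server -ScriptBlock {
    param($g)
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $g -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $g
    }
} -ArgumentList "$Domain\$Group"

# 3. Restrict where the account may authenticate at all ("Log On To" on the account object).
Set-ADUser -Identity $Account -LogonWorkstations $Server

# 4. Drift check: report anything in local Administrators beyond the expected members,
#    so a change made outside AD (a new local admin) can be alerted on.
function Test-LocalAdminDrift {
    param([string]$ComputerName, [string[]]$Expected)
    $actual = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        (Get-LocalGroupMember -Group 'Administrators').Name
    }
    $unexpected = @($actual | Where-Object { $_ -notin $Expected })
    if ($unexpected.Count -gt 0) {
        Write-Warning "Unexpected local admins on ${ComputerName}: $($unexpected -join ', ')"
    }
    return $unexpected
}

Test-LocalAdminDrift -ComputerName $Server -Expected @(
    "$Domain\Domain Admins", "$Server\Administrator", "$Domain\$Group"
)
```

Run the drift check on a schedule and feed its warnings to whatever alerting you already use; the expected list is the only thing that changes per server.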