Security Basics mailing list archives
Re: Threat vector of running a service using a domain account
From: "Ali, Saqib" <docbook.xml () gmail com>
Date: Wed, 12 Sep 2007 07:08:54 -0700
Scott, Thanks for the response.
AD will allow you to mitigate the risk by specifying that the account can only log in to the appropriate server(s). I assume you knew that, but it wasn't mentioned, so I'll throw it out there.
Actually, clients are the target of this particular service, not servers. The reason it puts itself in the Domain Admin group is that it needs administrative access to the client computers. And since the Domain Admin group is part of the Local Administrator group on all client computers, it works out nicely. Is there a way to specify that the account can only log in to client computers and not servers? Our last resort was to add the account to the Local Administrators group using GPOs, as you mentioned.
saqib
http://security-basics.blogspot.com/