Security Basics mailing list archives
Re: Threat vector of running a service using a domain account
From: jfvanmeter () comcast net
Date: Wed, 12 Sep 2007 14:53:48 +0000
Sure, what I normally do is place my denies at the domain level.... so I would edit the group policy that is linked to my domain. That way the service account is denied those user rights for my whole domain. to find the deny settings expand computer configuration, windows setting, security settings, local policy, user right assignments, scan down the list and you will see Deny access to this computer from the network Deny logon as a batch job Deney logon locally Deny logon through Terminal Services normally I deny access to this computer from the network, deny logon on locally and deny logon through terminal services. Take Care and Have Fun --John PS if you doing alot of work with gpo's you should check out http://www.gpoguy.com/ -------------- Original message ---------------------- From: "Ali, Saqib" <docbook.xml () gmail com>
Hello, On 9/12/07, jfvanmeter () comcast net <jfvanmeter () comcast net> wrote:Hello, service accounts are a great way to use less privelgee, so yes I thinkthe resk is managable. I would also add deny log on terminal services, and if its not running as a batch job I would also deny that user right. I would also make the password random and at least 24 charactors. Can you please explain how I can deny TS logon and batch job. Thanks saqib http://security-basics.blogspot.com/
Current thread:
- RE: Threat vector of running a service using a domain account, (continued)
- RE: Threat vector of running a service using a domain account Jesse Eaton (Sep 12)
- Re: Threat vector of running a service using a domain account Kurt Buff (Sep 12)
- Re: Threat vector of running a service using a domain account badz (Sep 13)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 12)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- Re: Threat vector of running a service using a domain account gjgowey (Sep 13)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- Re: Threat vector of running a service using a domain account James Fryman (Sep 13)
- Re: Threat vector of running a service using a domain account jfvanmeter (Sep 12)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 12)
- Re: RE: Threat vector of running a service using a domain account levinson_k (Sep 12)
- Re: Threat vector of running a service using a domain account jfvanmeter (Sep 12)
- Re: Re: Threat vector of running a service using a domain account levinson_k (Sep 12)
- Re: Threat vector of running a service using a domain account Jay (Sep 13)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 13)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 14)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- RE: Threat vector of running a service using a domain account Roger A. Grimes (Sep 18)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 13)
- RE: Threat vector of running a service using a domain account Ramsdell, Scott (Sep 14)
- Re: Threat vector of running a service using a domain account Ali, Saqib (Sep 14)