Security Basics mailing list archives
Securing Service Accounts - Good Practices
From: "David Tobias" <DTobias () Keenan com>
Date: Wed, 24 Sep 2008 08:43:29 -0700
I'm interested in obtaining some information, either from users' personal recommendations or from authorized sources, on the subject in regards to what are the good practices for creating, managing, and securing service accounts created in Active Directory.

I will give you a scenario that I have gotten involved in: I have been working with a company now for a few years, mostly in a helpdesk style support role, but have worked my way up within the company in helping with certain responsibilities pertaining to security, which I enjoy.

Getting back to the question at hand, it would appear that previous administrators with the company, when being handed the task of creating service accounts for several of our applications and appliances, decided to take the easy route (of course, also the most insecure) and assign domain admin privileges to most of these accounts. Needless to say, when I learned of this, I was pretty shocked as to why these accounts would be granted such elevated privileges and have unfiltered access to Active Directory to perform a role that was not in need of such rights.

We have been tasked with limiting our domain admin group to only specific infrastructure individuals who need it and removing the service accounts from this group. The problem we are foreseeing is that once we remove the service accounts from full access privileges, we are expecting several routines that they were performing to fail.

The grand question here is: what are the best practices/guidelines when encountering this type of solution? Do we remove each service account, one by one, waiting to see what, if anything, fails and then decide how to give rights to that account? What about in the future, when creating and securing new accounts... what are the best guidelines and practices to go by?

Thanks
-Dave