Security Basics mailing list archives
RE: Securing Service Accounts - Good Practices
From: "Sheldon Malm" <smalm () ncircle com>
Date: Wed, 24 Sep 2008 14:51:41 -0700
There are a few things that you can/should do:

- deny local logon if your system will still perform as designed without that option. There is no need to log on to a box from the keyboard with a generic service account - it should be used exclusively by the system.
- complex passwords and segregated custodial control of the password are encouraged.
- regular audit of service accounts, permissions, and assigned executive risk ownership

Much of the rest is specific to your environment.

Sheldon Malm
Director Security Research and Development
nCircle Network Security
http://blog.ncircle.com

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com] On Behalf Of J. Oquendo
Sent: Wednesday, September 24, 2008 12:01 PM
To: David Tobias
Cc: security-basics () securityfocus com
Subject: Re: Securing Service Accounts - Good Practices

On Wed, 24 Sep 2008, David Tobias wrote:
The grand question here is what are the best practices/guidelines when encountering this type of solution. Do we remove each service account, one by one, waiting to see what, if anything, fails and then decide how to give rights to that account? What about in the future, when creating and securing new accounts... what are the best guidelines and practices to go by?
Sort of a difficult question to respond to, provided no one knows what the environment you're working in is. There could be limitations to what some will send you in regards to best practices and guidelines for their industry. E.g., are you in an environment where information has to be highly compartmentalized?

I suggest beginning by getting in touch with your CISO, CSO and having an assessment and analysis done. You're missing a large scope in regards to INFORMATION security - don't let the technological part confuse you. There can be a large consequence, not to mention financial risk, of "waiting to see what fails".

http://technet.microsoft.com/en-us/library/cc773365.aspx

An analysis and BIA will identify what needs to be done in the best fashion from the business side of things first, where the risks are weighed and decisions would be made to promote a healthier, more secure and robust solution.

My two cents.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP

"A good district attorney can indict a ham sandwich if he wants to ... The accusations harm as much as the convictions ... they're obviously harmful or it wouldn't be news.." - John Carter

wget -qO - www.infiltrated.net/sig|perl
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB
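An added example, not part of the thread, showing one way to carry out the "regular audit of service accounts" and "deny local logon" checks from Sheldon's reply on a Windows host. It assumes an elevated PowerShell session (secedit needs it to export the local policy); the function name Get-ServiceAccountAudit is my own, and the builtin-account list and name matching are assumptions that may need adjusting for accounts written as ".\user" versus "MACHINE\user".

```powershell
# Audit which services run under named (non-builtin) accounts and whether each
# such account is listed in SeDenyInteractiveLogonRight ("Deny log on locally").
function Get-ServiceAccountAudit {
    # Builtin identities that are expected to run services (assumed list).
    $builtin = @('LocalSystem',
                 'NT AUTHORITY\LocalService', 'NT AUTHORITY\LOCAL SERVICE',
                 'NT AUTHORITY\NetworkService', 'NT AUTHORITY\NETWORK SERVICE')

    # Export the local security policy; the [Privilege Rights] section holds
    # user-right assignments as comma-separated SIDs prefixed with '*'.
    $inf = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $inf | Out-Null
    $denyLine = Get-Content $inf | Where-Object { $_ -match '^SeDenyInteractiveLogonRight\s*=' }
    Remove-Item $inf -ErrorAction SilentlyContinue

    # Resolve each denied SID to DOMAIN\name so it can be compared to StartName.
    $denied = @()
    if ($denyLine) {
        $denied = ($denyLine -split '=', 2)[1].Trim() -split ',' | ForEach-Object {
            $entry = $_.Trim()
            if ($entry.StartsWith('*')) {
                try {
                    (New-Object System.Security.Principal.SecurityIdentifier($entry.Substring(1))
                    ).Translate([System.Security.Principal.NTAccount]).Value
                } catch { $entry }   # unresolvable SID (e.g. deleted account): keep raw
            } else { $entry }
        }
    }

    # One row per service that runs under a named account.
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
        ForEach-Object {
            [pscustomobject]@{
                Service          = $_.Name
                Account          = $_.StartName
                State            = $_.State
                StartMode        = $_.StartMode
                DeniedLocalLogon = ($denied -contains $_.StartName)
            }
        } | Sort-Object Account, Service
}

# Rows with DeniedLocalLogon = False are service accounts that can still log on
# at the keyboard and are candidates for the "deny local logon" recommendation.
Get-ServiceAccountAudit | Format-Table -AutoSize
```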