RE: Local Account Vs Domain Account

From: Petta, Tony (Tony.Petta_at_usa.xerox.com)
Date: 01/20/04

    Date: Tue, 20 Jan 2004 13:42:15 -0500
    To: "'Leon, Mauricio (Toronto)'" <Mauricio.Leon@WatsonWyatt.com>, "'focus-ms@securityfocus.com'" <focus-ms@securityfocus.com>
    
    

    If the component or application only runs on one machine, there may be an
    advantage to using a local account rather than a domain account from a
    performance standpoint. A local account is authenticated by the security
    database on that machine, not on a domain controller which may not be the
    same machine.

    From a security standpoint, the answer depends on the security of the domain
    and its structure versus the security of the local machine. A local machine
    can be locked up physically and logically hardened much more than a domain
    controller which may need to be used by many individuals and thus needs to
    be accessed over the network by many. Even though a domain controller can
    also be physically locked up, evildoers will seek them out much more often
    than a local machine, whose location and address may possibly be kept more
    private.

    Of course if many people are using the application, leaving authentication
    to only the local machine may cause problems which can be resolved by a
    domain account, which can be authenticated over several controllers to
    balance workload.

    Encryption of account information (password) and authentication traffic will
    more likely be able to be strong on a local machine than a domain controller
    which may have to accept less encrypted traffic, too.

    I'm sure others will contribute more to your question, but the answer is
    like many other security questions, it all depends on your circumstances and
    risk you need to accept/mitigate.

    Tony Petta, CISSP, MCSE, CNA
    EDS/Xerox Global Information Assurance

    -----Original Message-----
    From: Leon, Mauricio (Toronto) [mailto:Mauricio.Leon@WatsonWyatt.com]
    Sent: Tuesday, January 20, 2004 10:00 AM
    To: focus-ms@securityfocus.com
    Subject: Local Account Vs Domain Account

    If you have to install a component or an application that runs using an
    account, what are the disadvantages/risks (from security standpoint) of
    using a Domain Account instead of a Local Account and vice versa?

    Mauricio
