Re: Local Account Vs Domain Account

From: Tod Beardsley (todb_at_planb-security.net)
Date: 01/21/04

    To: focus-ms@securityfocus.com
    Date: Wed, 21 Jan 2004 09:38:59 -0600
    
    

    Matthew Wagenknecht wrote:
    > Passwords are stored in the registry for accounts that are used for
    > services. You can easily pull them out locally on the machine with
    > LSAdump, etc

    This is, imo, /the/ reason to avoid using powerful domain accounts to
    run local services/applications.

    Matthew also warns:

    > As a side note, do not make the local account part of the
    > Administrators group. This will make remote attacks more difficult.

    Pretty standard advice, and limiting the account to non-Administrator
    levels will limit what an attacker can do once he's compromised the
    application or account. But in reality, many vendors/developers still
    recommend or require the local account be a local administrator.

    At any rate, the attacker needs to be System to read the LSA Secrets
    key. By this point, you've already lost control of the local machine,
    and he's got a more powerful account than the one running your service.

    On the other hand, domain accounts can have advantages; namely, central
    management and auditing. You can also restrict the domain account to be
    able to log in only to the local machine via the user properties, which
    will limit the reach of the attacker should he compromise only this
    account. Others have mentioned restricting the logon types, too, which
    is a good practice.

    In the end, it all depends on how you administer your enterprise. If you
    don't have a significant AD infrastructure and centralized management
    with interesting security policies, then local is probably the way to
    go. If you have 1000s of machines and you read your domain event logs
    routinely for signs of compromise, then domain credentials may be a
    better choice.

    -- 
    "It's okay to yell 'fire' in a crowded theater
    if the theater is actually on fire."
    Tod Beardsley | www.planb-security.net
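The restriction-and-audit advice in the message above (let a domain service account log on only to the machine that runs the service, only with the Service logon type, and then read the domain event logs routinely for anything else) can be checked mechanically. The following is an added example, not part of Tod's message or of the original thread. It assumes a constructed key=value export of Windows Security event 4624 logon records (logon type 5 = Service, 3 = Network, 10 = RemoteInteractive) and a hypothetical policy table for two made-up accounts, CORP\svc_backup and CORP\svc_web; the parser, policy format and sample lines are assumptions for illustration, not a product's format.

```python
"""Flag service-account logons that violate a per-account policy.

Added example, not from the original post. Models the advice in the
thread that a domain service account should be allowed to log on only
to the host(s) that run the service, and only with the Service logon
type, and that the domain logs should be reviewed for anything else.
The log lines and policy below are constructed for illustration.
"""
from dataclasses import dataclass

# Windows Security event 4624 logon types (subset, for readable output).
LOGON_TYPE_NAMES = {2: "Interactive", 3: "Network", 4: "Batch",
                    5: "Service", 7: "Unlock", 8: "NetworkCleartext",
                    9: "NewCredentials", 10: "RemoteInteractive",
                    11: "CachedInteractive"}


@dataclass(frozen=True)
class Policy:
    workstations: frozenset  # hosts the account may log on to
    logon_types: frozenset   # 4624 logon types the account may use


# Hypothetical policy table (assumption): svc_backup runs on SRV01 only,
# svc_web on the two web front ends; both only as a service (type 5).
POLICY = {
    "CORP\\svc_backup": Policy(frozenset({"SRV01"}), frozenset({5})),
    "CORP\\svc_web": Policy(frozenset({"WEB01", "WEB02"}), frozenset({5})),
}

# Constructed sample export, one 4624/4634 record per line, key=value.
SAMPLE_LOG = """\
EventID=4624 Account=CORP\\svc_backup Workstation=SRV01 LogonType=5 SourceIP=-
EventID=4624 Account=CORP\\svc_backup Workstation=WS117 LogonType=10 SourceIP=10.0.5.23
EventID=4624 Account=CORP\\svc_web Workstation=DC01 LogonType=3 SourceIP=10.0.1.7
EventID=4624 Account=CORP\\jsmith Workstation=WS117 LogonType=2 SourceIP=-
EventID=4634 Account=CORP\\svc_backup Workstation=SRV01 LogonType=5 SourceIP=-
"""


def parse_line(line):
    """Parse one key=value record into a dict with typed fields."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return {"event_id": int(fields["EventID"]),
            "account": fields["Account"],
            "workstation": fields["Workstation"],
            "logon_type": int(fields["LogonType"]),
            "source_ip": fields["SourceIP"]}


def parse_log(text):
    """Parse every non-empty line of the export."""
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def check_event(event, policy=POLICY):
    """Return the list of policy violations for one record (empty if clean).

    Only successful logons (4624) of accounts present in the policy table
    are judged; everything else is out of scope for this check.
    """
    if event["event_id"] != 4624:
        return []
    pol = policy.get(event["account"])
    if pol is None:
        return []
    problems = []
    if event["workstation"] not in pol.workstations:
        problems.append("logon to unexpected host %s from %s"
                        % (event["workstation"], event["source_ip"]))
    if event["logon_type"] not in pol.logon_types:
        name = LOGON_TYPE_NAMES.get(event["logon_type"],
                                    str(event["logon_type"]))
        problems.append("unexpected logon type %d (%s)"
                        % (event["logon_type"], name))
    return problems


def audit(events, policy=POLICY):
    """Return [(account, workstation, [violations])] for offending logons."""
    findings = []
    for ev in events:
        problems = check_event(ev, policy)
        if problems:
            findings.append((ev["account"], ev["workstation"], problems))
    return findings


if __name__ == "__main__":
    for account, host, problems in audit(parse_log(SAMPLE_LOG)):
        print("%s on %s: %s" % (account, host, "; ".join(problems)))
```

On the sample data the service logon of svc_backup on SRV01 passes, while the RemoteInteractive logon of the same account on WS117 and the network logon of svc_web to DC01 are both reported: exactly the pattern Tod describes, a service credential recovered from one box being reused elsewhere. Enforcing the same policy at the directory (the "Log On To" workstation list and the logon-right assignments the thread mentions) makes the logon fail instead of merely being logged; this check is the audit side.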
    
