RE: Service Password
From: k levinson (levinson_k_at_yahoo.com)
Date: 07/11/05
- Previous message: John Madden: "Service Password"
- Maybe in reply to: John Madden: "Service Password"
- Next in thread: Augusto Paes de Barros: "Re: Service Password"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 11 Jul 2005 09:57:46 -0700 (PDT) To: focus-ms@securityfocus.com
> -----Original Message-----
> From: John Madden [mailto:chiwawa999@yahoo.com]
>
> I have a few concerns about windows service
password.
> Some services our client uses utilized Domain Admin
> accounts. The servers are Windows 2003.
>
> Is it something similar to "Cache Credentials" ?
Were are they located ?
Allow me to suggest that the location of the
credentials is NOT the security problem I would worry
about here. Because anyone that can retrieve the
services account has already compromised the box and
can retrieve those or other authentication credentials
or useful information by sniffing, by attacking the
SAM, etc. etc.
The security problem is that service accounts should
almost never be Domain Admins. Are those services
creating new Windows domain accounts? Or doing
Windows domain account administration? Probably not.
That's pretty much the only legitimate reason for
making an account a domain admin.
If that service needs to be able to authenticate with
other systems, it's going to need a service account.
Whether that account is local or domain does not
matter all that much. Using a domain account for a
service account can be good security, however, because
it helps you centrally manage that account and
password more easily, including changing the password
from time to time.
There are many good reasons for justifying making a
service account a domain account. There are way fewer
reasons justifying making a service account a Domain
Admin account. So, I would recommend looking at the
permissions and not how and where the credentials are
cached.
The reason why many programs and services are given
local or domain admin privileges is pure sloppiness,
laziness, lack of education or lack of good
documentation from the vendor. I would definitely
challenge the need for the service to be domain admin
- ask for a good specific reason. Ask the vendor or
programmer to give you a documented configuration that
does not require admin rights. Or, if necessary, run
tools like filemon, regmon and maybe process explorer,
all free from www.sysinternals.com, while running the
service as a normal user to determine what rights are
lacking, and then grant those rights.
If you still really want to know where the credentials
are cached, www.google.com should tell you.
__________________________________
Yahoo! Mail
Stay connected, organized, and protected. Take the tour:
http://tour.mail.yahoo.com/mailtour.html
---------------------------------------------------------------------------
---------------------------------------------------------------------------
- Previous message: John Madden: "Service Password"
- Maybe in reply to: John Madden: "Service Password"
- Next in thread: Augusto Paes de Barros: "Re: Service Password"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
