Re: Threat vector of running a service using a domain account
- From: jfvanmeter@xxxxxxxxxxx
- Date: Wed, 12 Sep 2007 14:53:48 +0000
Sure, what I normally do is place my denies at the domain level.... so I would edit the group policy that is linked to my domain. That way the service account is denied those user rights for my whole domain.
To find the deny settings, expand Computer Configuration, Windows Settings, Security Settings, Local Policies, User Rights Assignment; scan down the list and you will see:
Deny access to this computer from the network
Deny logon as a batch job
Deny logon locally
Deny logon through Terminal Services
Normally I deny access to this computer from the network, deny logon locally and deny logon through Terminal Services.
Take Care and Have Fun --John
PS: if you're doing a lot of work with GPOs, you should check out http://www.gpoguy.com/
-------------- Original message ----------------------
From: "Ali, Saqib" <docbook.xml@xxxxxxxxx>
Hello,
On 9/12/07, jfvanmeter@xxxxxxxxxxx <jfvanmeter@xxxxxxxxxxx> wrote:
Hello, service accounts are a great way to use less privilege, so yes, I think the risk is manageable. I would also add deny log on terminal services, and if it's not running as a batch job I would also deny that user right. I would also make the password random and at least 24 characters.
Can you please explain how I can deny TS logon and batch job.
Thanks
saqib
http://security-basics.blogspot.com/
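A way to confirm the denies discussed in this thread actually reached a given server, as an added example that is not part of the original messages: it parses the `[Privilege Rights]` section of a `secedit /export /cfg rights.inf /areas USER_RIGHTS` export and reports which deny rights do not list the service account. The SID, the sample export and the function names are constructed for illustration.

```python
import configparser

# Constants behind the four policy names listed in the message above.
DENY_RIGHTS = {
    "SeDenyNetworkLogonRight": "Deny access to this computer from the network",
    "SeDenyBatchLogonRight": "Deny logon as a batch job",
    "SeDenyInteractiveLogonRight": "Deny logon locally",
    "SeDenyRemoteInteractiveLogonRight": "Deny logon through Terminal Services",
}

# Constructed values: the SID and the export below are made up for this example.
SAMPLE_SID = "S-1-5-21-1111111111-2222222222-3333333333-1105"
SAMPLE_INF = f"""[Unicode]
Unicode=yes
[Privilege Rights]
SeNetworkLogonRight = *S-1-1-0,*S-1-5-32-544
SeServiceLogonRight = *{SAMPLE_SID}
SeDenyNetworkLogonRight = *{SAMPLE_SID},Guest
SeDenyInteractiveLogonRight = *{SAMPLE_SID}
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(inf_text):
    """Return {right: set of lower-cased principals} from the export text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep the case of the Se* right names
    cp.read_string(inf_text)
    if not cp.has_section("Privilege Rights"):
        return {}
    return {right: {p.strip().lower() for p in value.split(",") if p.strip()}
            for right, value in cp.items("Privilege Rights")}

def missing_denies(inf_text, sid, names=(), required=DENY_RIGHTS):
    """List the required deny rights that do not name the account.

    Exports can list a principal as *SID or as a plain account name,
    so both forms are matched.
    """
    rights = parse_privilege_rights(inf_text)
    wanted = {("*" + sid).lower()} | {n.lower() for n in names}
    return [r for r in required if not wanted & rights.get(r, set())]

if __name__ == "__main__":
    # On a real host, read the export with open(path, encoding="utf-16").
    for right in missing_denies(SAMPLE_INF, SAMPLE_SID):
        print(f"MISSING: {DENY_RIGHTS[right]} ({right})")
```

Pass a shorter `required` list when the account legitimately runs batch jobs and that deny is intentionally left off.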