Re: Threat vector of running a service using a domain account



One other thing to be cognizant of is the caching of the account and credentials locally.

If a server does cache these credentials, then they can be attacked independent of AD and its underlying security controls.

Jay

----- Original Message -----
From: badz [mailto:smanaois3@xxxxxxxxx]
To: docbook.xml@xxxxxxxxx,security-basics@xxxxxxxxxxxxxxxxx
Sent: Fri, 14 Sep 2007 00:26:04 +0800
Subject: Re: Threat vector of running a service using a domain account

Hi Saqib,

Can you be more specific on the "administrative access" requirements
of this account? My two bits, using the account in the manner you have
mentioned is rather risky; service accounts normally do not have
password expiry and aging.

You may want to check and play around with NTRights.exe, SC.exe and
SUBINACL.exe when setting the account's privileges as per your
requirements (starting services, registry modification, interactive
logon rights, network access rights, etc.). I'm not sure if these can
help but I normally use them when restricting service accounts on my
machines.

HTH.

Salvador Manaois III

On 9/12/07, Ali, Saqib <docbook.xml@xxxxxxxxx> wrote:
I can't reveal the name of the application, but it is 3rd party non-MS
application.

The reason it puts itself in the Domain Admins group is that it needs
administrative access to the client computers. And since the Domain Admins
group is part of the local Administrators group on all client computers, it
works out nicely.

saqib
http://security-basics.blogspot.com/



--
Salvador Manaois III

smanaois3[at]gmail[dot]com
Linux Registered User 373124
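Added example for the thread above (not code from any of the posters): a PowerShell script that does what Salvador suggests and checks what Jay warns about. It lists the services on the local host that run under domain accounts and flags any whose account is a member of Domain Admins, reads the CachedLogonsCount setting that governs local caching of domain logons, and wraps the sc.exe / ntrights.exe restriction steps in a function. It assumes the ActiveDirectory RSAT module is installed, that it runs elevated on a domain-joined server, and that ntrights.exe (a Resource Kit tool, not part of the OS) is on the path. The service name 'ThirdPartyAgent' and account 'CORP\svc-agent' are hypothetical placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original thread. Assumes the ActiveDirectory RSAT
# module is installed and the script runs elevated on a domain-joined server.
# Service and account names used with Set-ServiceLeastPrivilege are hypothetical.
Import-Module ActiveDirectory

$dnsDomain    = (Get-CimInstance Win32_ComputerSystem).Domain
$netbiosName  = (Get-ADDomain).NetBIOSName
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Select-Object -ExpandProperty SamAccountName

# Built-in identities are not domain accounts and need no further inspection.
$builtin = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')

function Get-DomainServiceAccountReport {
    Get-CimInstance Win32_Service |
        Where-Object { $_.StartName -and ($builtin -notcontains $_.StartName) } |
        ForEach-Object {
            $acct = $_.StartName
            # Normalise DOMAIN\user, user@domain.tld and .\user to (domain, user).
            if ($acct -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
                $dom = $Matches.dom; $user = $Matches.user
            } elseif ($acct -match '^(?<user>[^@]+)@(?<dom>.+)$') {
                $dom = $Matches.dom; $user = $Matches.user
            } else {
                $dom = $env:COMPUTERNAME; $user = $acct
            }
            $isDomain = $dom -in @($netbiosName, $dnsDomain)
            [pscustomobject]@{
                Service       = $_.Name
                Account       = $acct
                DomainAccount = $isDomain
                DomainAdmin   = $isDomain -and ($domainAdmins -contains $user)
                StartMode     = $_.StartMode
            }
        }
}

Get-DomainServiceAccountReport | Format-Table -AutoSize

# Jay's point about local caching. CachedLogonsCount (a REG_SZ, default "10")
# is how many interactive domain logons Windows keeps cached verifiers for.
# Separately, the password of any account a service runs under is stored in
# LSA secrets on this host. Both are readable by a local administrator, so the
# service account is only as safe as the least-trusted box that runs the service.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$cached = (Get-ItemProperty -Path $winlogon -Name CachedLogonsCount -ErrorAction SilentlyContinue).CachedLogonsCount
"CachedLogonsCount = $cached"

# Salvador's restriction step with the tools he names. Not invoked above: call
# it once a dedicated, non-Domain-Admin account exists for the service.
# ntrights.exe ships in the Windows Server 2003 Resource Kit Tools; sc.exe is
# built in (use the .exe suffix, since 'sc' is a PowerShell alias for Set-Content).
function Set-ServiceLeastPrivilege {
    param(
        [Parameter(Mandatory)] [string] $ServiceName,   # e.g. 'ThirdPartyAgent' (hypothetical)
        [Parameter(Mandatory)] [string] $Account,       # e.g. 'CORP\svc-agent' (hypothetical)
        [Parameter(Mandatory)] [string] $Password
    )
    # Point the service at the dedicated account; sc.exe requires the space after '='.
    sc.exe config $ServiceName obj= $Account password= $Password
    # Grant only "log on as a service"; remove interactive and Remote Desktop logon.
    ntrights.exe -u $Account '+r' SeServiceLogonRight
    ntrights.exe -u $Account '-r' SeInteractiveLogonRight
    ntrights.exe -u $Account '-r' SeRemoteInteractiveLogonRight
    # Show the resulting service configuration.
    sc.exe qc $ServiceName
}
```

Usage note: run the report first on every server hosting the application; any row with DomainAdmin = True is the case Saqib describes. If the application genuinely needs local admin on the client computers, a Group Policy Restricted Groups entry that adds the dedicated service account to the clients' local Administrators group gives it that without putting it in Domain Admins.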


