RE: Securing Service Accounts - Good Practices



There are a few things that you can/should do:
- deny local logon if your system will still perform as designed without that option. There is no need to log on to a box from the keyboard with a generic service account - it should be used exclusively by the system.
- complex passwords and segregated custodial control of the password are encouraged.
- regular audit of service accounts, permissions, and assigned executive risk ownership

Much of the rest is specific to your environment.


Sheldon Malm
Director
Security Research and Development
nCircle Network Security

http://blog.ncircle.com

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of J. Oquendo
Sent: Wednesday, September 24, 2008 12:01 PM
To: David Tobias
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Securing Service Accounts - Good Practices

On Wed, 24 Sep 2008, David Tobias wrote:

The grand question here is what is the best practices/guidelines when
encountering this type of solution. Do we remove each service account,
one by one, waiting to see what, if anything, fails and then decide how
to give rights to that account? What about in the future, when creating
and securing new accounts...what are the best guidelines and practices
to go by?

Sort of a difficult question to answer respond to provided
no one know what the environment you're working at is. There
could be limitations to what some will send you in regards
to best practices and guidelines for their industry. E.g.,
are you in an environment where information has to be highly
compartmentalized?

I suggest beginning by getting in touch with your CISO, CSO
and having an assessment and analysis done. You're missing
a large scope in regards to INFORMATION security - don't
let the technological part confuse you. There can be a
large consequence not to mention financial risk of
"waiting to see what fails".

http://technet.microsoft.com/en-us/library/cc773365.aspx

An analysis and BIA will identify what needs to be done
in the best fashion from the business side of things first
where the risks are weighed and decisions would be made to
promote a healthier more secure and robust solution. My
two cents.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
J. Oquendo
SGFA, SGFE, CNDA, CHFI, OSCP

"A good district attorney can indict a ham sandwich
if he wants to ... The accusations harm as much as
the convictions ... they're obviously harmful or it
wouldn't be news.." - John Carter

wget -qO - www.infiltrated.net/sig|perl

http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x3AC173DB