RE: Securing Service Accounts - Good Practices

There are a few things that you can/should do:
- deny local logon if your system will still perform as designed without that option. There is no need to log on to a box from the keyboard with a generic service account - it should be used exclusively by the system.
- complex passwords and segregated custodial control of the password are encouraged.
- regular audit of service accounts, permissions, and assigned executive risk ownership

Much of the rest is specific to your environment.

Sheldon Malm
Security Research and Development
nCircle Network Security

-----Original Message-----
From: listbounce@xxxxxxxxxxxxxxxxx [mailto:listbounce@xxxxxxxxxxxxxxxxx] On Behalf Of J. Oquendo
Sent: Wednesday, September 24, 2008 12:01 PM
To: David Tobias
Cc: security-basics@xxxxxxxxxxxxxxxxx
Subject: Re: Securing Service Accounts - Good Practices

On Wed, 24 Sep 2008, David Tobias wrote:

The grand question here is what is the best practices/guidelines when
encountering this type of solution. Do we remove each service account,
one by one, waiting to see what, if anything, fails and then decide how
to give rights to that account? What about in the future, when creating
and securing new accounts...what are the best guidelines and practices
to go by?

Sort of a difficult question to answer respond to provided
no one know what the environment you're working at is. There
could be limitations to what some will send you in regards
to best practices and guidelines for their industry. E.g.,
are you in an environment where information has to be highly

I suggest beginning by getting in touch with your CISO, CSO
and having an assessment and analysis done. You're missing
a large scope in regards to INFORMATION security - don't
let the technological part confuse you. There can be a
large consequence not to mention financial risk of
"waiting to see what fails".

An analysis and BIA will identify what needs to be done
in the best fashion from the business side of things first
where the risks are weighed and decisions would be made to
promote a healthier more secure and robust solution. My
two cents.

J. Oquendo

"A good district attorney can indict a ham sandwich
if he wants to ... The accusations harm as much as
the convictions ... they're obviously harmful or it
wouldn't be news.." - John Carter

wget -qO -|perl

Relevant Pages

  • Re: [Full-Disclosure] DCOM RPC exploit (dcom.c)
    ... ** The r00t of the problem is a failure to follow best practices from ... > server; security HAS to come second to that. ... > As for how many are protected - not enough, which is again a cost issue. ...
  • Its not personal (Was: Re: APACHE$PRIVILEDGED)
    ... As it is a very useful example of UWSS ... Some background on security and privileged application code... ... With OpenVMS constructs including device drivers (or drivers an ... environment -- most anything. ...
    ... The primary security on OpenVMS and on most other multi-processing operating systems is implemented via the memory management system and via what VAX calls the change-mode routines, via the Alpha SRM PALcode change-mode equivalent, or via what the IA-32 and IA-32e architectures refer to as the call gate. ... With OpenVMS constructs including device drivers )and user-written system services (UWSS; also known as privileged shareable images), these constructs operate in inner processor modes. ... One of the more hazardous situations for system security is a mixed environment; where there are resources shared between trusted and untrusted environments. ... Not only will the operation that requires privileges now be permitted, but other and potentially unintended operations can also be permitted. ...
  • Re: Access Control Best Practices for shared hosting seem at odds with Web Site Starters
    ... The practical implementation of security measures is an exercise for the ... reader -- but best practices is not. ... With respect to DotNetNuke and the Community Server, yes, these are not ... > permissions because the app requires it or I use an Access database. ...
  • RE: IDSIPS that can handle one Gig
    ... the need for IPS ... I hear this every now and then from security people, ... I have yet to see an environment (and I am a consultant so I see ... single Microsoft Windows patch. ...