Re: Securing Service Accounts - Good Practices
- From: "Chris Barber" <cmbarber@xxxxxxxxx>
- Date: Tue, 30 Sep 2008 13:25:43 -0700
h) Name your service accounts descriptively. Make sure the actual
logon reflects something about what it is used for. In my company we
name things kinda like PRSVCWEBIISMailSend. This tells me it is
production, a service account, part of the web application, and is
likely the IIS SMTP account. This is just a fictional example, but
does stay very descriptive.
This is just my humble opinion, but in the past I have always asked
that service accounts be named just like any other user account on the
system, just with a semi-descriptive fictional name.
User Names - fred.jones, sam.templeton, peter.parker
Admin Names - jesse.henderson, mike.rodriguez, paula.samson
Service Names - randy.oracle, beth.mcmail, thomas.webster
Additional documenation would then go in the description field and
other offline documentation.
If the account database were ever enumerated from the top the service
accounts would blend in with all of the rest. If the service account,
along with any other account all look the same to an outsider (of the
IT Staff) then there is no obvious account to single out and attack.
Documentation is very key, and should remain offline or encrypted, or both.
This is just my 2 cents worth.
- Prev by Date: Terminal services
- Next by Date: Re: Open Source Web Content/URL Filter
- Previous by thread: Terminal services
- Next by thread: Re: Re: Securing Service Accounts - Good Practices