Re: Service accounts best practices

From: Ferdie (ferdie_at_sane.rr.com)
Date: 06/16/05


Date: Wed, 15 Jun 2005 21:09:32 -0700

Agreed.

I'm going to yank their DA privileges, and create a new account such as
DA-username. But, I want to be fully ejumacated about giving them the needs
that they want vs. best practices.

"Karl Levinson, mvp" <levinson_k@despammed.com> wrote in message
news:env5n$gcFHA.2124@TK2MSFTNGP14.phx.gbl...
> They are mistaken. No service account requires local admin or domain admin
> privileges, unless possibly the account is intended to create, access or
> otherwise manage accounts. That's what domain admins are for. I would want
> to know exactly what it is the accounts or services need to do that requires
> domain admin privileges.
>
> Usually people, programmers or software companies claim that administrator
> privileges are required when all that is really needed is some file or
> registry permissions added to a normal user account.
>
>
> "Ferdie" <ferdie@sand.rr.com> wrote in message
> news:u1%23FADgcFHA.456@TK2MSFTNGP09.phx.gbl...
>> Can someone point me to a guide to securing service accounts? I have some
>> accounts that require Domain Admin rights (or so they say), but don't need
>> to log on locally. I'd like to remove that right, so that they don't use it
>> to bypass the logical access control. There might be some other issues that
>> come up, so I might need a guide.
>>
>> Thanks,
>> Ferdie
>>
>>
>
>
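
As an added example that is not part of the original thread: one way to check the logon rights discussed above is to parse the `[Privilege Rights]` section of a `secedit /export /cfg <file> /areas USER_RIGHTS` export and confirm each service account holds "Log on as a service" and "Deny log on locally" without a direct "Allow log on locally" grant. The account names (`svc-backup`, `svc-sql`) and the sample export are constructed; it assumes the export has already been decoded to text and lists accounts by name rather than SID.

```python
# Added example: audit user-rights assignments for service accounts.
# SAMPLE_EXPORT and the svc-* account names are constructed for illustration.
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[Privilege Rights]
SeServiceLogonRight = *S-1-5-20,svc-backup,svc-sql
SeInteractiveLogonRight = *S-1-5-32-544,svc-backup
SeDenyInteractiveLogonRight = svc-sql
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
"""

def parse_privilege_rights(text):
    """Return {right: set of lower-cased principals} from [Privilege Rights] only."""
    rights, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
            continue
        if not in_section or "=" not in line:
            continue
        name, _, value = line.partition("=")
        rights[name.strip()] = {p.strip().lower() for p in value.split(",") if p.strip()}
    return rights

def audit_service_accounts(rights, accounts):
    """Return {account: [issues]}; an empty list means the account passed all checks."""
    findings = {}
    for acct in accounts:
        key, issues = acct.lower(), []
        if key not in rights.get("SeServiceLogonRight", set()):
            issues.append("missing SeServiceLogonRight (Log on as a service)")
        if key in rights.get("SeInteractiveLogonRight", set()):
            issues.append("directly granted SeInteractiveLogonRight (Allow log on locally)")
        if key not in rights.get("SeDenyInteractiveLogonRight", set()):
            issues.append("not in SeDenyInteractiveLogonRight (Deny log on locally)")
        findings[acct] = issues
    return findings

if __name__ == "__main__":
    parsed = parse_privilege_rights(SAMPLE_EXPORT)
    for acct, issues in audit_service_accounts(parsed, ["svc-backup", "svc-sql"]).items():
        print(acct, "OK" if not issues else issues)
```

The check only sees rights assigned to the account directly; a right inherited through group membership (for example Domain Admins inside the local Administrators group) has to be checked separately.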


