Re: Service accounts best practices
From: Ferdie (ferdie_at_sand.rr.com)
Date: 06/18/05
Date: Fri, 17 Jun 2005 16:01:51 -0700
Don't get me wrong, I'd like to get there. But how long did it take you? I
guess it would help to start off that way.
I think I need a guide specifically targeting all of the resistance that I'm
about to hit. I can't seem to find the right one.
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:ucqcGe4cFHA.4064@TK2MSFTNGP10.phx.gbl...
> It really doesn't do anything for you. They can simply give themselves the
> rights back.
>
> The only people who should have domain admin rights are the exact people
> doing domain admin work and it should be a very small group. I had three
> people as domain admins of a Fortune 5 forest consisting of 250k users and
> about 400 domain controllers globally distributed. No services had those
> rights, they were all delegated.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Ferdie wrote:
>> I need to be careful though. The DB group teaches me nice things like
>> SQL queries. I think if I just remove the right to log on locally to any
>> box, then that would reduce the vulnerability a little. It's a small step
>> for now, but a huge step in breaking the comfort level.
>>
>> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
>> news:%23ECPTKtcFHA.456@TK2MSFTNGP09.phx.gbl...
>>
>>>Make them document exactly why they need domain admin. I have done this
>>>dance with several vendors. Generally they say that because they have no
>>>idea what their app needs nor why.
>>>
>>> joe
>>>
>>>--
>>>Joe Richards Microsoft MVP Windows Server Directory Services
>>>www.joeware.net
>>>
>>>
>>>Ferdie wrote:
>>>
>>>>Can someone point me to a guide to securing service accounts? I have
>>>>some accounts that require Domain Admin rights (or so they say), but
>>>>don't need to log on locally. I'd like to remove that right, so that
>>>>they don't use it to bypass the logical access control. There might be
>>>>some other issues that come up, so I might need a guide.
>>>>
>>>>Thanks,
>>>>Ferdie
>>
>>