Re: Service accounts best practices

From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/18/05


Date: Fri, 17 Jun 2005 22:27:25 -0700

and . . .
   that very small group that do have access to a DA account
should know not to use it when it is not needed, when what
they are doing is accomplishable as say a server local admin.

-- 
Roger Abell
Microsoft MVP (Windows Security)
"Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
news:ucqcGe4cFHA.4064@TK2MSFTNGP10.phx.gbl...
> It really doesn't do anything for you. They can simply give themselves the
> rights back.
>
> The only people who should have domain admin rights are the exact people
> doing domain admin work and it should be a very small group. I had three people
> as domain admins of a fortune 5 forest consisting of 250k users and about 400
> domain controllers globally distributed. No services had those rights,
> they were all delegated.
>
> --
> Joe Richards Microsoft MVP Windows Server Directory Services
> www.joeware.net
>
>
> Ferdie wrote:
> > I need to be careful though.  The DB group teaches me nice things like
> > SQL queries.  I think if I just remove the right to log on locally to any
> > box, then that would reduce the vulnerability a little.  It's a small step for
> > now, but a huge step in breaking the comfort level.
> >
> > "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> > news:%23ECPTKtcFHA.456@TK2MSFTNGP09.phx.gbl...
> >
> >>Make them document exactly why they need domain admin. I have done this
> >>dance with several vendors. Generally they say that because they have no
> >>idea what their app needs nor why.
> >>
> >>   joe
> >>
> >>--
> >>Joe Richards Microsoft MVP Windows Server Directory Services
> >>www.joeware.net
> >>
> >>
> >>Ferdie wrote:
> >>
> >>>Can someone point me to a guide to securing service accounts?  I have
> >>>some accounts that require Domain Admin rights (or so they say), but
> >>>don't need to log on locally.  I'd like to remove that right, so that
> >>>they don't use it to bypass the logical access control.  There might be
> >>>some other issues that come up, so I might need a guide.
> >>>
> >>>Thanks,
> >>>Ferdie
> >
> >
> >
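A defender-side check in the spirit of this thread, added here as an example and not code posted by any of the participants: it lists the services on the named servers that run under a domain account and flags any whose account is a direct or nested member of Domain Admins, which is exactly the "no services had those rights" state Joe describes. It assumes the RSAT ActiveDirectory module and CIM access to each server; the script name and parameter names are my own.

```powershell
# Added example, not code from the thread: list services that run as a domain
# account and flag any whose account is a (nested) member of a privileged group.
# Assumes the RSAT ActiveDirectory module and CIM access to each server.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$PrivilegedGroup = 'Domain Admins'
)

Import-Module ActiveDirectory -ErrorAction Stop

# Expand the privileged group once, including nested groups.
$privileged = Get-ADGroupMember -Identity $PrivilegedGroup -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $_.SamAccountName.ToLowerInvariant() }

# Built-in service identities are not domain accounts and are skipped.
$builtin = @('localsystem', 'nt authority\system', 'nt authority\localservice',
             'nt authority\local service', 'nt authority\networkservice',
             'nt authority\network service')

foreach ($computer in $ComputerName) {
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $computer
    foreach ($svc in $services) {
        $account = $svc.StartName
        if (-not $account) { continue }
        if ($builtin -contains $account.ToLowerInvariant()) { continue }
        if ($account -like 'NT SERVICE\*') { continue }                          # virtual accounts
        if ($account -like '.\*' -or $account -like "$computer\*") { continue }  # local accounts

        # Normalise DOMAIN\user and user@domain to a bare name. For the UPN form this
        # assumes the UPN prefix equals the sAMAccountName, which may not always hold.
        $sam = if ($account -match '^[^\\]+\\(?<user>.+)$') { $Matches.user }
               elseif ($account -match '^(?<user>[^@]+)@') { $Matches.user }
               else { $account }

        [pscustomobject]@{
            Computer    = $computer
            Service     = $svc.Name
            RunsAs      = $account
            InPrivGroup = ($privileged -contains $sam.ToLowerInvariant())
        }
    }
}
# Usage: .\Find-PrivilegedServiceAccounts.ps1 -ComputerName srv1,srv2 | Where-Object InPrivGroup
```

Every row with InPrivGroup set is a service account that should be delegated the specific rights it needs and removed from the group, as the thread recommends.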

