Re: Service accounts best practices
From: Roger Abell (mvpNOSpam_at_asu.edu)
Date: 06/18/05
- Previous message: Roger Abell: "Re: Service accounts best practices"
- In reply to: Ferdie: "Re: Service accounts best practices"
- Next in thread: Roger Abell: "Re: Service accounts best practices"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 17 Jun 2005 22:30:45 -0700
I have to fire up the laptop later, download and do some reading,
but I just received a listing of new guidance getting published on
ms.com from the Patterns and Practices group, and one by its
abstract sounds like just what you may be looking for, to effect
guidance on granting admin accounts. I will post back after I
review a little if it fits . . . but you are right, there are lots of
mentions but not a great place to point an mgmt type nose.
--
Roger Abell
Microsoft MVP (Windows Security)

"Ferdie" <ferdie@sand.rr.com> wrote in message
news:OBUMNC5cFHA.2696@TK2MSFTNGP09.phx.gbl...
> Don't get me wrong, I'd like to get there. But how long did it take you? I
> guess it would help to start off that way.
> I think I need a guide specifically targeting all of the resistance that I'm
> about to hit. I can't seem to find the right one.
>
> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> news:ucqcGe4cFHA.4064@TK2MSFTNGP10.phx.gbl...
> > It really doesn't do anything for you. They can simply give themselves the
> > rights back.
> >
> > The only people who should have domain admin rights are the exact people
> > doing domain admin work and it should be a very small group. I had three
> > people as domain admins of a fortune 5 forest consisting of 250k users and
> > about 400 domain controllers globally distributed. No services had those
> > rights, they were all delegated.
> >
> > --
> > Joe Richards Microsoft MVP Windows Server Directory Services
> > www.joeware.net
> >
> >
> > Ferdie wrote:
> >> I need to be careful though. The DB group teaches me nice things like
> >> SQL queries. I think if I just remove the right to log on locally to any
> >> box, then that would reduce the vulnerability a little. It's a small step
> >> for now, but a huge step in breaking the comfort level.
> >>
> >> "Joe Richards [MVP]" <humorexpress@hotmail.com> wrote in message
> >> news:%23ECPTKtcFHA.456@TK2MSFTNGP09.phx.gbl...
> >>
> >>>Make them document exactly why they need domain admin. I have done this
> >>>dance with several vendors. Generally they say that because they have no
> >>>idea what their app needs nor why.
> >>>
> >>> joe
> >>>
> >>>--
> >>>Joe Richards Microsoft MVP Windows Server Directory Services
> >>>www.joeware.net
> >>>
> >>>
> >>>Ferdie wrote:
> >>>
> >>>>Can someone point me to a guide to securing service accounts? I have
> >>>>some accounts that require Domain Admin rights (or so they say), but
> >>>>don't need to log on locally. I'd like to remove that right, so that
> >>>>they don't use it to bypass the logical access control. There might be
> >>>>some other issues that come up, so I might need a guide.
> >>>>
> >>>>Thanks,
> >>>>Ferdie
> >>
> >>
>