Re: passwords Service accounts and services



I hadn't considered that, and it would definitely be a lot better for
isolated services, and I would guess that in those cases, the system account
would prob. be the best. I'll give that a shot, thank you. However when
you have several machines with services that need to authenticate before
they can start talking with one another, I can see that causing problems.

That's not the real issue though. The issue I've run into time and time
again is that as soon as you think you've got just the right level of
permissions set for a particular service, inevitably there will be some
functionality that you didn't know to test, and it ends up embarrassing you
during launch because you have a super secure application that half-works.
Fixing it requires downtime which makes you look even worse.

The security expert says "what about test environments?" I remind the
expert that it isn't always possible to test all the variables, esp. with
poorly written and documented applications. Many times you can literally
just ask the company what the minimum required perms are, and they'll tell
you, but I can't tell you how many times I've had blank stares when I start
asking questions like that (and yes I am asking the supposedly correct
people).

Even you have to admit it's rather frustrating. It makes the entire process
of applying the policy of "least privilege" trial and error at best in many
cases.

-P

"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:%23CvhBRUwGHA.5056@xxxxxxxxxxxxxxxxxxxxxxx
It would be a very good start if you could just make these accounts local
administrators and not domain administrators.

It is quite easy for someone with administrator permissions on the server
to dump out the service account password. Now instead of being only an
administrator on the server he or she is now a domain administrator...

--
Mike
Microsoft MVP - Windows Security

"TwistedPair" <twistedpair@xxxxxxxx> wrote in message
news:uMorMKUwGHA.3364@xxxxxxxxxxxxxxxxxxxxxxx


"Miha Pihler [MVP]" <mihap-news@xxxxxxxxxxx> wrote in message
news:uvWwDaSwGHA.1808@xxxxxxxxxxxxxxxxxxxxxxx
Yes, it would be wise to restart the service once you change the
password on the service. You should be able to do this using the

sc

command from the command line... For more information check out the

sc /?

options.

Note: I hope these service accounts do not have excessive permissions in
domain (e.g. domain administrator permissions). :-)

Yeah, working on that one too . . . the difficulty is that applying the
least privilege principle to service accounts adds a layer or two of
complexity to the entire system and may have unforeseen consequences down
the line. Especially when something goes wrong. If you or anyone have a
nifty way (other than simple trial and error) to determine the least
amount of privileges a service needs to run under, I'd be really
interested to know.

-P

--
Mike
Microsoft MVP - Windows Security

"TwistedPair" <twistedpair@xxxxxxxx> wrote in message
news:OWr2nwLwGHA.1512@xxxxxxxxxxxxxxxxxxxxxxx
Group,
I need to change a bunch 'o service accounts' passwords, then go to
every service that uses these accounts, and configure their passwords
appropriately. To do this I whipped up a little script that visits
every server in AD and checks the list of services on it. For each
account that I need to change I can tell the script to change that
service's password, however, here's my question . . . I will need to
stop and start that service at that point won't I? My feeling is that
it will continue to run under the old security context (old username
and password) and will eventually lock out the account that it relies
upon. Hopefully I am incorrect, or else, there is some nifty
work-around. Any ideas?

Thanks!
Pair
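One way to script the change-and-restart step discussed in this thread, added here as an example (it is not the original poster's script and not from anyone in the thread): for one service account it finds every service on a list of servers that runs under that account, stores the new password in the SCM the way `sc config ... password=` would, and then restarts the service so it stops running under the old logon. It assumes Windows PowerShell 5.1 with CIM/WinRM access and local administrator rights on each server; the server names and account name are constructed placeholders.

```powershell
# Added example, not from the thread. Updates the stored credentials of every
# service running as $Account on each server, then restarts it.
param(
    [Parameter(Mandatory)][string]$Account,        # placeholder, e.g. 'CONTOSO\svc_app'
    [Parameter(Mandatory)][SecureString]$NewPassword,
    [string[]]$Servers = @('SRV01', 'SRV02')       # constructed names; normally from AD
)

# The SCM needs the plaintext; keep it in this variable only and do not log it.
$plain = [System.Net.NetworkCredential]::new('', $NewPassword).Password

foreach ($server in $Servers) {
    # -eq is case-insensitive, so 'contoso\svc_app' and 'CONTOSO\svc_app' both match
    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $server |
        Where-Object { $_.StartName -eq $Account }

    foreach ($svc in $services) {
        # Win32_Service.Change rewrites the logon credentials; ReturnValue 0 = success.
        $r = Invoke-CimMethod -InputObject $svc -MethodName Change `
             -Arguments @{ StartName = $Account; StartPassword = $plain }
        if ($r.ReturnValue -ne 0) {
            Write-Warning "$server\$($svc.Name): Change failed, code $($r.ReturnValue)"
            continue
        }
        if ($svc.State -ne 'Running') { continue }   # new password is used at next start

        # The running process still holds the old logon token; restart so the new
        # credentials are actually used. StopService returns 3 if dependent services
        # are still running; stop those first in that case.
        $r = Invoke-CimMethod -InputObject $svc -MethodName StopService
        if ($r.ReturnValue -ne 0) {
            Write-Warning "$server\$($svc.Name): StopService failed, code $($r.ReturnValue)"
            continue
        }
        # Wait (bounded) for the stop to complete before starting again.
        $deadline = (Get-Date).AddSeconds(60)
        do {
            Start-Sleep -Seconds 2
            $state = (Get-CimInstance -ClassName Win32_Service -ComputerName $server `
                      -Filter "Name='$($svc.Name)'").State
        } until ($state -eq 'Stopped' -or (Get-Date) -gt $deadline)

        $r = Invoke-CimMethod -InputObject $svc -MethodName StartService
        if ($r.ReturnValue -ne 0) {
            # A non-zero value here usually means the new password is wrong or the
            # account lacks "Log on as a service"; fix before retrying to avoid lockout.
            Write-Warning "$server\$($svc.Name): StartService failed, code $($r.ReturnValue)"
        } else {
            Write-Output "$server\$($svc.Name): restarted under $Account"
        }
    }
}
```

Run it once per service account before changing the password in AD, then again after, so no service is left with a stale password in the SCM; a service whose start fails repeatedly with the old password is what locks the account out.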
