List: focus-ms
Subject: Re: Local Account Vs Domain Account
From: Tod Beardsley <todb () planb-security ! net>
Date: 2004-01-21 15:38:59
Message-ID: 200401210938.59808.todb () planb-security ! net
Matthew Wagenknecht wrote:
> Passwords are stored in the registry for accounts that are used for
> services. You can easily pull them out locally on the machine with
> LSAdump, etc
This is, imo, /the/ reason to avoid using powerful domain accounts to
run local services/applications.
Matthew also warns:
> As a side note, do not make the local account part of the
> Administrators group. This will make remote attacks more difficult.
Pretty standard advice, and limiting the account to non-Administrator
levels will limit what an attacker can do once he's compromised the
application or account. But in reality, many vendors/developers still
recommend or require the local account be a local administrator.
At any rate, the attacker needs to be System to read the LSA Secrets
key. By this point, you've already lost control of the local machine,
and he's got a more powerful account than the one running your service.
On the other hand, domain accounts can have advantages; namely, central
management and auditing. You can also restrict the domain account to be
able to log in only to the local machine via the user properties, which
will limit the reach of the attacker should he compromise only this
account. Others have mentioned restricting the logon types, too, which
is a good practice.
In the end, it all depends on how you administer your enterprise. If you
don't have a significant AD infrastructure and centralized management
with interesting security policies, then local is probably the way to
go. If you have 1000s of machines and you read your domain event logs
routinely for signs of compromise, then domain credentials may be a
better choice.
--
"It's okay to yell 'fire' in a crowded theater
if the theater is actually on fire."
Tod Beardsley | www.planb-security.net
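The thread's practical advice (prefer local accounts for local services, and keep the service account out of the local Administrators group) can be audited on a host with the PowerShell script below. It is an added example, not code from the thread or from either poster; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module, run as a local administrator.

```powershell
# Added audit helper (not from the original thread). Lists every service that logs on
# as a real user account and flags the two things the discussion warns about:
# domain accounts running local services, and service accounts that are local admins.
# Assumes Windows PowerShell 5.1+ (Get-LocalGroupMember) run as a local administrator.

$builtIn  = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService')
$computer = $env:COMPUTERNAME

# Current members of the local Administrators group, upper-cased for comparison.
# Get-LocalGroupMember reports names as COMPUTER\user or DOMAIN\user (NetBIOS form).
$admins = Get-LocalGroupMember -Group 'Administrators' |
    ForEach-Object { $_.Name.ToUpperInvariant() }

Get-CimInstance -ClassName Win32_Service |
    Where-Object {
        $_.StartName -and
        $builtIn -notcontains $_.StartName -and
        $_.StartName -notlike 'NT SERVICE\*'     # per-service virtual accounts
    } |
    ForEach-Object {
        # Normalise the stored logon name to DOMAIN\user. Bare "user" and ".\user"
        # both mean a local account. A UPN (user@corp.example) is a domain account,
        # but its DNS-style domain will not match the NetBIOS names in $admins.
        $name = $_.StartName
        if ($name -match '^(?<user>[^@\\]+)@(?<dom>.+)$') {
            $dom = $Matches.dom; $user = $Matches.user
        } elseif ($name -match '^(?<dom>[^\\]+)\\(?<user>.+)$') {
            $dom = $Matches.dom; $user = $Matches.user
        } else {
            $dom = '.'; $user = $name
        }
        if ($dom -eq '.') { $dom = $computer }
        $account  = "$dom\$user"
        $isDomain = ($dom -ine $computer)

        [pscustomobject]@{
            Service    = $_.Name
            Account    = $account
            Scope      = if ($isDomain) { 'Domain' } else { 'Local' }
            LocalAdmin = ($admins -contains $account.ToUpperInvariant())
            StartMode  = $_.StartMode
        }
    } |
    Sort-Object Scope, LocalAdmin -Descending |
    Format-Table -AutoSize
```

Rows showing Scope "Domain" with LocalAdmin "True" are the combination the thread argues against: a credential recoverable from the machine that is also powerful beyond it.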