List:       focus-ms
Subject:    Re: Local Account Vs Domain Account
From:       Tod Beardsley <todb () planb-security ! net>
Date:       2004-01-21 15:38:59
Message-ID: 200401210938.59808.todb () planb-security ! net

Matthew Wagenknecht wrote:
> Passwords are stored in the registry for accounts that are used for
> services. You can easily pull them out locally on the machine with
> LSAdump, etc

This is, imo, /the/ reason to avoid using powerful domain accounts to 
run local services/applications. 

Matthew also warns:

> As  a side note, do not make the local account part of the
> Administrators group. This will make remote attacks more difficult.

Pretty standard advice, and limiting the account to non-Administrator 
levels will limit what an attacker can do once he's compromised the 
application or account. But in reality, many vendors/developers still 
recommend or require the local account be a local administrator. 

At any rate, the attacker needs to be System to read the LSA Secrets 
key. By this point, you've already lost control of the local machine, 
and he's got a more powerful account than the one running your service. 

On the other hand, domain accounts can have advantages; namely, central 
management and auditing. You can also restrict the domain account to be 
able to log in only to the local machine via the user properties, which 
will limit the reach of the attacker should he compromise only this 
account. Others have mentioned restricting the logon types, too, which 
is a good practice.

In the end, it all depends on how you administer your enterprise. If you 
don't have a significant AD infrastructure and centralized management 
with interesting security policies, then local is probably the way to 
go. If you have 1000s of machines and you read your domain event logs 
routinely for signs of compromise, then domain credentials may be a 
better choice.

-- 
"It's okay to yell 'fire' in a crowded theater
if the theater is actually on fire."
Tod Beardsley | www.planb-security.net
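The two controls the thread recommends, restricting a domain service account to one machine and to a limited set of logon types, only pay off if someone actually checks the domain logs for violations. The following is an added example, not code from the original post: it audits constructed logon records (using the account, logon type and workstation fields of a modern Security log logon event, Event ID 4624) against a hypothetical per-account policy and reports anything the policy does not allow.

```python
# Added example (not from the original post): check constructed logon
# records against a per-service-account policy that mirrors the thread's
# advice: the domain account may only log on to the machine that runs
# the service, and only with the logon types you allow (5 = Service).
from dataclasses import dataclass

# Windows logon type codes as recorded in a 4624 event's LogonType field.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               10: "RemoteInteractive"}

@dataclass(frozen=True)
class ServiceAccountPolicy:
    account: str              # DOMAIN\user of the service account
    allowed_hosts: frozenset  # machines it may log on to ("Log On To" list)
    allowed_types: frozenset  # logon type codes it may use

# Hypothetical policy: svc_backup runs only on FILESRV01, only as a service.
POLICY = {
    "CORP\\svc_backup": ServiceAccountPolicy(
        "CORP\\svc_backup", frozenset({"FILESRV01"}), frozenset({5})),
}

# Constructed sample events: (record id, account, logon type, workstation).
SAMPLE_EVENTS = [
    (1, "CORP\\svc_backup", 5, "FILESRV01"),   # expected service logon
    (2, "CORP\\svc_backup", 3, "WS-0417"),     # network logon from a workstation
    (3, "CORP\\svc_backup", 10, "FILESRV01"),  # RDP logon with a service account
    (4, "CORP\\jdoe", 2, "WS-0417"),           # not a service account, ignored
]

def audit_logons(events, policy):
    """Return (record id, reason) for every event that violates the policy."""
    findings = []
    for rec_id, account, logon_type, host in events:
        rule = policy.get(account)
        if rule is None:
            continue  # only accounts with a policy are in scope
        if host.upper() not in rule.allowed_hosts:
            findings.append((rec_id, f"{account} logged on from {host}, "
                                     f"which is not an allowed host"))
        if logon_type not in rule.allowed_types:
            name = LOGON_TYPES.get(logon_type, str(logon_type))
            findings.append((rec_id, f"{account} used logon type {name}"))
    return findings

if __name__ == "__main__":
    for rec_id, reason in audit_logons(SAMPLE_EVENTS, POLICY):
        print(f"record {rec_id}: {reason}")
```

Fed real export data instead of the constructed tuples, a non-empty result is exactly the "sign of compromise" the post says routine log review should catch, since a correctly restricted account cannot produce those logons at all.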

