Proper Rights

[WooYing]

Hi All

Just wanted to get everyone opinion on whether or not I should
set this up the right way. I have an account which should only be used for
Services on the servers. The problem is that these some Services require
Domain Admin account. So we don't want the users to login with this
account. We want the users to use their own account but at the same time
give them the username and password for that account just to startup
Services.

So this is what I had in mind, create a Service Admin account
but disable interactive logon then run a GPO on each server giving them
rights to startup the service that needs the Service Admin account. Granted
each server is different and I might have to run a local GPO on those boxes.

Or go with Security Configuration and Analysis tool. Then do it
from there? What are your thoughts? Thanks

 

[Paul Bergson [MVP-DS]]

I wouldn't give any user the user name and password to an admin account.
That account is for admins only, no exceptions. You can set all the rules
you want a user can go to a different box and logon under that used id and
password. You should be logging onto that box (RDP) and creating the setup
and the code executing should not be available to anybody but the admins.

Secondly, why would you need to use a domain admin account? If you set this
up and grant them the ability for this service to run as an admin and they
have access to the code running, they can setup most anything and elevate
privleges for themselves. This whole scenario is setup for you to have
someone run malicous code.

This layout is just a disaster waiting to happen.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jorge Silva]

Hi
As Paul already said, don't do that, post here why exactly you need to that,
and maybe we can help you out with that.
If your purpose is some crappy app that needs Admin Access, my advise to you
is... throw that app away, or talk with the developers and tell them that
isn't possible and that they need to change that requirement.
--
*************************************************
I hope that the information above helps you
Good Luck

Jorge Silva

MCSA + Exchange + MSCE
*************************************************

 

[Jorge de Almeida Pinto [MVP - DS]]

I always create a group like DENYLogonForSVCAccounts, make ALL service
accounts a member of that group and then configure that group with the user
rights Deny logon locally and deny logon through TS.

However, some apps NEED the logon locally user right. The way to find out is
to first configure with deny logon locally and test if every works correctly

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx

 

[WooYing]

Jorge and Paul, thanks for the input and I totally agree with what your
saying. Here the problem, the place where I am at now, has a bunch of share
folders which is not accessable by one account that is why they need a
service admin account to access this. In the future when I get a list of
share folders which this service admin is access I will then change the
rights but for now I want to minimize this service admin account until I
clean it up properly. So if you have any suggestion I would appreciate your
assistance. Thank you for all your help and suggestions.

 

[Jorge Silva]

If the shares permissions are given by security group scope, just make that
account member of the appropriate groups.
Is that account under your control?
If no, by allowing that account with Domain Admin access you're giving that
person or app the right to do what ever he/she wants, it's up to you...
Next time make sure that the shares permissions are given by security group
instead of users.
--
*************************************************
I hope that the information above helps you
Good Luck

Jorge Silva

MCSA + Exchange + MSCE
*************************************************

 

[Paul Bergson [MVP-DS]]

That sounds like a good idea (DENYLogonForSVCAccounts), I will have to look
at this. We are always trying to tighten down things.

Would you provide the users the id and password? If so, couldn't they
create a script to grant themselves group membership to the domain admins
group via a scheduled task?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Jorge de Almeida Pinto [MVP - DS]"

 

[Paul Bergson [MVP-DS]]

Grant r/w access to the root of where the folders exist. I see know reason
to provide this account elevated privelges.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

 

[Jorge de Almeida Pinto [MVP - DS]]

not if it is not required...

I say that because I have seen companies where:
team A does A on all servers (e.g. backup and restore)
team B does B on all servers (e.g. hardware monitoring)
team C does C on all servers (e.g. performance monitoring)

and depending on the task or tool used the service account is a DA

sometimes things are really stupid...

today someone told me:
We use tool A and B and when we use tool A we cannot do performance
monitoring stuff on DCs because we do not get the rights.
When we use tool B we can do anything because we have a service account that
is DA...


WTF!?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

That sounds like a good idea (DENYLogonForSVCAccounts), I will have to
look at this. We are always trying to tighten down things.

Would you provide the users the id and password? If so, couldn't they
create a script to grant themselves group membership to the domain admins
group via a scheduled task?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Jorge de Almeida Pinto [MVP - DS]"

I always create a group like DENYLogonForSVCAccounts, make ALL service
accounts a member of that group and then configure that group with the
user rights Deny logon locally and deny logon through TS.

However, some apps NEED the logon locally user right. The way to find out
is to first configure with deny logon locally and test if every works
correctly

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!

 

[Paul Bergson [MVP-DS]]

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no rights.

"Jorge de Almeida Pinto [MVP - DS]"

not if it is not required...

I say that because I have seen companies where:
team A does A on all servers (e.g. backup and restore)
team B does B on all servers (e.g. hardware monitoring)
team C does C on all servers (e.g. performance monitoring)

and depending on the task or tool used the service account is a DA

sometimes things are really stupid...

today someone told me:
We use tool A and B and when we use tool A we cannot do performance
monitoring stuff on DCs because we do not get the rights.
When we use tool B we can do anything because we have a service account
that is DA...


WTF!?

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------

That sounds like a good idea (DENYLogonForSVCAccounts), I will have to
look at this. We are always trying to tighten down things.

Would you provide the users the id and password? If so, couldn't they
create a script to grant themselves group membership to the domain admins
group via a scheduled task?

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

"Jorge de Almeida Pinto [MVP - DS]"

I always create a group like DENYLogonForSVCAccounts, make ALL service
accounts a member of that group and then configure that group with the
user rights Deny logon locally and deny logon through TS.

However, some apps NEED the logon locally user right. The way to find
out is to first configure with deny logon locally and test if every
works correctly

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx
------------------------------------------------------------------------------------------
* This posting is provided "AS IS" with no warranties and confers no
rights!
* Always test before implementing!
------------------------------------------------------------------------------------------
#################################################
#################################################
------------------------------------------------------------------------------------------
I wouldn't give any user the user name and password to an admin account.
That account is for admins only, no exceptions. You can set all the
rules you want a user can go to a different box and logon under that
used id and password. You should be logging onto that box (RDP) and
creating the setup and the code executing should not be available to
anybody but the admins.

Secondly, why would you need to use a domain admin account? If you set
this up and grant them the ability for this service to run as an admin
and they have access to the code running, they can setup most anything
and elevate privleges for themselves. This whole scenario is setup for
you to have someone run malicous code.

This layout is just a disaster waiting to happen.

--
Paul Bergson
MVP - Directory Services
MCT, MCSE, MCSA, Security+, BS CSci
2003, 2000 (Early Achiever), NT

http://www.pbbergs.com

Please no e-mails, any questions should be posted in the NewsGroup
This posting is provided "AS IS" with no warranties, and confers no
rights.

Hi All

Just wanted to get everyone opinion on whether or not I
should set this up the right way. I have an account which should only
be used for Services on the servers. The problem is that these some
Services require Domain Admin account. So we don't want the users to
login with this account. We want the users to use their own account
but at the same time give them the username and password for that
account just to startup Services.

So this is what I had in mind, create a Service Admin
account but disable interactive logon then run a GPO on each server
giving them rights to startup the service that needs the Service Admin
account. Granted each server is different and I might have to run a
local GPO on those boxes.

Or go with Security Configuration and Analysis tool. Then
do it from there? What are your thoughts? Thanks

 

[Joe Richards [MVP]]

Good idea, though no one should get it through their head this blocks
the use of the account for un-sanctioned methods. It is still fully
useable with NET USE /USER and RUNAS/CPAU. Interactive logon is simply
the most common way to use the IDs but I can do as much damage with the
other mechanisms.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Joe Richards [MVP]]

Never, and I mean never, give out too much rights and then "think" you
will trim them back. Start with the least rights right up front.
Granting additional rights is much easier than taking them away later
because no one complains about getting rights added to their account.

--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm

 

[Jorge de Almeida Pinto [MVP - DS]]

I agree with joe! If someone is not a DA or should not be one, then that
person should also NOT have credentials for service wether or not the
service account is a DA. IMHO, EVERYONE's actions should be tracable WHEN
needed, and thus own a personal account. Never share accounts and WHEN
something goed wrong, everyone says: "it wasn't me"

now read the following...

at my current client management/admin is setup like:
team A does users,groups
team B does backups
team C does monitoring, etc.

now guess what...NOBODY is admin through their personal account, but the
teams (B and C) do have the service account credentials that are used within
the tools and some of those svc accounts are DA (e.g. for backup)

better yet, team C has two tools to monitor stuff...tool X and Y. For tool Y
a svc account is used without DA's rights, but it has local member server
admin rights. The fun part is that they are not allowed to have admin rights
on the DCs and because of the current setup they cannot monitor the DCs at
all. However, for tool X they do have the credentials of the service account
and the svc account is a DA

Now think! What is wrong here? ;-)

Lets say that my first words were: WTF!?!?! ;-)

--

Cheers,
(HOPEFULLY THIS INFORMATION HELPS YOU!)

# Jorge de Almeida Pinto # MVP Windows Server - Directory Services

BLOG (WEB-BASED)--> http://blogs.dirteam.com/blogs/jorge/default.aspx
BLOG (RSS-FEEDS)--> http://blogs.dirteam.com/blogs/jorge/rss.aspx