
Local Admin

We've recently had to remove the ARS svc account from the local admin of the server, but this causes the service account to fail with an access denied. Is there a minimum set of granular perms required to offset the need for a local admin? Thanks!

  • I will suggest that you configure "Domain Admins" as the ARS administrator and, additionally, that you store those "credentials" within the ARS configuration database itself (instead of within the registry).

    ref: support.software.dell.com/.../62472

  • The officially-supported configuration is that the Active Roles service account MUST be a member of the local Administrators group on the machine hosting the service.

    From the ActiveRoles Server 6.9 Quick Start Guide:

    support.software.dell.com/.../downloads

    "The service account must be a member of the Administrators group on the computer running the
    Administration Service. Because of this requirement, installing the Administration Service on a domain
    controller effectively grants the service account administrator rights in the entire domain."

  • Perhaps I'm confused prior to my morning coffee...

    Is not the ARS admin service account a Domain Admin and, therefore, would have permission to the entire domain regardless of where the ARS service were installed? Further, unless you go out of your way to complicate things, Domain Admins would already be a member of the ARS server's "Administrators" group.

    That's how we have it configured anyway, i.e.
    * ARS service account = domain admin account
    * ARS Standalone host(s) with "registry security removed" (as in my previous post)

  • In a standard configuration, Active Roles automatically uses the service account to access any Domains which are added to the product. However, it is entirely possible to use the service account to run the service only, and have a separate account for accessing every Domain, even the local one.

  • @Terrance, fair enough - yes that is possible. Perhaps there is some security benefit in utilizing two accounts (I'd have to think harder upon it).

    Far more important in my opinion, and I'll mention it one last time since it is a GIGANTIC security hole that has/had existed for years within ARS until this methodology was released a version or two ago...

    support.software.dell.com/.../62472

    Without the above "fix", the server's registry holds the information as to the ARS administrator(s) and it is fully editable and in clear text, so it would not be extremely difficult for non-administrators to elevate themselves or other accounts to Domain Admins, i.e. by modifying the value, gaining complete control of the domain, and then doing whatever they wish. Anyway, I think OP should have plenty to think about by this point.  ;-)

  • I guess I'm not quite done...

    The instructions on this page are not the actual fix (but they will show the security hole that I mentioned).
    support.software.dell.com/.../62472

    However, if you read further on the above page, you'll find TF00342457 here:
    support.software.dell.com/.../122282

    That's what you should want to implement. ASAP, in my opinion.

    -Steve

  • To your point about the "security hole" - there are ways to protect yourself against this which I have counseled customers about over the years:

    Treat your ARS server as a "sensitive" application server by:

    1. Limiting who has local admin rights to it
    2. Closely monitoring (using the Change Auditor product for example) all logon activity to the box.
    3. Closely monitoring ALL changes to this box in general

    And when I say "monitoring", I mean notifying someone whenever someone logs on to the machine and/or makes a change to it.

    Just as important is that you must limit who is an "ARS Admin" because these people (who may or may not be domain admins themselves) will acquire whatever rights to your environment that you have granted your "override" account(s).  Also, strictly speaking, your override account(s) that you should configure to actually make changes in the domain(s) managed by ARS do not have to be Domain Admins.  Rather, they need the maximum rights that you intend to delegate out.  It is often most convenient to make them Domain Admins but it is not a technical requirement.
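    One way to script the first two items in the list above, as an added example that is not code from this thread or from the Active Roles product: it baselines the host's local Administrators group against an approved list and pulls the last 24 hours of interactive, network and RDP logons from the Security log. It assumes Windows Server 2016 or later with PowerShell 5.1 (for Get-LocalGroupMember), run from an elevated session on the ARS host; the approved-list entries are constructed placeholders.

```powershell
# Added example, not from the thread or from the Active Roles product.
# Assumes Windows Server 2016+ / PowerShell 5.1+ (Get-LocalGroupMember) and an
# elevated session on the ARS host. Approved-list entries are constructed placeholders.

# Approved local administrators for this host (placeholders: replace with your own).
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # built-in local admin
    'CONTOSO\Domain Admins',             # placeholder domain group
    'CONTOSO\svc-ars'                    # placeholder ARS service account
)

# Check 1: local Administrators membership versus the approved list.
function Get-UnapprovedLocalAdmins {
    param([string[]]$Approved = $ApprovedAdmins)
    Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $Approved -notcontains $_.Name } |
        Select-Object Name, ObjectClass, PrincipalSource
}

# Check 2: recent logons to the host. Parses 4624 events and keeps the types that
# mean a person reached the box (2 = interactive, 3 = network, 10 = RDP);
# machine accounts (names ending in $) are dropped as noise.
function Get-RecentLogons {
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $data = @{}
        foreach ($node in ([xml]$_.ToXml()).Event.EventData.Data) { $data[$node.Name] = $node.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            Account   = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = [int]$data.LogonType
            SourceIp  = $data.IpAddress
        }
    } | Where-Object { $_.LogonType -in 2, 3, 10 -and $_.Account -notmatch '\$$' }
}

$unexpected = Get-UnapprovedLocalAdmins
if ($unexpected) {
    Write-Warning "Local Administrators on $env:COMPUTERNAME not on the approved list:"
    $unexpected | Format-Table -AutoSize
} else {
    Write-Output "Local Administrators on $env:COMPUTERNAME match the approved list."
}

Get-RecentLogons -Hours 24 | Sort-Object Time -Descending | Format-Table -AutoSize
```

    Run it from an elevated prompt on the ARS host; scheduling it and forwarding the WARNING output (or the logon table) to whoever is on call is the "notifying someone" the post describes, and the same checks can be fed to Change Auditor or any SIEM instead.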

  • I agree with the "sensitive" comments.

    I think the best way to treat the ARS server as "sensitive" is to immediately move the credentials from the registry and into the ARS database. If that is not done, then anyone with access to the host server's registry is only steps away from becoming an ARS Admin and subsequently from there, gaining domain admin permissions. This list of anyone could include local administrator accounts; domain members of "Administrators" group; backup operators, power users, potentially many other accounts.

    Monitoring is good too and I agree and we do. Of course, a bad actor or hacker could have already completed major damage by the time you get the auditing report.

    Since this thread is still going and so that I understand... does anyone on this thread think that it is a good idea to have the following remain "as is" in clear text and not implement TF00342457: DSAdministrators? Sell me on the idea - I'm open.  :-)
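    To make the exposure discussed in the last few posts concrete from the defender's side, here is an added example (not code from the thread, and not an Active Roles tool) that lists which principals hold write-capable rights on a registry key. The thread does not name the key path, so the path below is a placeholder to be replaced with the key your ARS version uses; the script assumes PowerShell 5.1 or later, run elevated on the ARS host.

```powershell
# Added example, not from the thread or from the Active Roles product.
# Lists every principal that can change a registry key's values or its permissions.
# The key path is a PLACEHOLDER: the thread names no path, so substitute the key
# your ARS version uses before running. Assumes PowerShell 5.1+ and an elevated session.

function Get-RegistryKeyWriters {
    param([Parameter(Mandatory)][string]$Path)

    if (-not (Test-Path -Path $Path)) {
        Write-Warning "Key not found: $Path (replace the placeholder path)"
        return
    }

    # Rights that let a principal alter the key, or grant themselves the right to.
    $R = [System.Security.AccessControl.RegistryRights]
    $writeMask = [int]($R::SetValue -bor $R::CreateSubKey -bor $R::Delete -bor
                       $R::ChangePermissions -bor $R::TakeOwnership)

    (Get-Acl -Path $Path).Access |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            (([int]$_.RegistryRights) -band $writeMask) -ne 0
        } |
        Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } },
                      @{ n = 'Rights';    e = { $_.RegistryRights } },
                      @{ n = 'Inherited'; e = { $_.IsInherited } }
}

# Placeholder path: substitute the ARS key that holds the administrators value.
$ArsKey = 'HKLM:\SOFTWARE\PLACEHOLDER\ActiveRoles'

$writers = Get-RegistryKeyWriters -Path $ArsKey
if ($writers) {
    Write-Output "Principals able to modify ${ArsKey}:"
    $writers | Format-Table -AutoSize
}
```

    Any principal in the output beyond SYSTEM and the local Administrators group (the thread mentions Backup Operators and Power Users as candidates) is exactly the condition the posters are describing; limiting that list is a stop-gap, and moving the credentials into the ARS database (TF00342457) is the fix they recommend.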