• State Suggested Answer
  • Locked Locked
  • Replies 8 replies
  • Answers 1 answer
  • Subscribers 61 subscribers
  • Views 9237 views
  • Users 0 members are here
Options
Related
This discussion has been locked.
You can no longer post new replies to this discussion. If you have a question you can start a new discussion

Local Admin

rrotondi
over 8 years ago

We've recently had to remove the ARS svc account from the local admin of the server, but this causes the service account to fail with an access denied. If there a minimum amount of granular perms required to offset the need for a local admin? thanks!

Parents
  • 0 over 8 years ago

    @Terrance, fair enough - yes that is possible. Perhaps there is some security benefit in utilizing two accounts (I'd have to think harder upon it).

    Far more important in my opinion, and I'll mention it one last time since it is a GIGANTIC security hole that has/had existed for years within ARS until this methodology was released a version or two ago...

    support.software.dell.com/.../62472

    Without the above "fix", the server's registry holds the information as to the ARS administrator(s) and it is fully editable and in clear text, so it would not be extremely difficult for non-administrators to elevate themselves or other accounts to Domain Admins, i.e. by modifying the value, gaining complete control of the domain, and then doing whatever they wish. Anyway, I think OP should have plenty to think about by this point.  ;-)

Reply
  • 0 over 8 years ago

    @Terrance, fair enough - yes that is possible. Perhaps there is some security benefit in utilizing two accounts (I'd have to think harder upon it).

    Far more important in my opinion, and I'll mention it one last time since it is a GIGANTIC security hole that has/had existed for years within ARS until this methodology was released a version or two ago...

    support.software.dell.com/.../62472

    Without the above "fix", the server's registry holds the information as to the ARS administrator(s) and it is fully editable and in clear text, so it would not be extremely difficult for non-administrators to elevate themselves or other accounts to Domain Admins, i.e. by modifying the value, gaining complete control of the domain, and then doing whatever they wish. Anyway, I think OP should have plenty to think about by this point.  ;-)

Children
No Data