
Local Admin

We've recently had to remove the ARS svc account from the local admin of the server, but this causes the service account to fail with an access denied. Is there a minimum amount of granular perms required to offset the need for a local admin? thanks!

  • To your point about the "security hole" - there are ways to protect yourself against this which I have counseled customers about over the years:

    Treat your ARS server as a "sensitive" application server by:

    1. Limiting who has local admin rights to it
    2. Closely monitoring (using the Change Auditor product for example) all logon activity to the box.
    3. Closely monitoring ALL changes to this box in general

    And when I say "monitoring", I mean notifying someone whenever someone logs on to the machine and/or makes a change to it.

    Just as important is that you must limit who is an "ARS Admin" because these people (who may or may not be domain admins themselves) will acquire whatever rights to your environment that you have granted your "override" account(s). Also, strictly speaking, your override account(s) that you should configure to actually make changes in the domain(s) managed by ARS do not have to be Domain Admins. Rather, they need the maximum rights that you intend to delegate out. It is often most convenient to make them Domain Admins but it is not a technical requirement.

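As an added example (not part of the original thread), this PowerShell script checks the two controls the reply above says to put on the ARS host: local Administrators membership against an approved baseline, and recent interactive or RDP logons from the Security log. The approved-admin names and the lookback window are placeholders to adjust for your environment.

```powershell
# Added example, not from the thread: audit local admin membership and interactive
# logons on an Active Roles server. Requires PowerShell 5.1+ and local admin rights
# to read the Security log. Names below are constructed placeholders.

# Constructed baseline: the only principals that should be local admins on the ARS box.
$ApprovedAdmins = @(
    "$env:COMPUTERNAME\Administrator",   # the host's built-in admin
    'CONTOSO\ARS-Server-Admins'          # placeholder group name
)
$LookbackHours = 24

# 1. Compare the live Administrators group with the approved baseline.
$current    = Get-LocalGroupMember -Group 'Administrators' -ErrorAction Stop |
              Select-Object -ExpandProperty Name
$unexpected = $current        | Where-Object { $_ -notin $ApprovedAdmins }
$missing    = $ApprovedAdmins | Where-Object { $_ -notin $current }

if ($unexpected) {
    Write-Warning "Unexpected local admins on $($env:COMPUTERNAME): $($unexpected -join ', ')"
}
if ($missing) {
    Write-Warning "Approved admins not present: $($missing -join ', ')"
}

# 2. Interactive (type 2) and RDP (type 10) logons in the lookback window.
# This is the raw material for "notify someone whenever someone logs on" if you are
# not using Change Auditor; schedule it or forward the events to your SIEM.
$events = Get-WinEvent -FilterHashtable @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddHours(-$LookbackHours)
} -ErrorAction SilentlyContinue

$logons = foreach ($e in $events) {
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
    if ($data['LogonType'] -in @('2', '10')) {
        [pscustomobject]@{
            Time      = $e.TimeCreated
            User      = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            LogonType = $data['LogonType']
            Source    = $data['IpAddress']
        }
    }
}

# Every row is a candidate alert; anyone not in $ApprovedAdmins warrants a look.
$logons | Sort-Object Time | Format-Table -AutoSize
```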