Local Admin

We've recently had to remove the ARS svc account from the local admin of the server, but this causes the service account to fail with an access denied. Is there a minimum amount of granular perms required to offset the need for a local admin? Thanks!

  • I agree with the "sensitive" comments.

    I think the best way to treat the ARS server as "sensitive" is to immediately move the credentials from the registry and into the ARS database. If that is not done, then anyone with access to the host server's registry is only steps away from becoming an ARS Admin and subsequently from there, gaining domain admin permissions. This list of anyone could include local administrator accounts; domain members of "Administrators" group; backup operators, power users, potentially many other accounts.

    Monitoring is good too and I agree and we do. Of course, a bad actor or hacker could have already completed major damage by the time you get the auditing report.

    Since this thread is still going and so that I understand... does anyone on this thread think that it is a good idea to have the following remain "as is" in clear text and not implement TF00342457: DSAdministrators? Sell me on the idea - I'm open.  :-)
