Security Manager's Journal: Rights can be so wrong
Windows service accounts used by software are often given domain administrator rights, just because it's quick and easy. That sort of thing rubs security managers the wrong way.
Computerworld - I've been continuing my efforts to get my company's user accounts under control. We have a lot of Windows service accounts that are used by software, and many of these were put into the Domain Admins group without any real thought regarding what rights they legitimately need. Now that my eyes have been opened to this situation, I've been working with our system administrators to find a way to let software run without such a high level of access.
Accounts within the Domain Admins group on a Windows domain have full control, which means they can do things like adding (and removing) computer and user accounts, creating and changing groups, changing security policies and of course reading, writing or deleting all files on every computer on the domain. They are administrators of all servers and workstations. With the possible exception of backup software, none of our applications should need that much access in order to run. Surely there must be a way to give access to the system files an application needs without all those other rights.
The applications' vendors have been of little help, typically responding along these lines: "Our software needs to read and write a lot of files in many locations, so it requires a high enough level of permissions on the system to do that. Running as a domain administrator is the easiest way to ensure that the software will have enough access to run properly."
Of course, the reason our Domain Admins group is stuffed with software accounts is that that's the easiest way to make software work. Overworked, harried system administrators who are under the gun to make something work quickly aren't very motivated to spend time figuring out which privileges are needed so that they can grant only those privileges, and then test to make sure everything works. And it doesn't help that the software manufacturers encourage the quick and easy fix of granting excessive rights.
At the same time, those same overstressed administrators don't spend much time making up strong passwords. You're bound to find an "oracle" account with a password of "oracle" (or maybe "oracle123" at best) on any network, just because rushed system administrators don't think too deeply about risk.
As a result, the accounts that can do the most damage are also the easiest for an attacker to break into.
When I brought these concerns to our Windows gurus, one bright fellow mentioned that it's possible to restrict service account access using delegation. A consultant who is a Windows expert confirmed that delegating rights in a Windows domain can be done in a way that should allow pretty much all software to work without having full rights. Sounds easy enough, but it isn't. The difficulty is that a delegation model needs to be designed and built into the domain, and that's no small task. In our case, we would need to bring in a consultant with more knowledge and experience in that area than our own administrators have.
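Before a delegation model can be designed, you need a concrete list of which accounts in Domain Admins are really software identities and which services on which hosts run under them. The following PowerShell is an added example written for this column, not code from the author, Computerworld, or any vendor mentioned; it assumes the ActiveDirectory module (RSAT) is installed, that the caller can read the domain and query CIM on the target hosts, and that the `svc`/`sa`/`app` name pattern, the 365-day password-age threshold, and the hostnames `app01` and `db01` are local guesses you would replace.

```powershell
# Added example (not from the column). Inventory service-style accounts that hold
# Domain Admins and the services that run under domain accounts, so the
# least-privilege work starts from facts rather than vendor assurances.
Import-Module ActiveDirectory

$StaleDays   = 365                          # assumption: flag passwords older than a year
$NamePattern = '^(svc|sa|app|service)[-_.]' # assumption: site naming convention for service accounts

function Get-SuspectDomainAdmins {
    # Recursive membership, so accounts nested through other groups are included.
    $members = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
               Where-Object { $_.objectClass -eq 'user' }

    foreach ($m in $members) {
        $u = Get-ADUser -Identity $m.distinguishedName -Properties ServicePrincipalName,
                PasswordLastSet, PasswordNeverExpires, LastLogonDate, Description

        $reasons = @()
        # A registered SPN means the account is used as a service identity.
        if ($u.ServicePrincipalName.Count -gt 0)   { $reasons += 'SPN registered (service identity)' }
        if ($u.SamAccountName -match $NamePattern) { $reasons += 'service-style account name' }
        if ($u.PasswordNeverExpires)               { $reasons += 'password never expires' }
        if ($u.PasswordLastSet -and $u.PasswordLastSet -lt (Get-Date).AddDays(-$StaleDays)) {
            $reasons += "password older than $StaleDays days"
        }

        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Account       = $u.SamAccountName
                Description   = $u.Description
                LastLogonDate = $u.LastLogonDate
                Reasons       = ($reasons -join '; ')
            }
        }
    }
}

function ConvertTo-SamName([string]$StartName) {
    # Win32_Service.StartName is either DOMAIN\name or name@domain; reduce to the sAMAccountName.
    if ($StartName -match '\\') { return ($StartName -split '\\')[-1] }
    if ($StartName -match '@')  { return ($StartName -split '@')[0] }
    return $StartName
}

function Get-DomainServiceLogons {
    # Services whose logon identity is a domain account rather than a built-in
    # virtual identity (LocalSystem, NT AUTHORITY\..., NT SERVICE\...) or a local account (.\name).
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($c in $ComputerName) {
        Get-CimInstance -ClassName Win32_Service -ComputerName $c |
            Where-Object {
                $_.StartName -and
                $_.StartName -notmatch '^(LocalSystem|NT AUTHORITY\\|NT SERVICE\\|\.\\)'
            } |
            Select-Object @{ n = 'Computer'; e = { $c } }, Name, StartName, State, PathName
    }
}

# Usage: build both lists and cross-reference them. An account that appears in both
# is a software account holding Domain Admins, the case the column describes.
$admins     = Get-SuspectDomainAdmins
$adminNames = $admins | ForEach-Object { $_.Account }
$services   = Get-DomainServiceLogons -ComputerName 'app01', 'db01'   # assumption: hostnames

$admins | Format-Table -AutoSize
$services |
    Where-Object { $adminNames -contains (ConvertTo-SamName $_.StartName) } |
    Format-Table Computer, Name, StartName, PathName -AutoSize
```

The second table is the worklist for the delegation project: each row names a host, a service, the account it runs as, and the executable path, which is what you hand to a vendor when asking for the actual file and registry locations the product touches. Rows whose account also carries "password never expires" or a multi-year password age are the ones to re-credential first, since those combine the most damage potential with the least password hygiene.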
More by J.F. Rice