Network Security Focus-Microsoft

Re: creating AD accounts for IdM solutions

Subject: Re: creating AD accounts for IdM solutions
Date: Fri, 20 Jan 2006 15:33:46 -0800
A "domain admin" equivalent account should not be a requirement. I would be leery of configuring a 3rd party application to use "domain admin" as you can't ensure that:
1) The credentials are stored in a secure manner.
2) Credentials are passed between applications and other network resources in a secure manner.
3) The software itself is written securely and the application itself can't be leveraged against you.
4) Auditing becomes difficult as no access-level "failures" will occur with domain admin.


You should map out exactly what minimum permissions the account will need in order to perform its job, and then delegate the needed rights to a "regular" account, and not the domain account.

In this way, auditing becomes more valuable (and potential misuse more evident) as failure events will identify any issues. Auditing does not "prevent abuse" at all; it just alerts you to the fact that abuse may be occurring.

hth
t




----- "I'll see your Llama and up you a Badger." John T



----- Original Message ----- From: "Saqib Ali" <docbook.xml@gmail.com>
To: <focus-ms@securityfocus.com>
Sent: Friday, January 20, 2006 12:12 PM
Subject: creating AD accounts for IdM solutions



What are some Security Concerns and Best Practices for creating Active Directory accounts for 3rd party Identity Management solutions.

Non-MS Identity Management (IDM) solutions require creation of an
Active Directory account with domain-wide administrative privileges.
The IDM solution then uses that account for day-to-day administration
tasks like creating new users, changing passwords, group membership, etc.

1) What are some security concerns with this approach?

2) What are best practices to prevent abuse of this account?

3) What type of auditing needs to be in place to prevent abuse?

--
Saqib Ali, CISSP
http://www.xml-dev.com/blog/
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
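The reply above recommends mapping out the minimum rights the IdM account needs and delegating exactly those to an ordinary account, then auditing failures. The following PowerShell script is an added example of that delegation (it is not code from either poster or from any IdM product). It assumes the RSAT ActiveDirectory module is available, and the OU names `OU=Managed Users,DC=corp,DC=example` and `OU=Service Accounts,DC=corp,DC=example` and the account name `svc-idm` are hypothetical placeholders. The schema GUIDs are the well-known ones for the user and group object classes, the member attribute, and the Reset Password extended right.

```powershell
# Added example: delegate only user-lifecycle rights on one OU to a plain
# service account instead of using a Domain Admin, then audit failures.
# OU paths and the account name below are hypothetical.
Import-Module ActiveDirectory

$svc   = "svc-idm"                                      # hypothetical IdM service account
$svcOU = "OU=Service Accounts,DC=corp,DC=example"       # hypothetical OU for service accounts
$ou    = "OU=Managed Users,DC=corp,DC=example"          # hypothetical OU the IdM is allowed to manage

# 1. Create an ordinary account: no privileged group membership at all.
New-ADUser -Name $svc -SamAccountName $svc -Path $svcOU `
    -AccountPassword (Read-Host -AsSecureString "Password for $svc") `
    -Enabled $true -KerberosEncryptionType AES256
$sid = (Get-ADUser $svc).SID

# Well-known AD schema GUIDs used to scope each ACE.
$userClass     = [guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # objectClass: user
$groupClass    = [guid]"bf967a9c-0de6-11d0-a285-00aa003049e2"  # objectClass: group
$memberAttr    = [guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"  # attribute: member
$resetPassword = [guid]"00299570-246d-11d0-a768-00aa006e0529"  # extended right: Reset Password

$rights  = [System.DirectoryServices.ActiveDirectoryRights]
$allow   = [System.Security.AccessControl.AccessControlType]::Allow
$inherit = [System.DirectoryServices.ActiveDirectorySecurityInheritance]

# Read the OU's security descriptor including the SACL (-Audit) so both
# DACL and SACL changes can be written back in one Set-Acl.
$acl = Get-Acl -Path "AD:\$ou" -Audit

$rules = @(
    # Create and delete *user* objects in this OU and its sub-OUs.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($rights::CreateChild -bor $rights::DeleteChild), $allow,
        $userClass, $inherit::All),
    # Reset Password extended right, only on user objects beneath the OU.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, $rights::ExtendedRight, $allow,
        $resetPassword, $inherit::Descendents, $userClass),
    # Read/write the member attribute, only on group objects beneath the OU.
    New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $sid, ($rights::ReadProperty -bor $rights::WriteProperty), $allow,
        $memberAttr, $inherit::Descendents, $groupClass)
)
foreach ($r in $rules) { $acl.AddAccessRule($r) }

# 2. SACL: log *failed* access by this account. With a Domain Admin no
#    failures would ever be generated; with a delegated account every
#    attempt outside its delegation shows up as a failure audit event.
$audit = New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $sid, $rights::GenericAll,
    [System.Security.AccessControl.AuditFlags]::Failure, $inherit::All)
$acl.AddAuditRule($audit)

Set-Acl -Path "AD:\$ou" -AclObject $acl

# 3. Verify: the account should appear only in the delegated ACEs and in no
#    privileged group.
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -like "*\$svc" } |
    Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritedObjectType
Get-ADPrincipalGroupMembership $svc | Select-Object -ExpandProperty Name
```

Writing the SACL requires the caller to hold SeSecurityPrivilege, and the failure events only appear in the Security log once "Audit Directory Service Access" (failure) is enabled in the domain controllers' audit policy. Anything the IdM product turns out to need beyond this list (for example writing a specific attribute) should be added as a further narrowly scoped ACE, not by widening the account's group membership.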




