Chris
Posted November 17, 2022

Dear all,

First off: I do not manage or create Microsoft Active Directory environments. I care about security components from Firewalls to SIEM/SOAR. So I don't need to get too technical about the configuration on a DC here.

However, I often need to ask customers to create or share credentials for some service accounts that need to be embedded in security components, such as:

- An account which enables LDAP(s) queries
- An account that grants access to the DC's Windows Event Logs
- An account that may install software on an endpoint device (remotely)
- A possibility for an (IT) user to change the IP address of a Windows device manually (which currently results in local admin users)
- Anything else I forgot about but you know?

Of course, I always want to keep a least privilege principle. But as I just ask the customers to create an account which can do these tasks, it often results in some kind of admin user (as these are server managers and not security staff).

Now, my question/discussion entry would be: What should I tell my customer to pay attention to when creating these kinds of accounts? What are common pitfalls on AD account creation?

Thanks already for your input!

Best,
Chris

Florian
Posted November 17, 2022

The first thing that comes to my mind is a group managed service account.

Group Managed Service Accounts Overview | Microsoft Learn

Short breakdown -> it's a user which dynamically changes its password, and you have to specify the computer accounts who can request the password.
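
As an added illustration of the gMSA approach described in the reply above (not part of either post; the account, group, domain and host names are hypothetical), this creates a gMSA whose password only the listed computer accounts may retrieve, then checks that it has not ended up in an admin group:

```powershell
# Added example, run by the customer's AD administrator with the RSAT
# ActiveDirectory module. Every name below is a hypothetical placeholder.
Import-Module ActiveDirectory

$GmsaName   = 'svc-siem-evt'                   # gMSA for the event log collector
$DnsName    = 'svc-siem-evt.corp.example'      # DNS host name stored on the account
$HostGroup  = 'gMSA-svc-siem-evt-Hosts'        # hosts allowed to fetch the password
$Collectors = 'COLLECTOR01$', 'COLLECTOR02$'   # computer accounts (note trailing $)

# gMSA passwords are derived from a KDS root key; stop if the forest has none.
if (-not (Get-KdsRootKey)) {
    throw 'No KDS root key found. It must be created once (Add-KdsRootKey) before gMSAs work.'
}

# Keep the allowed computer accounts in one dedicated group so the list
# of hosts that can retrieve the password is easy to review later.
if (-not (Get-ADGroup -Filter "Name -eq '$HostGroup'")) {
    New-ADGroup -Name $HostGroup -GroupScope Global -GroupCategory Security
}
Add-ADGroupMember -Identity $HostGroup -Members $Collectors

# Create the gMSA: AD rotates the password, only $HostGroup may read it.
New-ADServiceAccount -Name $GmsaName -DNSHostName $DnsName `
    -PrincipalsAllowedToRetrieveManagedPassword $HostGroup `
    -ManagedPasswordIntervalInDays 30

# Review: who can retrieve the password, and did the account land in an admin group?
$gmsa = Get-ADServiceAccount -Identity $GmsaName `
    -Properties PrincipalsAllowedToRetrieveManagedPassword, MemberOf
$gmsa.PrincipalsAllowedToRetrieveManagedPassword

$privileged = 'Domain Admins', 'Enterprise Admins', 'Administrators'
foreach ($dn in $gmsa.MemberOf) {
    $name = (Get-ADGroup -Identity $dn).Name
    if ($name -in $privileged) {
        Write-Warning "$GmsaName is a member of '$name'; grant only the specific right it needs."
    }
}

# On each collector host (after a reboot, so it picks up the new group membership):
#   Install-ADServiceAccount -Identity svc-siem-evt
#   Test-ADServiceAccount    -Identity svc-siem-evt   # returns True when the host can use it
```

The component has to be able to retrieve the managed password from AD itself; a product that expects a password typed into its configuration cannot use a gMSA.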