We both know that's poor, but possibly necessary. I see creating a new account and granting the permissions *specifically* required as normal business. Having to install under the 500 Administrator account is not what I call *normal* by any stretch. Regardless if it's Microsoft or somebody else that does it. It's poor practice and shouldn't be done. Since I'm not the only person that writes applications in the world (I don't really write applications except as utilities anyway) I understand that others may use this type of practice and think it's normal. It's not normal acceptable behavior.
My thinking is this: since security is the art of blending acceptable risk with expended effort, creating a new account and granting it the least amount of privileges required to run is the goal. The reverse is not true: creating an application and being too lazy to implement a process that requires the least permissions to install but instead relying on a known account to be there (i.e., the 500 account). That's the equivalent of installing and running as root which is long accepted as a bad practice.
Does that mean that we'll never see it? Oh, we see it. Microsoft sometimes does it, although they should be called to explain it when they do since it's their best practice to rename that and not use it unless absolutely necessary. Then maybe they could turn their attention to products that require WINS :)
Seriously, it's a trade-off. But from a vendor, I expect them to follow the best practices of industry and the vendor that wrote the OS. Those that don't I seriously consider dropping from my radar on the spot. That's because I've been bit by this in the past and because I work in a highly regulated industry, I don't make it a standard practice to deviate from that thinking.
Least permissions can mean running as an administrator account on some level. It can. But it's even worse to think that I'd have a standard named account called administrator and I'd run it under those credentials vs. creating an installation account and delegating the appropriate rights.
On 1/29/06, Michael B. Smith <[EMAIL PROTECTED]> wrote:
It may have changed in the last year, since I no longer do Unity support, but Cisco Unity required you to create a "UnityInstall" account and use that (with specific permissions of course) to install Unity and any updates. There is also a UnityAdmin account and there are two Unity Exchange accounts (one for directory service requests and one for interfacing with the message store). Cisco was good about defining the precise permissions required for each account, but it's still irritating.
From: [EMAIL PROTECTED] [mailto: [EMAIL PROTECTED]] On Behalf Of Al Mulnick
Sent: Saturday, January 28, 2006 3:12 PM
To: [email protected]
Subject: Re: [ActiveDir] SBSland folks ask Big server land people a question about the use and risk of the "500" account.
I can honestly think of no plausible reason that any vendor I want to do business with would require that I use that or any specific account. There is never a time when that's acceptable. Wait. I want to be clear about this. There is never a time when it is acceptable to tell me that I MUST install and run under a specific named account.
Any time I've been faced with that concept, I and my colleagues have always pushed back on the vendor to specify exactly what rights and any other pertinent details were needed. If they couldn't or otherwise wouldn't provide the details, then we emphatically recommend no sale. If that doesn't prevent the sale, we loop in the security folks to accept responsibility for the compliance and other security issues that this may introduce. If they were fine with it, then I no longer have a stake in the game for that. Instead, I now have a scapegoat for anything that goes wrong ;)
There is never a time when it is acceptable to tell me that I MUST install and run under a specific named account. Never.
On 1/28/06, Susan Bradley, CPA aka Ebitz - SBS Rocks [MVP] <[EMAIL PROTECTED]> wrote:
There have been times in recent past that certain installs or
applications only work under the "500" account aka the real admin
account down here in SBSland.
In Big server land... do you also find this to be true with apps that
need to be installed on the server?
For many of you you are obviously remote admin'ing.
Do you ..when using that 500 account... accept the risk of that Admin
account/password over TS/3389?
Only over VPN? Only use that 500 account in certain
vlans/subnets/whatevers that obviously we in SBSland never carve up our
domain structures in?
For SOX purposes only have a documented use of that 500 account?
For all other times do you use admin equivalent?
--
Letting your vendors set your risk analysis these days?
http://www.threatcode.com
List info : http://www.activedir.org/List.aspx
List FAQ : http://www.activedir.org/ListFAQ.aspx
List archive: http://www.mail-archive.com/activedir%40mail.activedir.org/
