I would concur for PCI also: all accounts should be unique and auditable (especially in the EA, DA, SA and Administrator groups). Service accounts should be properly documented, with executive sign-off and proper risk management applied to the account for least privilege.

Sincerely,
EZ

Edward E. Ziots
Senior Informational Security Engineer
CISSP, Security+, Network+

> Date: Tue, 10 Jan 2012 07:45:47 -0800
> Subject: Re: Domain Admin accounts
> From: [email protected]
> To: [email protected]
>
> Which means you're going to have to audit those applications to
> understand what they're doing.
>
> If, for instance, the websense account is only used for AD auth for
> the web filter, then it doesn't need to be a DA - for our Barracuda I
> created an account (_barracuda), with no special privileges, because
> all it does is query AD for the web filter, then placed the account in
> our service account OU.
>
> Kurt
>
> 2012/1/10 David Lum <[email protected]>:
> > The gone employees I have handled. The accounts in question are like
> > Websense, myonelogin and other application-like accounts.
> >
> > -----Original Message-----
> > From: Webster [mailto:[email protected]]
> > Sent: Tuesday, January 10, 2012 7:10 AM
> > To: NT System Admin Issues
> > Subject: Re: Domain Admin accounts
> >
> > In a SOX audit I would require verification from HR that every member of
> > Domain Admins, Enterprise Admins and Schema Admins is a valid employee.
> > You would probably not be surprised how many are not employed and have been
> > gone for quite some time. Same process for off-site backup access (Iron
> > Mountain, etc).
> >
> > Service accounts that are members of one or more of those groups have to
> > have CIO (or equivalent level) sign-off.
> >
> > Thanks
> >
> > Carl Webster
> > Consultant and Citrix Technology Professional
> > http://www.CarlWebster.com
> >
> > On 1/10/12 8:57 AM, "David Lum" <[email protected]> wrote:
> >
> >> Yeah...I listed the DA accounts in question and the SE's didn't reply,
> >> and my bet is 1/2 the accounts in question they don't even know what
> >> they do. No security problem there: "Yeah the dude has keys to the
> >> castle, but I don't know who he is".
> >>
> >> Dave
> >>
> >> -----Original Message-----
> >> From: Kurt Buff [mailto:[email protected]]
> >> Sent: Monday, January 09, 2012 4:11 PM
> >> To: NT System Admin Issues
> >> Subject: Re: Domain Admin accounts
> >>
> >> On Mon, Jan 9, 2012 at 09:41, David Lum <[email protected]> wrote:
> >>> We have several service accounts that are Domain Admin; is there any
> >>> way to test for what permissions these accounts actually need short
> >>> of "removing DA and see what happens?". I'm guessing no...
> >>
> >> The big question will be exactly what jobs they are performing. You'll
> >> need a complete understanding of what they're used for - or rather,
> >> what you mean by "service account".
> >>
> >> Some service accounts are used for running services, and have a very
> >> limited scope that is more or less traceable. Others are, for instance,
> >> used in scheduled tasks, in which case you'll need to understand what
> >> the task does.
> >>
> >> Kurt
> >>
> >> ~ Finally, powerful endpoint security that ISN'T a resource hog! ~
> >> ~ <http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/> ~
> >>
> >> ---
> >> To manage subscriptions click here:
> >> http://lyris.sunbelt-software.com/read/my_forums/
> >> or send an email to [email protected]
> >> with the body: unsubscribe ntsysadmin
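The review Carl Webster describes (confirm that every member of Domain Admins, Enterprise Admins and Schema Admins is a valid employee or a signed-off service account) starts with an inventory of who is actually in those groups, nested membership included. The PowerShell below is an added example and not code posted by anyone in the thread; it assumes the RSAT ActiveDirectory module, a forest-root domain (Enterprise Admins and Schema Admins exist only there), and a leading underscore as the service-account naming convention, which mirrors Kurt's `_barracuda` and is an assumption about your own environment. The 90-day dormancy window is likewise a chosen threshold, not a figure from the thread.

```powershell
# Added example: inventory privileged group membership for an HR / sign-off review.
# Assumes the RSAT ActiveDirectory module and read rights on the groups and users.
Import-Module ActiveDirectory

# The groups named in the thread; "Administrators" is the built-in domain local group.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators'

# Assumed naming convention for service accounts (cf. Kurt's "_barracuda").
$ServiceAccountPrefix = '_'
$DormantAfterDays     = 90   # assumed threshold for "has this person really gone?"

$report = foreach ($groupName in $PrivilegedGroups) {
    # Filter rather than -Identity so a missing group (non-root domain) does not throw.
    $group = Get-ADGroup -Filter "Name -eq '$groupName'"
    if (-not $group) { continue }

    # -Recursive flattens nested groups, so indirect members are reported as well.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.DistinguishedName -Properties `
                Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires, `
                ServicePrincipalName, Description, Manager, whenCreated

            # Heuristic only: an SPN or the naming prefix suggests a service account.
            # HR and the CIO-level sign-off decide the final classification.
            $isService = $u.SamAccountName.StartsWith($ServiceAccountPrefix) -or
                         ($u.ServicePrincipalName.Count -gt 0)

            $dormant = (-not $u.LastLogonDate) -or
                       ($u.LastLogonDate -lt (Get-Date).AddDays(-$DormantAfterDays))

            # One finding per account, most serious first.
            $finding = if (-not $u.Enabled) {
                'Disabled account still holds privileged membership'
            } elseif ($isService -and [string]::IsNullOrWhiteSpace($u.Description)) {
                'Service account with no documented purpose / sign-off'
            } elseif ($isService -and -not $u.PasswordNeverExpires -eq $false) {
                'Service account with non-expiring password'
            } elseif (-not $isService -and $dormant) {
                "No logon in $DormantAfterDays days: confirm employment with HR"
            } else {
                ''
            }

            [pscustomobject]@{
                Group                = $groupName
                SamAccountName       = $u.SamAccountName
                Enabled              = $u.Enabled
                LikelyServiceAccount = $isService
                LastLogonDate        = $u.LastLogonDate
                PasswordLastSet      = $u.PasswordLastSet
                PasswordNeverExpires = $u.PasswordNeverExpires
                Created              = $u.whenCreated
                Manager              = $u.Manager        # owner to confirm with HR
                Description          = $u.Description    # should state purpose and approver
                Finding              = $finding
            }
        }
}

# On-screen summary of accounts that need a decision, then the full list as the
# review record that HR and the CIO-level approver sign.
$report | Where-Object { $_.Finding } |
    Sort-Object Group, SamAccountName |
    Format-Table Group, SamAccountName, LikelyServiceAccount, LastLogonDate, Finding -AutoSize

$report | Sort-Object Group, SamAccountName |
    Export-Csv -Path .\privileged-group-review.csv -NoTypeInformation
```

Run it from a workstation with RSAT as an account that can read the groups; the CSV is the artefact to attach to the review. The heuristics deliberately only flag: an entry with an empty Finding still needs a human to confirm the owner, which is the point Dave makes about accounts nobody can explain.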
