Can I create an Administrative account for application services only?

1LUV1T (IS-IT--Management), Nov 6, 2006
Hi guys, I realized that on my Win2k3 AD domain, there are just two admin accounts. One is seldom used and the other is mine for all day-to-day administrative tasks. I also have a lot of software apps running with *my* Administrative account credentials.

I am thinking for the future that if, let's say, my account is hacked or I am no longer with the co., and I need to disable my account, I want the applications to keep running. Is it possible to create an account that will only be used for services? Example: BackupExec runs under my Admin account credentials. If I disable my account, so is the BackupExec engine.

Any advice?
 
That's exactly what I've done. I've created multiple administrative accounts (sysservices, sysbackup, etc.) for the day-to-day services that run within my infrastructure. Each account only has the necessary administrative membership (Domain Admins, DHCP Admins, etc.) to get the job done. For added security, each account has a 30 character length password that is composed of numbers, letters and special characters and I use KeePass to keep track of them all. It's a system I've been using for years and it hasn't failed me yet.

This allows me to change the Enterprise-Level administrator password every 30 days without adversely affecting services and/or our infrastructure.

David R, CCIE
"To err is human... to really foul up requires the root password."
 
Markers, did you "just" create a new account and, for example, made it a Domain Admin (so now it is an Administrator) then put in a real difficult password?

That's a good solution but I would like to limit these accounts so much that they're only good for application services.... but your advice fits too, I guess.
 
Actually I created a new Security Group for each of the services (e.g. BackupExec) and then I created a new user and made them a member of that Security Group. Next, I created a new Security Template and gave that Security Group access to only the necessary registry entries and files/folders. The "real difficult password" is icing on the cake.

It's hard work but it's well worth it.

David R, CCIE
"To err is human... to really foul up requires the root password."
 
Was the security group domain local or global? I have a bunch of servers and workstations, but under ONE domain. Also, can you elaborate a bit more on your Security Template? Did you create a GPO for that Security Group (i.e. place it in an SG OU)?

Thanks in advance.
 
Global. Yes, I have an OU for my Security Groups.

---+ Corporate Groups
-------+ Services
-----------+ BackupExec
-----------+ AcronisImaging
-----------+ etc.
-----------+ ...

---+ Corporate Users
-------+ Human Resources
-------+ ...
-------+ Information Technology
-------+ Services
-----------+ sysbackup
-----------+ sysservices
-----------+ etc.
-----------+ ...

The only GPO the services inherit is from the Domain Controller (Default Domain GPO). And did you want me to elaborate about Security Templates in general or about the BackupExec Template?

David R, CCIE
"To err is human... to really foul up requires the root password."
 
Sorry for the delayed response. I created a Security Group, and will follow your advice on adding individual service accounts (was going to do one main one). About the Security Templates, I just wanted to know what special settings, if any, did you customize and deploy to the Group? Maybe a few examples if you can? Thanks.
 
No special settings/configuration; everything is application specific. I've found Security Templates are very handy for end-users, and software that runs on the server 9 times out of 10 requires some sort of administrative-level privileges.

As for our backup software (BackupExec), I was incorrect, it is a member of the Domain Admin, Administrator and BackupExec Security Groups and there are no Security Templates applied.

Sorry for the confusion.

David R, CCIE
"To err is human... to really foul up requires the root password."
 
OK, to sum this up for me and anyone else interested, and thanks again for your assistance Markers, I will create 1-2 accounts that are app-specific.
1. Backup Exec service account (i.e. BEsupport) and Trend Micro Network antivirus -- make the accounts Domain Admin, lock up the accounts tight with no TS access and tight GPOs applied (just in case someone gets the account), and that's it, I guess. It sounds simple and protects my own Admin account.
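
An added example, not code from the thread, that covers both the security-template idea from the earlier reply (a per-service security group granted access to only the registry keys and folders the application needs) and the "no TS access" point in the summary above. It writes a secedit .inf template and applies it with secedit /configure, granting the service account "Log on as a service" while adding it to the deny-interactive and deny-Terminal-Services logon lists. It assumes the RSAT ActiveDirectory module, the assumed names BackupExec (group) and svc_backup (account), and placeholder registry and folder paths that must be replaced with the ones the application actually touches (Process Monitor will show them).

```powershell
# Added example (not from the thread): build and apply a secedit security
# template that limits a service's group to the keys/folders it needs and
# keeps its account from logging on interactively or over Terminal Services.
# Run elevated on the server that hosts the service. Names are assumptions.
#Requires -Modules ActiveDirectory

function Get-RightHolders {
    # A template assigns a user right as the COMPLETE list of holders, so read
    # the current holders first and merge; otherwise everybody else is removed.
    param([Parameter(Mandatory)][string]$Right)
    $export = Join-Path $env:TEMP 'rights-export.inf'
    secedit /export /cfg $export /areas USER_RIGHTS | Out-Null
    $line = Get-Content $export | Where-Object { $_ -match "^\s*$Right\s*=" } | Select-Object -First 1
    Remove-Item $export -ErrorAction SilentlyContinue
    if (-not $line) { return @() }
    ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }
}

function Merge-RightHolders {
    param([string]$Right, [string]$NewHolder)
    (@(Get-RightHolders $Right) + $NewHolder | Select-Object -Unique) -join ','
}

function New-ServiceLockdownTemplate {
    param(
        [Parameter(Mandatory)][string]$ServiceGroup,     # AD group, e.g. BackupExec (assumed)
        [Parameter(Mandatory)][string]$ServiceAccount,   # sAMAccountName, e.g. svc_backup (assumed)
        [Parameter(Mandatory)][string[]]$RegistryKeys,   # MACHINE\SOFTWARE\... keys the app writes
        [Parameter(Mandatory)][string[]]$Folders,        # install/data folders the app writes
        [string]$Path = (Join-Path $env:TEMP 'svc-lockdown.inf')
    )
    # SDDL only knows well-known aliases (BA = Administrators, SY = SYSTEM);
    # custom principals must be written as SIDs, so resolve both up front.
    $groupSid   = (Get-ADGroup -Identity $ServiceGroup).SID.Value
    $accountSid = '*' + (Get-ADUser -Identity $ServiceAccount).SID.Value

    # "path",0,"SDDL": 0 = configure the object and propagate inheritable ACEs.
    # D:PAR = protected DACL (nothing inherited from the parent); Admins and
    # SYSTEM full control; the service group read+write (KR/KW, FR/FW/FX) only.
    $regLines  = $RegistryKeys | ForEach-Object {
        '"{0}",0,"D:PAR(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KRKW;;;{1})"' -f $_, $groupSid
    }
    $fileLines = $Folders | ForEach-Object {
        '"{0}",0,"D:PAR(A;OICI;FA;;;BA)(A;OICI;FA;;;SY)(A;OICI;FRFWFX;;;{1})"' -f $_, $groupSid
    }
    $template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Registry Keys]
$($regLines -join "`r`n")
[File Security]
$($fileLines -join "`r`n")
[Privilege Rights]
SeServiceLogonRight = $(Merge-RightHolders 'SeServiceLogonRight' $accountSid)
SeDenyInteractiveLogonRight = $(Merge-RightHolders 'SeDenyInteractiveLogonRight' $accountSid)
SeDenyRemoteInteractiveLogonRight = $(Merge-RightHolders 'SeDenyRemoteInteractiveLogonRight' $accountSid)
"@
    Set-Content -Path $Path -Value $template -Encoding Unicode   # secedit expects UTF-16
    $Path
}

function Invoke-ServiceLockdownTemplate {
    param([Parameter(Mandatory)][string]$Path)
    $db  = Join-Path $env:TEMP 'svc-lockdown.sdb'
    $log = Join-Path $env:TEMP 'svc-lockdown.log'
    # Apply only the three areas the template populates; the log names any
    # path or principal secedit could not resolve.
    secedit /configure /db $db /cfg $Path /areas REGKEYS FILESTORE USER_RIGHTS /log $log
    if ($LASTEXITCODE -ne 0) { throw "secedit reported an error; see $log" }
}

# Usage with the assumed names and placeholder paths:
$inf = New-ServiceLockdownTemplate -ServiceGroup 'BackupExec' -ServiceAccount 'svc_backup' `
        -RegistryKeys @('MACHINE\SOFTWARE\Vendor\BackupApp') `
        -Folders @('C:\Program Files\Vendor\BackupApp')
Invoke-ServiceLockdownTemplate -Path $inf
```

Note that SeDenyNetworkLogonRight is deliberately left alone: a backup agent has to authenticate to other machines, and denying network logon would break the job while the two deny entries above still stop a stolen password from being used at the console or over RDP. Also, the registry and file ACLs only restrict anything when the account is not also an Administrator on that host; a member of Domain Admins, as in the final setup described above, gets full access regardless of these entries, so the deny-logon rights are the part that still helps there.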
 
Sounds good.

David R, CCIE
"To err is human... to really foul up requires the root password."
 
This is a good idea, thanks for sharing your experience with us Markers.
 