Re: Service Login Account query



First, different services shouldn't share an ID: an attack on a single ID, or a mistake, and you lock out all of your services. Preferably, services should try to run as NetworkService or, even better, LocalService; then you don't worry about accounts and passwords.

1. No, there is no central location maintaining where IDs are being used unless you are manually keeping a list.

2. There is a script written by a friend of mine that will scan your servers. You can get it here:

http://www.jsifaq.com/SF/Tips/Tip.aspx?id=5721

3. No, services will not be using Passport in the future. I am not aware of any major changes in how services are running in Longhorn.


The main thing about handling service IDs securely and properly is discipline and control. Also, do not allow people to set the accounts to non-expiring, so you are forced to regularly go out and change them, so that:

a. you know how
b. you know where
c. because they tend to have more rights and powers than most IDs that you wouldn't think of allowing to not get changed
d. the more people who know a secret, the less likely it is not a secret


--
Joe Richards Microsoft MVP Windows Server Directory Services
Author of O'Reilly Active Directory Third Edition
www.joeware.net


---O'Reilly Active Directory Third Edition now available---

http://www.joeware.net/win/ad3e.htm


AdrianDev wrote:
Hi,
A domain has several Windows 2003 services installed on Windows servers, all configured to log in with a domain user account. The domain user password gets stored encrypted in the local registries of all the servers, according to the documentation. And so, if the domain user password changes, all the service properties will have to be altered to update the locally stored passwords to synchronise them, else the service won't restart.
Fine.
But if I don't have the list of server names, is there a central method of listing the server names that have services that are using a particular domain user?
I am aware that it can be done the long way by running sc remotely on every server to list every service user and cross-checking, but is there a function or command to achieve this that I can run from a single Windows 2003 server on the domain?
Moreover, what is the future for Windows services? Is there any change planned here to use Passport or something else?
Thanks, Adrian
.
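The "long way" Adrian describes (querying every server's service list and cross-checking the logon account) as an added PowerShell example; this is not the script Joe links to and not part of the thread. It assumes you have admin rights on the target servers, that they accept WMI over WinRM or DCOM, and that the RSAT ActiveDirectory module is available if you omit -ComputerName; the account and server names in the usage line are constructed.

```powershell
# Added example: find every service on a set of servers whose logon account
# (Win32_Service.StartName) is a given domain account.
function Get-BareLogonName([string]$n) {
    # Normalise 'DOMAIN\user', 'user@domain' and bare 'user' to lower-case 'user'
    # so the comparison is independent of how the account was typed into the SCM.
    if ($n -like '*\*') { return ($n -split '\\')[-1].ToLower() }
    if ($n -like '*@*') { return ($n -split '@')[0].ToLower() }
    return $n.ToLower()
}

function Find-ServiceLogonAccount {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Account,   # e.g. 'CONTOSO\svc_backup' (assumed name)
        [string[]]$ComputerName,                  # omit to enumerate server objects from AD
        [switch]$UseDcom                          # for hosts that have no WinRM listener
    )
    $wanted = Get-BareLogonName $Account
    if (-not $ComputerName) {
        $ComputerName = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' -Properties OperatingSystem |
            Select-Object -ExpandProperty DNSHostName
    }
    $opt = if ($UseDcom) { New-CimSessionOption -Protocol Dcom } else { New-CimSessionOption -Protocol Wsman }
    foreach ($c in $ComputerName) {
        try {
            $s = New-CimSession -ComputerName $c -SessionOption $opt -ErrorAction Stop
            Get-CimInstance -CimSession $s -ClassName Win32_Service -ErrorAction Stop |
                # Only the logon name is compared, not the domain part, so a local account
                # with the same name would also be listed; review the LogonAs column.
                Where-Object { $_.StartName -and (Get-BareLogonName $_.StartName) -eq $wanted } |
                ForEach-Object {
                    [pscustomobject]@{
                        ComputerName = $c; Service = $_.Name; DisplayName = $_.DisplayName
                        LogonAs = $_.StartName; StartMode = $_.StartMode; State = $_.State
                    }
                }
            Remove-CimSession $s
        } catch {
            # Unreachable hosts are reported rather than silently skipped: a server missed
            # here is the one whose service fails to start after the password change.
            Write-Warning "$c : $($_.Exception.Message)"
        }
    }
}

# Usage with constructed values:
# Find-ServiceLogonAccount -Account 'CONTOSO\svc_backup' -ComputerName srv01,srv02 | Format-Table -AutoSize
```

Built-in identities such as LocalSystem or NT AUTHORITY\NetworkService never match a domain account, so they drop out of the results; only services configured with a real logon account are listed.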


