A "domain admin" equivalent account should not be a requirement. I would be leery of configuring a 3rd party application to use "domain admin" as you can't ensure that:
1) The credentials are stored in a secure manner.
2) Credentials are passed between applications and other network resources in a secure manner.
3) The software itself is written securely and the application itself can't be leveraged against you.
4) Auditing becomes difficult as no access-level "failures" will occur with domain admin.

You should map out exactly what minimum permissions the account will need in order to perform its job, and then delegate the needed rights to a "regular" account, and not the domain account.

In this way, auditing becomes more valuable (and potential misuse more evident) as failure events will identify any issues. Auditing does not "prevent abuse" at all - it just alerts you to the fact that abuse may be occurring.

hth
t




-----
"I'll see your Llama and up you a Badger."
John T
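The delegation John describes, as an added example that is not part of the original thread: grant an IdM service account only the create-user, reset-password and group-membership rights it needs on one OU, and add a failure audit entry so misuse shows up as failure events. Every name here (domain EXAMPLE, OU=Managed, account svc-idm) is an assumption.

```powershell
# Added example, not from the thread. Assumed: domain EXAMPLE (DC=example,DC=com),
# target OU "OU=Managed,DC=example,DC=com", service account EXAMPLE\svc-idm.
# Run as an account allowed to change the OU's DACL and SACL.
Import-Module ActiveDirectory

$ou  = "OU=Managed,DC=example,DC=com"
$svc = New-Object System.Security.Principal.NTAccount("EXAMPLE", "svc-idm")
$sid = $svc.Translate([System.Security.Principal.SecurityIdentifier])

# Fixed AD schema / control-access GUIDs (these are the well-known values)
$userClass  = [Guid]"bf967aba-0de6-11d0-a285-00aa003049e2"  # user object class
$groupClass = [Guid]"bf967a9c-0de6-11d0-a285-00aa003049e2"  # group object class
$memberAttr = [Guid]"bf9679c0-0de6-11d0-a285-00aa003049e2"  # 'member' attribute
$resetPwd   = [Guid]"00299570-246d-11d0-a768-00aa006e0529"  # User-Force-Change-Password

# -Audit pulls the SACL as well, so the audit rule below can be written back
$acl = Get-Acl -Path "AD:\$ou" -Audit

# 1) Create and delete user objects directly under this OU (not other classes)
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "CreateChild, DeleteChild", "Allow", $userClass, "None")))

# 2) Reset passwords, but only on user objects beneath the OU
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "ExtendedRight", "Allow", $resetPwd, "Descendents", $userClass)))

# 3) Change group membership: write the 'member' attribute of groups beneath the OU
$acl.AddAccessRule((New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid, "WriteProperty", "Allow", $memberAttr, "Descendents", $groupClass)))

# 4) Audit failures: anything svc-idm tries beyond the rights above is logged
$acl.AddAuditRule((New-Object System.DirectoryServices.ActiveDirectoryAuditRule(
    $sid, "GenericAll", "Failure", "All")))

Set-Acl -Path "AD:\$ou" -AclObject $acl

# Verify: only the three delegated rights should appear for the service account
(Get-Acl -Path "AD:\$ou").Access |
    Where-Object { $_.IdentityReference -eq "EXAMPLE\svc-idm" } |
    Format-Table ActiveDirectoryRights, ObjectType, InheritedObjectType, InheritanceType
```

Failure entries only reach the Security log if "Audit Directory Service Access" is enabled in the domain controllers' audit policy.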



----- Original Message ----- From: "Saqib Ali" <[EMAIL PROTECTED]>
To: <[email protected]>
Sent: Friday, January 20, 2006 12:12 PM
Subject: creating AD accounts for IdM solutions


What are some security concerns and best practices for creating Active
Directory accounts for 3rd party Identity Management solutions?

Non-MS Identity Management (IDM) solutions require creation of an
Active Directory account with domain wide administrative privileges.
The IDM solution then uses that account for day to day administration
tasks like creating new users, changing passwords, group membership etc.

1) What are some security concerns with this approach?

2) What are best practices to prevent abuse of this account?

3) What type of auditing needs to be in place to prevent abuse?

--
Saqib Ali, CISSP
http://www.xml-dev.com/blog/
"I fear, if I rebel against my Lord, the retribution of an Awful Day
(The Day of Resurrection)" Al-Quran 6:15
