Got a request from our security group. A new application will connect to AD to do some provisioning functions (adds, deletes, modifications, etc.). They want to know if we can restrict the service account by IP address. The thinking is that if the account and password got compromised, restricting it to only being allowed from one IP address would reduce the attack surface. I'm not aware of a way to do this in AD. Even with NAP and NPS, I don't think you could really do this. As compensating controls we will remove the ability to log on locally or through terminal services, like we do with other service accounts.
Any suggestions?

Thanks,
Christopher Bodnar
Enterprise Architect II, Corporate Office of Technology: Enterprise Architecture and Engineering Services
Tel 610-807-6459
3900 Burgess Place, Bethlehem, PA 18017
The Guardian Life Insurance Company of America
www.guardianlife.com
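As an added example that is not part of the original post: since AD itself cannot pin a service account to a source address, the "one IP" intent can at least be enforced as a detective control by reviewing 4624 logon events for that account on the domain controllers. The account name svc-provision and the allowed address 10.1.2.3 are assumed placeholders, and the sample records are constructed so the check runs offline.

```powershell
# Added example (not from the original post): report logons for a service
# account that come from any source other than its expected IP.
# Assumed placeholders: account 'svc-provision', expected source 10.1.2.3.
$ServiceAccount = 'svc-provision'
$AllowedIPs     = @('10.1.2.3')

function Test-ServiceAccountLogon {
    param(
        # Objects with TimeCreated, TargetUserName, IpAddress, LogonType
        [Parameter(Mandatory)] [object[]] $Events,
        [string]   $Account = $ServiceAccount,
        [string[]] $Allowed = $AllowedIPs
    )
    # An LDAP bind from the application host shows up as LogonType 3 (network).
    $Events |
        Where-Object { $_.TargetUserName -eq $Account -and $_.IpAddress -notin $Allowed } |
        ForEach-Object {
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Account   = $_.TargetUserName
                SourceIP  = $_.IpAddress
                LogonType = $_.LogonType
                Verdict   = 'UNEXPECTED SOURCE'
            }
        }
}

# Pulls real 4624 events from the local Security log (run on each DC).
function Get-ServiceAccountLogons {
    param([string] $Account = $ServiceAccount, [int] $Hours = 24)
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter | ForEach-Object {
        $x = [xml]$_.ToXml()
        $d = @{}
        $x.Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        [pscustomobject]@{
            TimeCreated    = $_.TimeCreated
            TargetUserName = $d['TargetUserName']
            IpAddress      = $d['IpAddress']
            LogonType      = $d['LogonType']
        }
    } | Where-Object { $_.TargetUserName -eq $Account }
}

# Constructed sample records so the check runs offline; on a DC use Get-ServiceAccountLogons instead.
$sample = @(
    [pscustomobject]@{ TimeCreated = '2024-01-01 08:00'; TargetUserName = 'svc-provision'; IpAddress = '10.1.2.3'; LogonType = '3' }
    [pscustomobject]@{ TimeCreated = '2024-01-01 08:05'; TargetUserName = 'svc-provision'; IpAddress = '10.9.9.9'; LogonType = '3' }
    [pscustomobject]@{ TimeCreated = '2024-01-01 08:06'; TargetUserName = 'jdoe';          IpAddress = '10.9.9.9'; LogonType = '2' }
)
Test-ServiceAccountLogon -Events $sample | Format-Table -AutoSize
```

Because 4624 is logged on whichever DC authenticated the bind, the query has to be run against every DC (or a central log collector) to see all uses of the account.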
