Which means you're going to have to audit those applications to
understand what they're doing.

If, for instance, the websense account is only used for AD auth for
the web filter, then it doesn't need to be a DA - for our Barracuda I
created an account (_barracuda), with no special privileges, because
all it does is query AD for the web filter, then placed the account in
our service account OU.

Kurt

2012/1/10 David Lum <david....@nwea.org>:
> The gone employees I have handled. The accounts in question are like 
> Websense, myonelogin and other application-like accounts.
>
> -----Original Message-----
> From: Webster [mailto:webs...@carlwebster.com]
> Sent: Tuesday, January 10, 2012 7:10 AM
> To: NT System Admin Issues
> Subject: Re: Domain Admin accounts
>
> In a SOX audit I would require verification from HR that every member of 
> Domain Admins, Enterprise Admins and Schema Admins is a valid employee.
> You would probably not be surprised how many are not employed and have been 
> gone for quite some time.  Same process for off-site backup access (Iron 
> Mountain, etc).
>
> Service accounts that are members of one or more of those groups have to have 
> CIO (or equivalent level) sign-off.
>
> Thanks
>
>
> Carl Webster
> Consultant and Citrix Technology Professional http://www.CarlWebster.com 
> <http://www.carlwebster.com/>
>
> On 1/10/12 8:57 AM, "David Lum" <david....@nwea.org> wrote:
>
>>Yeah...I listed the DA accounts in question and the SE's didn't reply,
>>and my bet is 1/2 the accounts in question they don't even know what
>>they do. No security problem there "Yeah the dude has keys to the
>>castle, but I don't know who he is".
>>
>>Dave
>>
>>-----Original Message-----
>>From: Kurt Buff [mailto:kurt.b...@gmail.com]
>>Sent: Monday, January 09, 2012 4:11 PM
>>To: NT System Admin Issues
>>Subject: Re: Domain Admin accounts
>>
>>On Mon, Jan 9, 2012 at 09:41, David Lum <david....@nwea.org> wrote:
>>> We have several service accounts that are Domain Admin - is there any
>>> way to test for what permissions these accounts actually need short
>>> of "removing DA and see what happens?". I'm guessing no...
>>
>>The big question will be exactly what jobs they are performing. You'll
>>need a complete understanding of what they're used for - or rather,
>>what you mean by "service account".
>>
>>Some service accounts are used for running services, and have a very
>>limited scope that is more or less traceable. Others are, for instance,
>>used in scheduled tasks, in which case you'll need to understand what
>>the task does.
>>
>>
>>Kurt
>>
>>~ Finally, powerful endpoint security that ISN'T a resource hog! ~ ~
>><http://www.sunbeltsoftware.com/Business/VIPRE-Enterprise/>  ~
>>
>>---
>>To manage subscriptions click here:
>>http://lyris.sunbelt-software.com/read/my_forums/
>>or send an email to listmana...@lyris.sunbeltsoftware.com
>>with the body: unsubscribe ntsysadmin

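The membership review discussed in this thread (confirming who is in Domain Admins, Enterprise Admins and Schema Admins, and picking out the service accounts among them) can start from an inventory like the one below. This is an added example, not part of any poster's message; the 90-day staleness threshold, the output file name and the single-domain forest are assumptions.

```powershell
# Added example: list every user in the privileged groups with the fields
# a reviewer needs (owner hints, last use, whether it looks like a service account).
# Requires the ActiveDirectory module (RSAT) and read access to the directory.
# Assumes a single-domain forest, so all three groups resolve in the current domain.
Import-Module ActiveDirectory

$groups    = 'Domain Admins', 'Enterprise Admins', 'Schema Admins'
$staleDays = 90                      # assumption: review threshold, adjust to policy
$cutoff    = (Get-Date).AddDays(-$staleDays)
$props     = 'Description', 'LastLogonDate', 'PasswordLastSet', 'ServicePrincipalName'

$report = foreach ($group in $groups) {
    # -Recursive expands nested groups so indirect members are not missed.
    # Only user objects are kept; computers and managed service accounts
    # need a separate pass.
    Get-ADGroupMember -Identity $group -Recursive |
        Where-Object { $_.objectClass -eq 'user' } |
        ForEach-Object {
            $u = Get-ADUser -Identity $_.distinguishedName -Properties $props
            [pscustomobject]@{
                Group           = $group
                SamAccountName  = $u.SamAccountName
                Enabled         = $u.Enabled
                # Parent container: everything after the first unescaped comma of the DN
                OU              = ($u.DistinguishedName -split '(?<!\\),', 2)[1]
                Description     = $u.Description
                # LastLogonDate comes from lastLogonTimestamp, which replicates
                # lazily (it can lag by up to about two weeks).
                LastLogonDate   = $u.LastLogonDate
                PasswordLastSet = $u.PasswordLastSet
                # A registered SPN is a strong hint that a service runs as this account
                HasSPN          = $u.ServicePrincipalName.Count -gt 0
                Stale           = (-not $u.LastLogonDate) -or ($u.LastLogonDate -lt $cutoff)
            }
        }
}

# Full list for HR verification and sign-off
$report | Sort-Object Group, SamAccountName |
    Export-Csv -Path .\privileged-members.csv -NoTypeInformation

# Accounts to look at first: service-like, unused, or disabled but still privileged
$report | Where-Object { $_.HasSPN -or $_.Stale -or -not $_.Enabled } |
    Format-Table Group, SamAccountName, Enabled, HasSPN, LastLogonDate, OU -AutoSize
```

The inventory only shows which accounts hold the membership and how recently they were used; what each application actually does with the account still has to be established by auditing the application itself.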