|
Posted by Roger Abell [MVP] on July 8, 2007, 2:26 pm
If you were Registered and logged in, you could reply and use other advanced thread options
Hi Matthew
I am thinking that there is pretty much nothing you can do.
Since the account does need access to an unpredictable set
of machines, and needs to be able to install there, unless you
can make the remote install happen without admin and without
the copy to admin share on install target it is pretty hard to see
how you can restrict the account used.
You could of course make some plain Domain User (not member
of Domain Admins) member of Administrators of all members of
the domain, and that would itself be a big plus (not using Domain
Admin account). But to be able to do this without Administrators
membership on the targets is really a matter of how the install
sets things up.
Roger
>I have a service account with administrator rights that I would like
> to restrict to just performing software installs. The account needs
> to be able to copy files to the administrative shares on the target
> computer (servers and workstations), then execute the setup program
> via RPC. Once installed, the software will run as a service in the
> LocalSystem security context.
>
> How might I restrict the rights afforded to this service account? I
> realize that remote software installation is sufficient to compromise
> a computer, but I'd like to know if there's anything I can or should
> do to restrict what this account can access. (I'm probably better off
> using a different method for software distribution, but in this case,
> I am using a network-based discovery program to find computers that
> aren't running this service, and once discovered, the program pushes
> the service out to them using this account.)
>
> Best wishes,
> Matthew
>
> --
> "Rogues are very keen in their profession, and know already much more
> than we can teach them respecting their several kinds of roguery."
> - A. C. Hobbs in _Locks and Safes_ (1853)
| 
XML site map