Posted by Roger Abell [MVP] on July 20, 2007, 2:16 am
Hi Matthew,
Did you want to restrict the service accounts, or determine a
character of service account that works (make them admin on
their machine)?
The initial segment of posts clarified how to do what you were
trying to make work, which restricted services to accounts
with admin rights on the target systems. Highly likely only
some few of the privs covered by admin are needed. It is
convenient to use a svcacct group to carry the grants on the
target systems, and the service accts bear the character of
that group in place of admin.
Roger
> I have a service account with administrator rights that I would like
> to restrict to just performing software installs. The account needs
> to be able to copy files to the administrative shares on the target
> computer (servers and workstations), then execute the setup program
> via RPC. Once installed, the software will run as a service in the
> LocalSystem security context.
>
> How might I restrict the rights afforded to this service account? I
> realize that remote software installation is sufficient to compromise
> a computer, but I'd like to know if there's anything I can or should
> do to restrict what this account can access. (I'm probably better off
> using a different method for software distribution, but in this case,
> I am using a network-based discovery program to find computers that
> aren't running this service, and once discovered, the program pushes
> the service out to them using this account.)
>
> Best wishes,
> Matthew
>
> --
> "Rogues are very keen in their profession, and know already much more
> than we can teach them respecting their several kinds of roguery."
> - A. C. Hobbs in _Locks and Safes_ (1853)