We help IT Professionals succeed at work.

SPNs pose a security risk?

747 Views
Last Modified: 2013-12-04
So I was speaking with our "infrastructure guy" about implementing Service Principle Names for proper kerberos authentication with the identity pool accounts in some of or IIS websites. He starts rattling something off about SPN enabled accounts having "ring 0" access or something along those lines. Bascially some kind of low level OS access when used. Now, I understand what SPNs are and what they do but Ive never heard the "ring 0" reference used before and Im a bit confused as to what he is talking about in regards to SPNs somehow creating a security risk.

Confirm or disprove what he is saying? If he is correct, please explain to me hopefully with a little more detail why SPNs might pose a security risk. I see technet articles and such all over the place stating that this is a common and even best practice approach. But he's denying that based on his own "black hat" knowledge of active directory. Ive got nearly 10 years of experience with AD and I have never heard about SPNs being a security risk. Im not implying that I am correct, I simply would like to expand my knowledge if this is the case.
Comment
Watch Question

Henrik JohanssonSystems engineer
Top Expert 2008

Commented:
Well, any network feature that is incorrectly configured is a security risk...

About the ring talk, see wikipedia
http://en.wikipedia.org/wiki/Ring_(computer_security)

Author

Commented:
Ahh thanks for the "ring" clarification. If he had just said kernel level privilges I would have better understood what he was talking about! haha I understand the technology and the concepts Im just horrible with all the "terminology."

Anyhow, to get back to the point. We are using low privilege domain accounts as for identity accounts in the application pools in IIS. These accounts have some rights usually on the box itself to read directories and such but otherwise are restricted in the domain. I understand the process of creating SPN's for service accounts, but I dont understand beyond the accounts configured access how it is possible that simply creating a SPN for an account gives that account "ring 0" priveleges. And if that was the case then why is this process so commonly documented without any warning or implication?

Stating that this is an incorrect use of this capability essentially implys that any access should be restricted to the web server itself. From a security perspective, I undersand that might be the safest way to server content. However one cannot imply that using domain accounts for application pools is incorrect, as it is a common and supported practice especially when used internally which is how we are currently utilizing it. So assuming that a domain account has no rights on the domain whatsoever other than on the box in which it is used, how would using an SPN pose a risk to the rest of the domain?
CERTIFIED EXPERT
Top Expert 2013
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION
Henrik JohanssonSystems engineer
Top Expert 2008
Commented:
Unlock this solution and get a sample of our free trial.
(No credit card required)
UNLOCK SOLUTION

Author

Commented:
Thank you all for your time... sorry I didnt close this question sooner.
Unlock the solution to this question.
Thanks for using Experts Exchange.

Please provide your email to receive a sample view!

*This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

OR

Please enter a first name

Please enter a last name

8+ characters (letters, numbers, and a symbol)

By clicking, you agree to the Terms of Use and Privacy Policy.