Solved

SPNs pose a security risk?

Posted on 2009-07-06
5
649 Views
Last Modified: 2013-12-04
So I was speaking with our "infrastructure guy" about implementing Service Principal Names for proper Kerberos authentication with the identity pool accounts in some of our IIS websites. He starts rattling something off about SPN-enabled accounts having "ring 0" access or something along those lines. Basically some kind of low-level OS access when used. Now, I understand what SPNs are and what they do, but I've never heard the "ring 0" reference used before and I'm a bit confused as to what he is talking about in regards to SPNs somehow creating a security risk.

Confirm or disprove what he is saying? If he is correct, please explain to me, hopefully with a little more detail, why SPNs might pose a security risk. I see TechNet articles and such all over the place stating that this is a common and even best-practice approach. But he's denying that based on his own "black hat" knowledge of Active Directory. I've got nearly 10 years of experience with AD and I have never heard about SPNs being a security risk. I'm not implying that I am correct, I simply would like to expand my knowledge if this is the case.
Question by:Zen_Dragon
5 Comments
 
LVL 31

Expert Comment

by:Henrik Johansson
ID: 24789442
Well, any network feature that is incorrectly configured is a security risk...

About the ring talk, see wikipedia
http://en.wikipedia.org/wiki/Ring_(computer_security)
 

Author Comment

by:Zen_Dragon
ID: 24789579
Ahh, thanks for the "ring" clarification. If he had just said kernel-level privileges I would have better understood what he was talking about! haha. I understand the technology and the concepts, I'm just horrible with all the "terminology."

Anyhow, to get back to the point. We are using low-privilege domain accounts as identity accounts in the application pools in IIS. These accounts have some rights, usually on the box itself, to read directories and such, but otherwise are restricted in the domain. I understand the process of creating SPNs for service accounts, but I don't understand, beyond the account's configured access, how it is possible that simply creating an SPN for an account gives that account "ring 0" privileges. And if that was the case, then why is this process so commonly documented without any warning or implication?

Stating that this is an incorrect use of this capability essentially implies that any access should be restricted to the web server itself. From a security perspective, I understand that might be the safest way to serve content. However, one cannot imply that using domain accounts for application pools is incorrect, as it is a common and supported practice, especially when used internally, which is how we are currently utilizing it. So assuming that a domain account has no rights on the domain whatsoever other than on the box in which it is used, how would using an SPN pose a risk to the rest of the domain?
 
LVL 57

Accepted Solution

by: Mike Kline (earned 250 total points)
ID: 24790021
I'm not sure how the SPN would pose a risk and not sure what your infrastructure guy was talking about. He may have been talking out of his ass... like you said, the account has no rights. In that case you may even have to manually create the SPN.
I looked at a few well-known security guides and they don't mention it either:
DISA Active Directory STIG: http://iase.disa.mil/stigs/stig/active-directory-stig-v1r1.pdf
Best Practice Guide for Securing Active Directory Installations: http://www.microsoft.com/downloads/details.aspx?FamilyID=2eaa45c7-d936-413e-9586-a8bb6ff739d9&DisplayLang=en
 
I'm guessing if you talk to this guy and ask for concrete examples he won't be able to give any, and then he will just start spouting off about how Windows sucks and Linux "pwns" :)
Thanks
Mike
 
LVL 31

Assisted Solution

by: Henrik Johansson (earned 250 total points)
ID: 24794869
It sounds like you're aware of how to configure the permissions of the accounts with less privileges, and that shall be fine.
If a service is run with administrator access on the local server or domain, you have in any security perspective a big hole, but that isn't really an SPN problem.

I found this thread discussing SPNs being stated as a hole, but as I understand it, the risk is when the server announces the SPN on its own, making it open for spoofing. If using service user accounts correctly, it shouldn't be the same risk.
http://mailman.mit.edu/pipermail/kerberos/2008-January/012869.html

As Mike said, ask the infrastructure guy for concrete examples about why service account SPNs shall be a big security risk when they're used to increase the security.

To mention upcoming features, 2008 R2 will have Managed Service Accounts:
http://technet.microsoft.com/en-us/library/dd367859(WS.10).aspx
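Both answers land on the same point: the SPN itself grants nothing, the risk (if any) is a service account that already holds administrative rights, and a missing or duplicated SPN is an operational problem rather than a privilege one. The following PowerShell script is an added example, not code from the thread or from any of the posters, that turns that advice into a check a domain admin can run: it lists every user account carrying an SPN, flags the ones that are members of privileged groups, and runs the built-in duplicate-SPN scan. It assumes the ActiveDirectory module (Windows Server 2008 R2 / RSAT) and the `setspn.exe` tool that ships with Windows Server 2008 and later; the `$privilegedGroups` list is a hypothetical starting point to be extended with your own groups.

```powershell
# Added example (not from the thread): audit the accounts that carry SPNs so that the
# real risk the answers describe -- a service account with admin rights -- becomes visible.
# Assumes the ActiveDirectory PowerShell module and a domain-joined session with read
# access to the directory.
Import-Module ActiveDirectory

# Groups whose membership makes a service account effectively "ring 0" for the domain.
# Hypothetical list; extend it with the privileged groups in your own forest.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Schema Admins',
                      'Administrators', 'Account Operators', 'Backup Operators')

# Resolve the members of each privileged group once, recursively, so that a service
# account that is privileged only through a nested group is caught as well.
$privilegedMembers = @{}
foreach ($g in $privilegedGroups) {
    try {
        Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
            ForEach-Object { $privilegedMembers[$_.DistinguishedName] = $g }
    } catch {
        Write-Warning "Could not enumerate group '$g': $_"
    }
}

# Every user object (computer accounts excluded) with at least one SPN, i.e. every
# account the KDC will issue Kerberos service tickets for.
$spnAccounts = Get-ADUser -LDAPFilter '(servicePrincipalName=*)' `
    -Properties servicePrincipalName, PasswordLastSet, PasswordNeverExpires

$report = foreach ($acct in $spnAccounts) {
    [pscustomobject]@{
        SamAccountName       = $acct.SamAccountName
        Enabled              = $acct.Enabled
        SPNs                 = ($acct.servicePrincipalName -join '; ')
        # $null when the account is not in any privileged group -- the configuration
        # the thread recommends (low-privilege app pool identity, SPN registered on it).
        PrivilegedGroup      = $privilegedMembers[$acct.DistinguishedName]
        PasswordNeverExpires = $acct.PasswordNeverExpires
        PasswordLastSet      = $acct.PasswordLastSet
    }
}

# The finding: service accounts whose SPN is attached to an administrative identity.
# These are the "big hole" Henrik describes, and it is the group membership, not the SPN,
# that needs fixing.
$report | Where-Object { $_.PrivilegedGroup } |
    Format-Table SamAccountName, PrivilegedGroup, SPNs -AutoSize

# Full inventory for review, e.g. to spot stale accounts or passwords that never expire.
$report | Sort-Object SamAccountName | Format-Table -AutoSize

# Duplicate SPNs: two accounts registering the same name means the KDC may encrypt a
# service ticket with the wrong account's key, so Kerberos fails for that service.
# setspn -X scans the forest for exactly that condition.
setspn -X
```

When registering the SPN by hand, as Mike notes may be necessary for a low-privilege account, `setspn -S HTTP/webhost.example.local DOMAIN\svc_apppool` adds it only after checking that no other account already claims it (`-A` on older versions adds without that check); re-running the audit afterwards should show the new SPN on an account with an empty `PrivilegedGroup` column.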
 

Author Closing Comment

by:Zen_Dragon
ID: 31600351
Thank you all for your time... sorry I didn't close this question sooner.