Still celebrating National IT Professionals Day with 3 months of free Premium Membership. Use Code ITDAY17

x
?
Solved

Group Policy security best practice for service account used by Account auditing tool ?

Posted on 2016-08-29
4
Medium Priority
?
51 Views
Last Modified: 2016-10-16
People,

I'm using Netwrix ALE: https://www.netwrix.com/account_lockout_examiner.html freeware to get some report about the locked account in my AD domain.

But the problem is that due to PCI compliance, I cannot put the service accoutn which is used by the service as the member of the DOMAIN\Administrator group, and also cannot be member for all Computer and Server Local Administrator group either ?

So can anyone here please share some thought and comments of how it is best to secure this type of service account while maintaining its functions ?

Thanks.

According to this guide: https://www.netwrix.com/download/documents/Netwrix_Account_Lockout_Examiner_Administrator_Guide.pdf
it requires at least local administraor to audit security log & event ?
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 37

Accepted Solution

by:
bbao earned 2000 total points
ID: 41775833
basically, as always, the principle of least privilege applies.

per the instruction on page 8 regarding service account's requirement, it "'must be a member of the Domain Admins group in all managed domains, OR have" five given rights, you got two choices: domain admin or a specific user with customised rights.

therefore you may create a user to meet the five rules. be aware the LOCAL administrator right is a MUST for client workstation, this seems to be uncompromised.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41775839
Ah I see,

So according to the page 8, I do not have any other choice than to give the Local Administrators group member for all Servers & Computers in the domain.
0
 
LVL 37

Expert Comment

by:bbao
ID: 41775845
correct.
0

Featured Post

Moving data to the cloud? Find out if you’re ready

Before moving to the cloud, it is important to carefully define your db needs, plan for the migration & understand prod. environment. This wp explains how to define what you need from a cloud provider, plan for the migration & what putting a cloud solution into practice entails.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Wouldn't it be nice if objects in Active Directory automatically moved into the correct Organizational Units? This is what AutoAD aims to do and as a plus, it automatically creates Sites, Subnets, and Organizational Units.
What we learned in Webroot's webinar on multi-vector protection.
Nobody understands Phishing better than an anti-spam company. That’s why we are providing Phishing Awareness Training to our customers. According to a report by Verizon, only 3% of targeted users report malicious emails to management. With compan…
Attackers love to prey on accounts that have privileges. Reducing privileged accounts and protecting privileged accounts therefore is paramount. Users, groups, and service accounts need to be protected to help protect the entire Active Directory …

704 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question