Solved

Group Policy security best practice for service account used by Account auditing tool ?

Posted on 2016-08-29
4
37 Views
Last Modified: 2016-10-16
People,

I'm using Netwrix ALE: https://www.netwrix.com/account_lockout_examiner.html freeware to get some report about the locked account in my AD domain.

But the problem is that due to PCI compliance, I cannot put the service accoutn which is used by the service as the member of the DOMAIN\Administrator group, and also cannot be member for all Computer and Server Local Administrator group either ?

So can anyone here please share some thought and comments of how it is best to secure this type of service account while maintaining its functions ?

Thanks.

According to this guide: https://www.netwrix.com/download/documents/Netwrix_Account_Lockout_Examiner_Administrator_Guide.pdf
it requires at least local administraor to audit security log & event ?
0
Comment
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
4 Comments
 
LVL 37

Accepted Solution

by:
bbao earned 500 total points
ID: 41775833
basically, as always, the principle of least privilege applies.

per the instruction on page 8 regarding service account's requirement, it "'must be a member of the Domain Admins group in all managed domains, OR have" five given rights, you got two choices: domain admin or a specific user with customised rights.

therefore you may create a user to meet the five rules. be aware the LOCAL administrator right is a MUST for client workstation, this seems to be uncompromised.
0
 
LVL 8

Author Comment

by:Senior IT System Engineer
ID: 41775839
Ah I see,

So according to the page 8, I do not have any other choice than to give the Local Administrators group member for all Servers & Computers in the domain.
0
 
LVL 37

Expert Comment

by:bbao
ID: 41775845
correct.
0

Featured Post

Free Tool: Path Explorer

An intuitive utility to help find the CSS path to UI elements on a webpage. These paths are used frequently in a variety of front-end development and QA automation tasks.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Invest in your employees with these five simple steps to improve employee engagement and retention.
How many times a day do you open, acknowledge, or close an IT incident? What’s your process? Do you have a process depending on the incident, systems involved, and other factors? New Relic Alerts gives you options for how you interact with notifica…
Windows 10 is mostly good. However the one thing that annoys me is how many clicks you have to do to dial a VPN connection. You have to go to settings from the start menu, (2 clicks), Network and Internet (1 click), Click VPN (another click) then fi…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question