In most of the scenarios I have observed, when we talk about patch, backup, antivirus and all sorts of product vendors, they ask for service accounts with Domain Admin privileges. We or the customer never asked back about the security flaws it may lead to and what attackers can do with this level of service account. Here I am just giving some bullet points after reading a fantastic article. I thought it might be helpful for people or customers while designing service account privileges.

Common Service Accounts in Domain Admins (or other AD Admin groups):

Altiris/ADBackup/Backup/BackupExec/CommVault/NetBackup/etc.
Backing up AD (and/or Domain Controllers) only requires membership in the Backup Operators group in AD. This group is specific to Active Directory and, by default, does not provide backup rights to other systems in the domain. These accounts should not require membership in Domain Admins. The caveat is that there are scenarios where a backup service account may require more rights than membership in Backup Operators provides, such as when restoring user attributes in AD. This is for more advanced restoration scenarios, and AD backup accounts should only be members of the Backup Operators group (not Domain Admins) to start. Service accounts that back up anything other than AD or DCs do not require membership in the AD Backup Operators group.

Typically an Exchange service account for archiving Exchange mailboxes. There is no reason for an Exchange-related service account to be a member of privileged AD groups.
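
One way to check an existing domain against these points is to list the likely service accounts that sit in privileged groups. This is an added example, not part of the original post; the group list beyond Domain Admins, the name pattern and the output column names are assumptions to adapt to your environment.

```powershell
# Added example: report likely service accounts in privileged AD groups.
# Requires the ActiveDirectory module (RSAT) and read access to the domain.
Import-Module ActiveDirectory

# Domain Admins is the post's focus; the other two are assumed to be the
# "other AD Admin groups" it mentions.
$PrivilegedGroups = 'Domain Admins', 'Enterprise Admins', 'Administrators'

# Name hints taken from the products the post lists, plus generic prefixes.
# Assumption: replace with your own service account naming convention.
$NamePattern = 'altiris|backup|commvault|netbackup|exchange|^svc|^sa[-_]'

$findings = foreach ($group in $PrivilegedGroups) {
    # -Recursive resolves nested groups down to the leaf accounts.
    foreach ($member in Get-ADGroupMember -Identity $group -Recursive) {
        $isManaged = $member.objectClass -like 'msDS-*ManagedServiceAccount'
        if ($member.objectClass -ne 'user' -and -not $isManaged) { continue }

        $reasons = @()
        if ($isManaged) { $reasons += 'managed service account' }
        if ($member.SamAccountName -match $NamePattern) { $reasons += 'name pattern' }

        $user = $null
        if ($member.objectClass -eq 'user') {
            $user = Get-ADUser -Identity $member.distinguishedName `
                -Properties ServicePrincipalName, PasswordLastSet
            # Accounts that run services usually carry an SPN.
            if ($user.ServicePrincipalName) { $reasons += 'has SPN' }
        }
        if ($reasons.Count -eq 0) { continue }

        [pscustomobject]@{
            Group           = $group
            SamAccountName  = $member.SamAccountName
            Why             = $reasons -join ', '
            PasswordLastSet = if ($user) { $user.PasswordLastSet } else { $null }
        }
    }
}

# Each row is an account to review against the post's guidance, for example
# an AD backup account that belongs in Backup Operators, not Domain Admins.
$findings | Sort-Object Group, SamAccountName | Format-Table -AutoSize
```

An account nested through Domain Admins also appears under Administrators, so the same name can be listed more than once.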