domain account vs local account for services

datchcha Member Posts: 265
What is the general rule with services that require elevated rights? Should I make specialized domain accounts, or should I create a local account and use that?

I feel like I should create a domain account so I can control the account from a centralized location, in case I have to change the password because the account is compromised for some reason. I could be wrong in my thinking.

thank you,
Arrakis

Comments

  • RTmarc Member Posts: 1,082
    Domain Account should be used in nearly every situation unless you just absolutely can't do so. There is a laundry list of reasons not to use local, many of which are security related.

    I typically use a random password generator and store the password in a 256-bit AES encrypted file.
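    The workflow RTmarc describes (random password, AES-256 encrypted at rest) can be scripted end to end on a domain-joined admin host. The following is an added example written for this thread, not RTmarc's script; the account name svc_sql, the paths under C:\secure and the ACL principal are placeholders. It uses `ConvertFrom-SecureString -Key` with a 32-byte key, which is AES-256, and `Set-ADAccountPassword` from the ActiveDirectory module to push the new password to the domain account.

```powershell
# Added example (not from the thread). Assumed placeholders: svc_sql, C:\secure\*.
# Requires the ActiveDirectory module (RSAT) and rights to reset the account's password.

function New-RandomPassword {
    param([int]$Length = 32)
    # Alphabet of 76 characters; rejection sampling below avoids modulo bias.
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+'
    $limit = [int]([math]::Floor(256 / $alphabet.Length) * $alphabet.Length)   # 228
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $sb = New-Object System.Text.StringBuilder
    $buf = New-Object byte[] 1
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) {
            [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length])
        }
    }
    return $sb.ToString()
}

$account = 'svc_sql'                      # placeholder service account (sAMAccountName)
$keyPath = 'C:\secure\svc_sql.key'        # placeholder: 32-byte AES-256 key
$pwdPath = 'C:\secure\svc_sql.pwd'        # placeholder: encrypted password blob

# 1. Generate the password in memory only; never write it in the clear.
$plain = New-RandomPassword -Length 32
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force
Remove-Variable plain

# 2. Create a random 256-bit key and lock the key file down to Administrators.
#    The key must live somewhere the encrypted blob's readers cannot reach,
#    otherwise the encryption adds nothing over plaintext.
$key = New-Object byte[] 32
[System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($key)
[System.IO.File]::WriteAllBytes($keyPath, $key)
icacls $keyPath /inheritance:r /grant:r 'BUILTIN\Administrators:(F)' | Out-Null

# 3. AES-256 encrypt the password with that key and store the blob.
ConvertFrom-SecureString -SecureString $secure -Key $key | Set-Content -Path $pwdPath

# 4. Reset the domain account to the new password (centralized control, as the
#    original poster wanted) and clear the key from memory.
Set-ADAccountPassword -Identity $account -NewPassword $secure -Reset
[Array]::Clear($key, 0, $key.Length)

# Later, to recover the credential for reconfiguring a service:
$key = [System.IO.File]::ReadAllBytes($keyPath)
$secure = Get-Content -Path $pwdPath | ConvertTo-SecureString -Key $key
$cred = New-Object System.Management.Automation.PSCredential("CONTOSO\$account", $secure)
```

    The design point is step 2: `ConvertFrom-SecureString` without `-Key` uses DPAPI, which ties the blob to the user and machine that wrote it; with a `-Key` it is portable, so the key file's ACL becomes the real access control and should be audited accordingly.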
  • datchcha Member Posts: 265
    RTmarc wrote:
    Domain Account should be used in nearly every situation unless you just absolutely can't do so. There is a laundry list of reasons not to use local, many of which are security related.

    I typically use a random password generator and store the password in a 256-bit AES encrypted file.
    Thanks... so I was thinking in the right direction.
    Arrakis
  • royal Member Posts: 3,352
    One thing to keep in mind is that some services will utilize Kerberos and if you use a Domain Services account, you "may" need to register your SPN correctly. The reason is if a services account does not have administrator privileges, it won't register its SPN. Take for instance, SQL. If you use a domain services account that is not a domain admin, you'll have to register the SPN on the user account to use MSSSQLSVR on port 1433 to allow for remote authentication. If the services account is a domain admin (don't do this!!!!), you won't have to manually register the SPN.
    “For success, attitude is equally as important as ability.” - Harry F. Banks
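    Royal's point about SPNs is where a least-privilege service account most often trips up: SQL Server's SPN service class is MSSQLSvc, and if the account cannot write its own servicePrincipalName attribute, an admin has to register it. The following added example (not royal's, not from the thread) checks for a duplicate, registers the SPN on the account and verifies it; the host sql01.contoso.com, the instance port 1433 and the account svc_sql are placeholders.

```powershell
# Added example (not from the thread). Placeholders: sql01.contoso.com, 1433, svc_sql.
# setspn.exe ships with Windows; Get-ADUser needs the ActiveDirectory module.

$account = 'svc_sql'
$spns = @(
    'MSSQLSvc/sql01.contoso.com:1433',   # FQDN form, used by most clients
    'MSSQLSvc/sql01:1433'                 # NetBIOS form, for clients that connect by short name
)

foreach ($spn in $spns) {
    # 1. A duplicate SPN anywhere in the forest breaks Kerberos for that service
    #    (clients silently fall back to NTLM or fail), so query before adding.
    Write-Host "Checking forest for existing registrations of $spn"
    setspn -Q $spn

    # 2. -S adds the SPN only if no duplicate exists; -A would add it blindly.
    setspn -S $spn $account
}

# 3. Verify what the account now holds, via setspn and via the AD attribute directly.
setspn -L $account
Get-ADUser -Identity $account -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName
```

    To confirm that clients actually negotiate Kerberos after the change, query `auth_scheme` in SQL Server's `sys.dm_exec_connections` for your own session: it reports KERBEROS on success and NTLM when the SPN is missing or duplicated. Running the service as a domain admin would indeed let SQL self-register the SPN, as royal notes, but that trades one configuration step for a standing high-privilege credential on the SQL host.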
  • datchcha Member Posts: 265
    royal wrote:
    One thing to keep in mind is that some services will utilize Kerberos and if you use a Domain Services account, you "may" need to register your SPN correctly. The reason is if a services account does not have administrator privileges, it won't register its SPN. Take for instance, SQL. If you use a domain services account that is not a domain admin, you'll have to register the SPN on the user account to use MSSSQLSVR on port 1433 to allow for remote authentication. If the services account is a domain admin (don't do this!!!!), you won't have to manually register the SPN.
    I totally forgot about that. I do remember reading something along these lines. Thank you for bringing that up. I'm a network engineer who has been forced to do system administration...

    Thanks again.
    Arrakis