5 Replies Latest reply on Oct 13, 2016 12:14 PM by foxblvd

    Least privilege for DSM service accounts?

    stephang Apprentice

      Hey there,

      We have been using DSM since enteo Netinstall V6 and have now upgraded to one of the newest versions.

      Since I am responsible for security in our environment, I would like to ask what the guideline for least privilege is.

      I have 3 accounts as domain admins that are responsible for this product. I think this is way too much and I would like to reduce it to 0.

      Is this possible by maybe adding the run account via group policy to the clients' local admin group?

      Best regards

      Stephan

        • 1. Re: Least privilege for DSM service accounts?
          markuszierer Apprentice

          Hi Stefan,

          The good news is, you do not need Domain Admin rights at all. In the past it was just easier (lazy admins...) to give domain admin rights to the DSM accounts. But this is not necessary. It's enough to make sure the runtime service and the SIS have administrative permissions on a client.

          I personally prefer to use the GPO Settings "Restricted Groups" for this purpose. When you use it, every time the GPO is applied to the client, the Group Membership settings as specified in the GPO are applied to the client. To be more precise: All existing Group Memberships will be replaced by the setting in the GPO. This means, even if somebody was able to add his account to the local administrators group, it will be thrown out upon next GPO apply.

          For me this is a good solution, but there are also different ways to accomplish that.

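As an added example (not code from this thread or from DSM), the following PowerShell script checks on a managed client that the local Administrators group contains exactly the members the Restricted Groups GPO described above is supposed to enforce, and reports any extra or missing accounts. The account names are placeholders; the DSM runtime service account and SIS account names are assumptions.

```powershell
# Added example: verify that a client's local Administrators group matches the
# membership the Restricted Groups GPO should enforce. All account names below
# are placeholders; replace them with your domain, runtime service and SIS accounts.
$ExpectedMembers = @(
    "$env:COMPUTERNAME\Administrator"   # placeholder: built-in local admin
    'EXAMPLE\svc-dsm-runtime'           # placeholder: DSM runtime service account
    'EXAMPLE\svc-dsm-sis'               # placeholder: SIS account
)

function Test-LocalAdminMembership {
    param(
        [string[]]$Expected = $ExpectedMembers
    )
    # Get-LocalGroupMember is part of Microsoft.PowerShell.LocalAccounts
    # (Windows PowerShell 5.1 and later). Names come back as DOMAIN\user or HOST\user.
    $actual = @(Get-LocalGroupMember -Group 'Administrators' | ForEach-Object { $_.Name })

    # -notcontains compares case-insensitively, so naming case differences are tolerated.
    $unexpected = @($actual   | Where-Object { $Expected -notcontains $_ })
    $missing    = @($Expected | Where-Object { $actual   -notcontains $_ })

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Actual       = $actual
        Unexpected   = $unexpected   # accounts that should have been removed by the GPO
        Missing      = $missing      # service accounts the GPO should have added
        Compliant    = ($unexpected.Count -eq 0 -and $missing.Count -eq 0)
    }
}

$result = Test-LocalAdminMembership
$result | Format-List

if (-not $result.Compliant) {
    Write-Warning "Local Administrators on $($result.ComputerName) deviates from the expected Restricted Groups membership."
}
```

Run it after a `gpupdate /force` on a test client to confirm the GPO really replaced the group membership rather than merely adding to it.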
          • 2. Re: Least privilege for DSM service accounts?
            Frank.Scholer Master

            Hi Stephan,

            three domain admin accounts is way too much! At maximum you should have one domain admin (the SIS account), but I would suggest you are leveraging group policy or group policy preferences to add the SIS account to all local administrator-groups on the managed systems.

            Also have a look in the online help. The chapter "Security Concept and Permissions › Security Concept" describes a configuration option called "Zero Account Model", which is the recommended option for running DSM in domain environments from a security point of view. You'll have to check if your packages are executing successfully when activating that option, though, as the service installer no longer has access to external resources...

            HTH, regards

            Frank

            • 3. Re: Least privilege for DSM service accounts?
              stephang Apprentice

              Thank you for your suggestions. I will test it out.

              Great that there is also a help for that.

              By external resources, do you mean things like file shares that may be accessible with domain admin rights but not with local admin rights?

              Best regards

              Stephan

              • 4. Re: Least privilege for DSM service accounts?
                Frank.Scholer Master

                Hi Stephan,

                yes, with external resources I mean, for example, file shares on the LAN. The local system account doesn't have access to any network resource, so you'll have to incorporate all needed sources into the package directory so it gets staged in the local repository cache (and the service installer can access it there)...

                HTH, Frank

                • 5. Re: Least privilege for DSM service accounts?
                  foxblvd Apprentice

                  Extern$ for the win.