Service Accounts A Secant Standards White Paper



Similar documents
Secure Configuration Guide

Virtual Code Authentication User s Guide. June 25, 2015

Symantec Backup Exec Management Plug-in for VMware User's Guide

Administration Guide

VMware vcenter Log Insight Security Guide

Quick Start Guide For Ipswitch Failover v9.0

Portal Administration. Administrator Guide

SECURITY DOCUMENT. BetterTranslationTechnology

GENEVA COLLEGE INFORMATION TECHNOLOGY SERVICES. Password POLICY

Server Installation ZENworks Mobile Management 2.7.x August 2013

Managing Users and Identity Stores

VMware vcenter Log Insight Security Guide

Electronic business conditions of use

SQL Server / Express 2008 Migration Frequently Asked Questions

Reconfiguration of VMware vcenter Update Manager

Use QNAP NAS for Backup

Keeping Tabs on the Top 5 Critical Changes in Active Directory with Netwrix Auditor

IP Addressing and VLAN Numbering A Secant Standards White Paper

MassTransit Leveraging MassTransit and Active Directory for Easier Account Provisioning and Management

HP LeftHand SAN Solutions

RealPresence Platform Director

Spector 360 Deployment Guide. Version 7.3 January 3, 2012

Training module 2 Installing VMware View

HP Intelligent Management Center v7.1 Virtualization Monitor Administrator Guide

VoipSwitch Security Audit

Leveraging MassTransit and Active Directory for Easier Account Provisioning and Management

Accops HyWorks v2.5. Quick Start Guide. Last Update: 4/18/2016

Upgrading Horizon Workspace

CCH Audit Automation. Version 4.4 Service Pack 2.1. Release Notes

HP IMC Firewall Manager

Reconfiguring VMware vsphere Update Manager

NetSupport DNA Configuration of Microsoft SQL Server Express

How To Control Vcloud Air From A Microsoft Vcloud (Vcloud)

vcenter Configuration Manager Backup and Disaster Recovery Guide VCM 5.3

Veeam Task Manager for Hyper-V

Virtual Code Authentication User Guide for Administrators

Server Software Installation Guide

IIS, FTP Server and Windows

AESDIRECT ACCOUNT ADMINISTRATION USER GUIDE

SOA Software API Gateway Appliance 7.1.x Administration Guide

Information Technology Acceptable Use Policy

NetSupport DNA Configuration of Microsoft SQL Server Express

GRAVITYZONE HERE. Deployment Guide VLE Environment

Synchronization Agent Configuration Guide

INTEGRATION GUIDE. IDENTIKEY Federation Server for Juniper SSL-VPN

Password Management Guide

simplify printing TX Guide v. 1. make IT simple Tricerat, Inc Cronridge Drive Suite 100 Owings Mills, MD , All rights Reserved

Oracle Enterprise Manager

Management Pack for vrealize Infrastructure Navigator

Server-based Password Synchronization: Managing Multiple Passwords

Oracle Directory Services Integration with Database Enterprise User Security O R A C L E W H I T E P A P E R F E B R U A R Y

Reconfiguring VMware vsphere Update Manager

Migrating to vcloud Automation Center 6.1

Use of Commercial Backup Software with Juris (Juris 2.x w/msde)

RSA Authentication Manager 7.1 Security Best Practices Guide. Version 2

VMware Software Manager - Download Service User's Guide

Security Guide for the BD Remote Instrument Support Solution BD Biosciences workstations

Connectivity to Polycom RealPresence Platform Source Data

Sophos Mobile Control SaaS startup guide. Product version: 6

An Oracle White Paper September Directory Services Integration with Database Enterprise User Security

Password regulations for Karolinska Institutet

Enroll a Windows Phone 8 Device

Logging In You must log in to the system before you can begin exchanging files with UMB. To log in to the system, follow the steps below.

Implementing Effective Backup Strategies For Disaster Recovery. Kurt Lamoreaux Consultant, Computer Networking

Kaseya 2. Quick Start Guide. for Network Monitor 4.1

Quick Start Guide for VMware and Windows 7

Sophos SafeGuard Native Device Encryption for Mac quick startup guide. Product version: 7

Technical Proposition. Security

Alert Notification of Critical Results (ANCR) Public Domain Deployment Instructions

MyLLP Customer Portal User Guide Registration

An Oracle White Paper June Security and the Oracle Database Cloud Service

Mobile Admin Architecture

Quest ChangeAuditor 4.8

DEPLOYMENT ROADMAP March 2015

SQL Server Hardening

Defender Delegated Administration. User Guide

VMware Identity Manager Administration

Centralized logging with alerts for Windows

VMware vcenter Configuration Manager Backup and Disaster Recovery Guide vcenter Configuration Manager 5.4.1

4cast Server Specification and Installation

Dell One Identity Cloud Access Manager Installation Guide

CHOOSING THE RIGHT PORTABLE SECURITY DEVICE. A guideline to help your organization chose the Best Secure USB device

Installation Quick Start SUSE Linux Enterprise Server 11 SP1

BlackBerry Enterprise Service 10. Universal Device Service Version: Administration Guide

Symantec Enterprise Security Manager Baseline Policy Manual for CIS Benchmark

How to Backup and Restore a VM using Veeam

Thinspace deskcloud. Quick Start Guide

THE OPEN UNIVERSITY OF TANZANIA

White Paper. BD Assurity Linc Software Security. Overview

INTEGRATION GUIDE. DIGIPASS Authentication for Juniper SSL-VPN

User-ID Configuration

Borderware MXtreme. Secure Gateway QuickStart Guide. Copyright 2005 CRYPTOCard Corporation All Rights Reserved

Oracle Enterprise Manager. Description. Versions Supported

Identity & Access Management in the Cloud: Fewer passwords, more productivity

Transcription:

Service Accounts A Secant Standards White Paper Publication No.:101 Version: 11/28/11

ABOUT STANDARDS Secant is pleased to publicly release several key technology standards for reference by our clients and their network engineers. Over many years in business, Secant s technical staff has worked to develop documents that we call Secant Standards. These are documents that describe best practices for the design, configuration, deployment and management of network technologies. Secant Standards are the results of many years of real-world experience and refinement. By employing these standards, organizations will benefit from the combined experience of the many individuals that have contributed to the standards over the years. We welcome your feedback, suggestions and questions about these standards documents at standards@secantcorp.com Secant Standards are frequently revised and updated. The latest versions can be downloaded from www.secantcorp.com/standards Copyright 2011 by Secant Technologies This white paper may be reproduced and distributed for non-commercial purposes. It must be reproduced in its entirety with this statement of copyright included.

Service Accounts OVERVIEW An account used by an application (rather than a user) can be referred to as a service account. Many network applications such as backup software require a saved set of credentials to run. This standard identifies best practices for creating, configuring, and documenting service accounts. APPROACH SECURITY Many applications require administrative level credentials to run, such as backup software. In order to ensure services run uninterrupted and still maintain the highest levels of security, service accounts should be configured with very strong passwords (that will not be susceptible to brute force attacks). These passwords should then be set to never expire (unless an automated password management solution is implemented) to avoid potential service disruptions. Consider the requirements of the service account carefully and factor in the principle of least privilege to determine whether the service account should be created locally on one or more systems or created in a directory service (such as Active Directory, edirectory, or Open Directory). If the service account requires access to the directory service, then it must be created in the directory. If the service account requires access to more than two systems (such as backup software that uses client agents), then the account should be created in the directory. If the service account requires access to two or less systems and does not need access to directory resources, then it is generally recommended to create the account locally. Remember also that if the service account is created in the directory, then the directory must be available for it to authenticate. When an outage occurs the startup order and network availability become important when a service account in the directory is used to start a service. If the directory is not accessible when the server starts, then the service will fail to start. Assign appropriate permissions to each service account by referring to the application's documentation for details on what privileges are required. FLEXIBILITY To ensure the highest levels of security, it is best practice to change user credentials on a regular basis. Changing passwords is especially important for built-in administrative level credentials because those accounts are the most frequently attacked. One barrier to changing administrative level credentials on built-in accounts on a regular basis however is the usage of those credentials within applications such as backup software or database software, etc. When administrative credentials are used in this way, changing the password to such an account can result in application failures, backup failures, and scheduled maintenance routine failures. Thus, it is best practice when configuring applications with saved credentials, to always use a designated service account rather than a built-in administrative level account. This ensures the flexibility of changing built-in administrative level passwords on a regular basis and on an as-needed basis without impacting network services. Service Accounts ~ November 2011 1

AUDITING To support detailed security auditing, it is recommended that each application that requires saved credentials be configured with its own set of credentials. Thus, for example, if a server shuts down for an unknown reason, then security logs can be examined to determine which account initiated the shut down and determine if it was initiated by a particular application. IMPLEMENTATION NAMING CONVENTION The service account naming convention for an application is svc-applicationname. For systems that do not support hyphens in the username, then omit the hyphen (example: svcapplicationname). Note that no spaces should be used in the username. If the service account is not being used by a specific application, then instead of applicationname, use a description of how the account is being used. For example, svc-sql1scripts. SERVICE ACCOUNT USERNAMES The following are recommended Service Account usernames for the specified applications. This is not a complete list by any means but does provide guidelines for some common applications. Application CA ARCserve Backup HP SIM Secant Email Defender Sophos Symantec Backup Exec Veeam Backup Vizioncore vranger VMware Capacity Planner VMware vcenter Service Account Username svc-arcserve svc-hpsim svc-defender svc-sophos svc-backupexec svc-veeam svc-vranger svc-cplanner svc-vcenter GROUP MEMBERSHIP Appropriate permissions should be assigned to each service account using group membership. Use the principle of least privilege to assign permissions. For example, if an application requires administrative level permissions on only one server, then assign administrative group membership on that server only. PASSWORDS Service account passwords must be strong passwords and must meet the following minimum requirements: 12 characters in length Three of the following four attributes Contains one or more lowercase alphabetic characters Service Accounts ~ November 2011 2

Contains one or more uppercase alphabetic characters Contains one or more number characters Contains one or more non-alphanumeric characters Passwords must not be composed of one or more dictionary words Passwords must be documented appropriately. Changing service account passwords every 18 to 24 months is recommended. Service Accounts ~ November 2011 3

6395 Technology Avenue Kalamazoo, Michigan 49009 269-375-8996 800-875-4222 269-375-4222 fax www.secantcorp.com While every precaution has been taken to ensure accuracy and completeness in this literature, Secant Technologies assumes no responsibility, and disclaims all liability for damages resulting from use of this information or for any errors or omissions. 2011 Secant Technologies. All rights reserved throughout the known universe. Specifications subject to change without notice.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information