Thursday, December 9, 2010

Old Topic / New Thoughts: Special User Accounts

You have scheduled tasks and services running around like 3-legged blind cats with collars made of catnip.  They've been drinking Red Bull all day also.  Not good.  Now one of the suits walks in with a folded up magazine about "Cutting Edge IT" he lifted from the seat pocket on his red-eye flight from Vegas.  He says: "You boyz, listen up! I read that you best be a-changin them there passwords on them there service accounts.  Y'all hear?!"  And after a short pause with no sound, you all start back to work as if he never entered the room.

Ok, I needed a mental break.  On to something more serious:

You changed a password and now shit is breaking.  Or, even more tedious, the account keeps getting locked because something out there in the depths of space is still trying to use it and getting the gas-face from AD.  You could start the manhunt for where the problems are coming from.  You can query AD for which DC handled the offending request that locked the account.  You can query all computers in the Forest or Domain for scheduled tasks, services, DSNs, auto-runs, and so on.  Fear not, there are three easy "options" to mitigate this crap:

1. Create a new account.  Disable the old account.

2. Restrict the account to only specific computers

3. Use machine accounts (aka "SYSTEM")

I prefer option 3 for everything.  Like killing ants with a Gatling-style howitzer.  But that's just me.  As for option 1, it'll leave a mess behind, that's for sure.  But the problem will eventually be solved.  However, it will only work its way out if you combine it with option 2.

Option 2 is really what you should have been doing all along.  A funny little trick we used to do waaaay back to **** with co-workers was to get on our computers in the morning, and enter the user ID for the co-worker and fat-finger the password (intentionally) enough times to lock the account.  Then chuckle, sip some coffee and log in normally and wait for the yelling from across the room.  Good times. 

Funny: maybe (to me it was), but this is actually a serious problem.  A very serious problem.  It means that with a casual query of AD (very simple for any user to do) I can guess some of the critical account names, intentionally lock them, and disrupt business processes.  This is kind of like that guy in the new Allstate commercials with the band-aid on his face going around causing problems like Mr. Murphy himself.  Option 2 above helps keep this vulnerability from being exploited against your sensitive operations accounts.

Option 3 not only mitigates a sneaky prank attack like the one described above, but it also removes the need to monkey with stupid passwords.  I mean - seriously - this is 2010 and we're STILL having to stop everything to change passwords - modify scheduled jobs - edit config files and DSNs - fix Dr. Asswipe's PhD hard-coded stupid-ass application (the guy in accounting who insists on writing his own apps and smokes a pipe, you know the guy), and STILL get any work done?  Seriously?!  We've gone NOWHERE.  Our forefathers would be crying in their colonial beer mugs.
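To put the three steps above into something you can actually run on a Monday morning, here is an added PowerShell example (it is not from the original post): it finds who is locking a service account by pulling event 4740 from the PDC emulator, hunts the machines that still run services or scheduled tasks under the old account, pins the account to the few boxes that legitimately need it (option 2), and shows the SYSTEM switch for a task and a service (option 3).  The account name `svc_backup`, the computer names, the task name `Nightly backup` and the service name `BackupSvc` are made-up placeholders; the cmdlets (`Search-ADAccount`, `Get-WinEvent`, `Set-ADUser -LogonWorkstations`, `schtasks`, `sc.exe`) are real and need the AD module on the box you run this from.

```powershell
# Added example: hunting a locked-out service account and locking it down.
# Assumes the ActiveDirectory module and rights to read the DCs' Security logs.
Import-Module ActiveDirectory

$account = 'svc_backup'                 # placeholder service account
$allowedHosts = 'BACKUP01,BACKUP02'     # placeholder hosts that should use it

# 1. Which accounts are locked right now?
Search-ADAccount -LockedOut | Select-Object SamAccountName, LockedOut

# 2. Lockouts are always replicated to the PDC emulator, so ask it for
#    event 4740 ("A user account was locked out") from the last day.  The
#    message carries the "Caller Computer Name", i.e. the box whose bad
#    password attempts tripped the lockout policy.
$pdc = (Get-ADDomain).PDCEmulator
Get-WinEvent -ComputerName $pdc -FilterHashtable @{
    LogName = 'Security'; Id = 4740; StartTime = (Get-Date).AddDays(-1)
} | ForEach-Object {
    if ($_.Message -match 'Caller Computer Name:\s+(\S+)') {
        [pscustomobject]@{
            Time   = $_.TimeCreated
            Caller = $Matches[1]
            Locked = ($_.Properties[0].Value)   # TargetUserName in 4740
        }
    }
} | Where-Object { $_.Locked -eq $account }

# 3. Sweep the domain's Windows servers for services and scheduled tasks
#    still running under the account.  schtasks is used because
#    Get-ScheduledTask did not exist in 2010-era Windows.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*"' |
           Select-Object -ExpandProperty Name
foreach ($c in $servers) {
    Get-WmiObject -Class Win32_Service -ComputerName $c -ErrorAction SilentlyContinue |
        Where-Object { $_.StartName -like "*$account*" } |
        ForEach-Object { "$c service '$($_.Name)' runs as $($_.StartName)" }

    schtasks /Query /S $c /V /FO CSV 2>$null | ConvertFrom-Csv |
        Where-Object { $_.'Run As User' -like "*$account*" } |
        ForEach-Object { "$c task '$($_.TaskName)' runs as $($_.'Run As User')" }
}

# 4. Option 2: restrict the account to the hosts that need it.  This sets
#    the userWorkstations attribute ("Log On To" in ADUC); NetBIOS names,
#    comma separated.  Anything else trying the account is refused before
#    it can rack up bad-password counts from random corners of the network.
Set-ADUser -Identity $account -LogonWorkstations $allowedHosts
(Get-ADUser $account -Properties LogonWorkstations).LogonWorkstations

# 5. Option 3: run the job as the machine account instead.  The task and
#    service names below are placeholders; run these on the host itself.
schtasks /Change /TN "Nightly backup" /RU "SYSTEM"
sc.exe config BackupSvc obj= LocalSystem      # note the space after obj=
```

Two caveats worth keeping in mind.  The "Log On To" restriction is checked against the workstation name the client presents at authentication, so treat it as a way to stop accidental and casual misuse, not as a hard security boundary.  And running as SYSTEM gives the job full local privileges on that host, so it belongs on boxes you already trust with that workload, and when the job needs to reach a network resource you grant access to the computer account (DOMAIN\HOST$) rather than to a password you would otherwise be rotating.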
