How do I know my domain admin credentials are safe?

Comments (3)

  • Stephen Valdinger

    Don't deploy with your domain admin credentials. In fact, you should never really need domain admin credentials for anything other than logging into a DC.

    We push software with the local administrator account configured as the deployment user. 

    You could also create a service account and use that. Use a schedule to update your password for whatever account you use, so it's not just "set it and forget it" when it comes to machine security.

  • Brigg Angus

    Security is, has been, and will continue to be a primary focus of our software.

    We secure and encrypt credentials with three keys using 256-bit AES encryption: one is located in the registry, the other two are in the database itself. The registry key is unique and generated by the machine at install and tied to the other keys. They are not transmitted outside of PDQ.

    The traffic containing credential information within your network is also encrypted using the same security as Windows SMB (File & Printer Sharing), which uses user-level and share-level authentication (challenge/response). All credentials are encrypted before being sent over the wire.

  • Joe Stern

    Stephen Valdinger (comment above) is right -- the domain admin account has extra privileges that can really cause havoc should they be intercepted, and therefore it should not be used outside of logging into a domain controller. 

    You can create a domain group called Local Admins, and assign members of that group to the Local Administrator group of each desktop using GP. Create a new user account (Contoso\PDQguy) and make it a member of the Local Admins group. Now you can use that account for PDQ tasks, and it will have local administrator privileges on all the desktops but not be able to create accounts or other dangerous AD tasks. Stephen used the phrase "service account" which should not be confused with "Managed Service Account" or "Group Managed Service Account". In this case, it just means an account not associated with a human. 

    As Stephen also hinted, it would be wise not to set the service account password to never expire. Change it every 90 days.

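The account layout Joe Stern describes (a domain group that Group Policy pushes into each desktop's local Administrators group, plus a non-human deployment account that is a member of it), together with the scheduled password rotation Stephen Valdinger suggests, in PowerShell. This is an added example, not code from the thread or from PDQ; the domain name, OU paths, group name, account name and the 90-day maximum age are assumptions, and it needs the ActiveDirectory RSAT module and rights to create objects in the domain.

```powershell
# Added example, not from the original thread or from PDQ.
# Assumptions: contoso.com domain, OU paths below, group "Local Admins",
# deployment account "PDQguy", 90-day rotation. Requires RSAT ActiveDirectory.
Import-Module ActiveDirectory

$Domain     = 'contoso.com'
$GroupName  = 'Local Admins'                       # pushed into local Administrators by GPO
$SvcAccount = 'PDQguy'                             # non-human deployment account
$GroupOU    = 'OU=Groups,DC=contoso,DC=com'
$ServiceOU  = 'OU=Service Accounts,DC=contoso,DC=com'
$MaxAgeDays = 90

function New-RandomPassword {
    # 24 random bytes from the OS CSPRNG, Base64 -> 32 chars of mixed case, digits, '+' and '/'.
    param([int]$Bytes = 24)
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf = New-Object byte[] $Bytes
    $rng.GetBytes($buf)
    return [Convert]::ToBase64String($buf)
}

# 1. Security group that Group Policy will place in each desktop's local Administrators group.
#    Restricted Groups / Local Users and Groups preferences are configured in GPMC; there is no
#    cmdlet for that part, so only the AD objects are created here.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -SamAccountName 'LocalAdmins' -GroupScope Global `
        -GroupCategory Security -Path $GroupOU `
        -Description 'Members become local Administrators on desktops via GPO'
}

# 2. Deployment account: an ordinary user, never a member of Domain Admins, with a random
#    password and "Password never expires" left OFF so the rotation below actually applies.
if (-not (Get-ADUser -Filter "SamAccountName -eq '$SvcAccount'")) {
    $initial = ConvertTo-SecureString (New-RandomPassword) -AsPlainText -Force
    New-ADUser -Name $SvcAccount -SamAccountName $SvcAccount `
        -UserPrincipalName "$SvcAccount@$Domain" -Path $ServiceOU `
        -AccountPassword $initial -Enabled $true `
        -PasswordNeverExpires $false -ChangePasswordAtLogon $false `
        -Description 'PDQ deployment account; local admin on desktops only'
}
Add-ADGroupMember -Identity $GroupName -Members $SvcAccount

# 3. Rotation: reset to a fresh random password and hand it back to the caller so it can be
#    entered into the deployment tool's credential store. Do not write it to a log.
function Reset-DeploymentPassword {
    param([string]$SamAccountName)
    $new = New-RandomPassword
    Set-ADAccountPassword -Identity $SamAccountName -Reset `
        -NewPassword (ConvertTo-SecureString $new -AsPlainText -Force)
    return $new
}

# 4. Audit: the checks that show the account is still configured the way the thread recommends.
#    Uses recursive group membership so nesting through another group is not missed.
function Test-DeploymentAccount {
    param([string]$SamAccountName, [int]$MaxAgeDays = 90)
    $u = Get-ADUser -Identity $SamAccountName -Properties PasswordLastSet, PasswordNeverExpires
    $findings = @()
    if ($u.PasswordNeverExpires) {
        $findings += 'PasswordNeverExpires is set'
    }
    if ($null -eq $u.PasswordLastSet -or $u.PasswordLastSet -lt (Get-Date).AddDays(-$MaxAgeDays)) {
        $findings += "Password older than $MaxAgeDays days (last set: $($u.PasswordLastSet))"
    }
    foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
        $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                   Select-Object -ExpandProperty SamAccountName
        if ($members -contains $u.SamAccountName) {
            $findings += "Member (directly or nested) of privileged group '$g'"
        }
    }
    return $findings   # empty array means the account passes
}

$issues = Test-DeploymentAccount -SamAccountName $SvcAccount -MaxAgeDays $MaxAgeDays
if ($issues.Count -eq 0) {
    "OK: $SvcAccount has a rotated password and no privileged group membership."
} else {
    $issues | ForEach-Object { "FAIL: $_" }
}
```

To make the rotation a schedule rather than a reminder, run `Reset-DeploymentPassword` from a scheduled task on a management host every 90 days and update the stored deployment credential in the same job; the audit function is what you run (or alert on) between rotations, and a non-empty result from it is the signal that someone has quietly added the account to a privileged group or flipped the never-expires flag.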
