Forum: SuRun English speaking
Surun account
geoholz #1
Member since Feb 2016 · 1 post
Group memberships: Mitglieder
Subject: Surun account

Is there a possibility to change the user account used by SuRun?

I want to use a domain account instead of a local administrator account.

Kay (Administrator) #2
User title: Weltverbesserer
Member since Nov 2007 · 1509 posts · Location: Magdeburg
Group memberships: Administratoren, Mitglieder
Hello geoholz,

using a domain admin account is not possible without modifying SuRun.

The SuRun service runs with "local system" credentials. Usually domain controllers don't trust local systems and deny adding domain users to the domain admins group.

When creating SuRun I thought that there's too much attack surface to safely use a domain admin account.

To use a domain admin account SuRun would have to:
- locally store domain admin credentials (insecure)
- log on the domain admin to get a token from the domain controller (the token could be sniffed)
- impersonate the domain admin
- put the domain user into the domain admins group
- log on the user as domain admin to get another admin token (that could be sniffed)
- remove the user from the domain admins group (in the time the last three steps would take, the user could log on as domain admin; also, if one would cut the server connection, the user would become domain admin forever)
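
Added example, not part of Kay's post and not SuRun code: the failure mode in the last step (a user left in the domain admins group, or held there long enough to log on) can be detected by pairing group add and remove events. The records below are constructed, the function name and the 2-second threshold are assumptions, and 4728/4729 are the Windows Security event IDs for a member being added to or removed from a security-enabled global group.

```python
from datetime import datetime, timedelta

ADDED, REMOVED = 4728, 4729  # member added to / removed from a global security group

# Constructed sample records (timestamp, event id, group, member); not real logs.
EVENTS = [
    ("2020-03-31T20:00:00", ADDED,   "Domain Admins", "alice"),
    ("2020-03-31T20:00:04", REMOVED, "Domain Admins", "alice"),
    ("2020-03-31T20:01:00", ADDED,   "Helpdesk",      "dave"),   # other group, ignored
    ("2020-03-31T20:02:00", ADDED,   "Domain Admins", "carol"),
    ("2020-03-31T20:02:01", REMOVED, "Domain Admins", "carol"),
    ("2020-03-31T20:05:00", ADDED,   "Domain Admins", "bob"),    # never removed
]


def audit_elevations(events, group="Domain Admins",
                     max_window=timedelta(seconds=2)):
    """Pair add/remove events per member of `group`.

    Returns (long_windows, stuck):
      long_windows - [(member, seconds)] where membership lasted longer than
                     max_window (assumed threshold), i.e. long enough to log on
      stuck        - members added but never removed, e.g. because the
                     connection to the server was cut before the removal
    """
    open_adds = {}      # member -> time of the unmatched add
    long_windows = []
    for ts, event_id, grp, member in sorted(events):
        if grp != group:
            continue
        when = datetime.fromisoformat(ts)
        if event_id == ADDED:
            open_adds.setdefault(member, when)
        elif event_id == REMOVED and member in open_adds:
            held = when - open_adds.pop(member)
            if held > max_window:
                long_windows.append((member, held.total_seconds()))
    return long_windows, sorted(open_adds)


if __name__ == "__main__":
    long_windows, stuck = audit_elevations(EVENTS)
    for member, seconds in long_windows:
        print(f"{member}: in Domain Admins for {seconds:.0f}s")
    for member in stuck:
        print(f"{member}: added to Domain Admins and never removed")
```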

