Thursday, July 9, 2009

What are the benefits of new managed service accounts?

One of the security challenges for critical network applications such as Exchange and IIS is selecting the appropriate type of account for the application to use.
On a local computer, an administrator can configure the application to run as Local Service, Network Service, or Local System. These built-in service accounts are simple to configure and use, but they are typically shared among multiple applications and services and cannot be managed at the domain level. Local System in particular is highly privileged, so a compromise of any service running under it is a compromise of the whole host, and Network Service presents the computer's own credentials to other machines, so every service using it looks identical on the network.
If you configure the application to use a domain account, you can isolate the privileges for the application, but you need to manually manage passwords or create a custom solution for managing these passwords. Many SQL Server and IIS applications use this strategy to enhance security, but at a cost of additional administration and complexity.
In these deployments, service administrators spend a considerable amount of time in maintenance tasks such as managing service passwords and service principal names (SPNs), which are required for Kerberos authentication. In addition, these maintenance tasks can disrupt service.
What's new in service accounts?
Two new types of service account are available in Windows Server 2008 R2 and Windows 7: the managed service account and the virtual account. The managed service account is designed to provide crucial applications such as SQL Server and Internet Information Services (IIS) with the isolation of their own domain accounts, while eliminating the need for an administrator to manually administer the service principal name (SPN) and credentials for these accounts. The domain generates the account's password and rotates it automatically, and only the computer the account is assigned to can retrieve it.
Virtual accounts in Windows Server 2008 R2 and Windows 7 are "managed local accounts": nothing is created in Active Directory, each service gets its own local identity of the form NT SERVICE\<service name>, and the service uses the computer's credentials when it accesses network resources.
Who will want to use managed service accounts?
Both account types give crucial applications such as SQL Server or IIS the isolation of their own accounts without the manual SPN and credential administration described above.
Administrators will want to use managed service accounts to enhance security while simplifying or eliminating the following service administration tasks:
- Password management
- SPN management
Virtual accounts simplify service administration by:
- Eliminating password management
- Allowing services to access the network with the computer's account credentials in a domain environment
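The provisioning sequence the post describes, written out as an added example (it is not code from the original post or from Microsoft's documentation). It assumes a Windows Server 2008 R2 domain with the Active Directory PowerShell module installed, and the account name `svc-web01`, host `WEB01`, domain `corp.example`, and service names `MyAppSvc` and `OtherSvc` are all hypothetical:

```powershell
# Added example: provision a managed service account (MSA) for one service,
# then bind a second service to a virtual account for comparison.
# All names below (svc-web01, WEB01, corp.example, MyAppSvc, OtherSvc) are assumed.

Import-Module ActiveDirectory

# --- Managed service account: run with domain admin rights (DC or RSAT host) ---

# 1. Create the MSA. Active Directory generates the password itself and rotates
#    it on the domain's computer-password schedule, so no password is supplied.
New-ADServiceAccount -Name 'svc-web01' -Enabled $true `
    -Path 'CN=Managed Service Accounts,DC=corp,DC=example'

# 2. Authorize host WEB01 to retrieve that password. In 2008 R2 an MSA is tied
#    to a single computer, which is what keeps one host's compromise from
#    exposing a credential usable elsewhere.
Add-ADComputerServiceAccount -Identity 'WEB01' -ServiceAccount 'svc-web01'

# 3. Register the SPN that Kerberos clients will request for this service.
Set-ADServiceAccount -Identity 'svc-web01' `
    -ServicePrincipalNames @{Add = 'HTTP/web01.corp.example'}

# --- On WEB01 itself (local administrator) ---

# 4. Install the MSA locally so the host can fetch the account's password
#    from the domain, then confirm the host is allowed to use it.
Install-ADServiceAccount -Identity 'svc-web01'
Test-ADServiceAccount -Identity 'svc-web01'   # returns $true when usable

# 5. Point the service at the MSA. The trailing '$' marks it as a
#    computer-style account; the password is deliberately left empty because
#    the operating system retrieves it from AD at service start.
sc.exe config MyAppSvc obj= 'CORP\svc-web01$' password= ''

# --- Virtual account: nothing to create in AD at all ---

# 6. Running as NT SERVICE\<service name> gives OtherSvc its own local
#    identity (own profile, own ACL-able SID) while it authenticates to
#    other machines as the computer account CORP\WEB01$.
sc.exe config OtherSvc obj= 'NT SERVICE\OtherSvc' password= ''

# Show which identity each service is configured to start as.
Get-WmiObject Win32_Service -Filter "Name='MyAppSvc' OR Name='OtherSvc'" |
    Select-Object Name, StartName
```

Steps 1 to 3 run wherever the Active Directory module can reach a domain controller; steps 4 to 6 run on the host that will run the services. Granting the MSA or the virtual account rights on files, registry keys or SQL logins is done against `CORP\svc-web01$` and `NT SERVICE\OtherSvc` respectively, exactly as for any other principal.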
