Forum Discussion

Barb's avatar
Barb
Icon for Advisor rankAdvisor
10 months ago
Solved

Least Privilege's script to set permissions on Services for Non Admin account.

With the new security push for us to use non admin accounts. If anyone would like I to have a script that can run on Domain and one for Workgroup Servers. That iterates though all services and applies correct SDDL for least privilege's account. Extract these to c:/temp, add your list of servers (or for the workgroup add the single server to the serverlist.txt) and then run the RunScript.ps1

You'll need a local admin account to run with for Workgroup Server

You'll need a DA account to run for list of Domain Servers.

 

PM me if you are interested ;)

  • Barb's avatar
    Barb
    9 months ago

    Hi Suzanne its a one time process. Anytime you provision a new server thou it will need to be run as part of your provision process.

5 Replies

  • Barb's avatar
    Barb
    Icon for Advisor rankAdvisor
    9 months ago

    Hi Suzanne its a one time process. Anytime you provision a new server thou it will need to be run as part of your provision process.

  • Cole_McDonald's avatar
    Cole_McDonald
    Icon for Professor rankProfessor
    9 months ago

    Morning folks... I'm at the beginning of a new deployment and am with an MSP... so we're about to deploy exactly this at scale.  We're avoiding local admin as well and are working out how to get WMI to respond correctly without granting full access to every machine.

    A primary reason domain admin is such a security risk is that it grants local admin through group memberships to every machine.  Having that happen manually seems to undermine the initiative of "least" privilege, so we're pushing through the effort of finding the correct and reproducible way to grant read access to WMI without having to resort to any manual processes.

    I potentially have a few thousand of these to do since we have to make changes to every device we're bringing into our fresh portal.  Ideally, I'd like to find a way to be able to push this from the LM interface itself once the collector is setup in the environment.  Not sure how I'm going to implement that yet, but with the service itself running under a "just enough access" cred, will probably need it to access a domain admin account just for this effort.

    In the past, I've used property sources to use as scheduled task types of scripts... they don't need to pull any metrics, and can just write a status update into a property on each device once completed.  I'll most likely deploy this way once we figure out the magic sauce for the WMI class access without having to manually open XP era admin tools.

  • Cole_McDonald's avatar
    Cole_McDonald
    Icon for Professor rankProfessor
    9 months ago

    I should also add... we're trying to avoid anything that isn't manageable via domain group memberships... so we'll need to have any changes to access locally happen via a domain level group... that way, new deployments will be identical from customer environment to customer environment regardless account naming conventions or varying customer requirements for such things.

  • SuzanneShaw's avatar
    SuzanneShaw
    Icon for Community Manager rankCommunity Manager
    9 months ago

    Barb, this is super helpful insight. How often do you find you need to do this?   Like is this a one-time process, or is it something you have to repeat?

    • Cole_McDonald's avatar
      Cole_McDonald
      Icon for Professor rankProfessor
      8 months ago

      Based on how the script from LM works... any new software that runs from a service that needs to be monitored will need the SDDL applied to it as well... so we have a version of our final script in our RMM that runs and searches for Services that don't match the SDDL, and adding it for them.