Service Account Vulnerabilities

Published: 15 Aug, 2001
Created by: Barbara Guhanick

As an Information Security (IS) specialist, you may be called on by your employer's software application developers to secure an application. This may be a purchased product or a product developed in-house. In either case, the earlier an IS specialist is involved in the process the better, since an IS specialist's goals for a product differ from the developers'. The application developer's goal is to provide the customer with the product they want, and this may mean purchasing or developing a product that has exceptions to your employer's security standards. The developer is most concerned with producing the expected product. An IS specialist is also concerned with producing the expected product, but one that is within the employer's security standards. Involving an IS specialist early in a project may reduce or eliminate security vulnerabilities by influencing the purchase of a product or how an in-house product's security is designed. One security vulnerability that arises frequently in application software is the use of 'powerful' accounts to run the application software service, to provide access to data from within the application, or both. This paper discusses these special accounts as vulnerabilities in application security in the Microsoft NT/2000 environment.