The company I work for is currently going undertaking a project to remediate (am
ID: 656964 • Letter: T
Question
The company I work for is currently going undertaking a project to remediate (among other things) a pen-test finding that a privileged domain-level account (which was compromised by the pen-testers during the audit) was being used for multiple maintenance and development tasks in production. Currently, we're trying to discourage the use of this account and break its functionality out into separate service accounts. We're getting especially firm push-back from the DBA group on the topic of trying to discourage its use in installing SQL Server patches.
So far, I haven't been able to find any guidance specific to accounts when it comes to "best practices" for installing patches so I was wondering if anyone had any first-hand knowledge or a good starting point on where to look. Thanks
What account should be used to install SQL Server 2008 patches?
Explanation / Answer
As you mention a previous pentester compromised the domain-admin account. Once this happens pretty much the entire network is owned by the attacker.
This is part of the reason you should be careful using a domain-admin account to do patch management. If you issue remote commands via PSExec, RunAs, RDP etc then a token is left on that remote system. If that remote system becomes compromised (and the attacker is now a local admin) the attacker will want to elevate his influence on the entire network. If a domain-admin account was used for remote patching then privilege escalation can be accomplished via token-stealing. Metasploit even has a nice and easy module for this. And now the attacker is a domain-admin.