Domain Admin Account Testing

I am testing users with access to Domain Account. Since it is a shared account I am asking who has the knowledge of the user account and password. Is there any other way to test this? Is there any report that we could pull that would show the people using the account? Thank you.

Comments

RE: Domain Admin Account Testing

You will have to do some event correlation. If you have a shared account, the account will have a specific name, so there is no obvious way to associate it with a particular user. It can be done by running reports from a SIEM.

For example, if Mary Smith is logged onto a Windows desktop with an IP address of 192.168.1.22 and from there accesses a server with the shared domain account OurDomainAdmin, an event similar to the following will be created:

Source: 192.168.1.22
Destination: some server
Account: OurDomainAdmin
LogonType: (this will be a Microsoft EventID associated with network logon events... NOT a local logon)


Now for the event correlation: map Mary Smith's LOCAL logon / logoff time to a time range that fits with the network logon.

This will provide reasonable assurance that the logon occurred from Mary Smith's computer. However, even this does not provide assurance that it was Mary Smith at the keyboard.

RKinNCObserver at 8/15/2013 10:49:34 AM
(1 ratings)
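
The correlation described in the reply above, as an added example that is not part of the original post: it pairs local (interactive) logon/logoff events into sessions per workstation IP, then checks which session covers each network logon of the shared account. The usernames msmith, jdoe and bwong, the server SRV01, the field names and the sample records are constructed assumptions; event IDs 4624/4634 and logon types 2/3 are the standard Windows values.

```python
from datetime import datetime

SHARED = "OurDomainAdmin"  # shared account name used in the post

def ev(ts, event_id, logon_type, account, ip, dest=None):
    return {"time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), "event_id": event_id,
            "logon_type": logon_type, "account": account, "ip": ip, "dest": dest}

# Constructed sample records (not real logs). 4624 = logon, 4634 = logoff;
# logon_type 2 = interactive (local), 3 = network. For interactive events "ip" is the
# workstation's own address (assumed SIEM enrichment); for network logons it is the source.
EVENTS = [
    ev("2013-08-15 08:02:10", 4624, 2, "msmith", "192.168.1.22"),
    ev("2013-08-15 09:15:00", 4624, 3, SHARED, "192.168.1.22", "SRV01"),
    ev("2013-08-15 12:00:00", 4634, 2, "msmith", "192.168.1.22"),
    ev("2013-08-15 12:30:00", 4624, 3, SHARED, "192.168.1.22", "SRV01"),
    ev("2013-08-15 13:00:00", 4624, 2, "jdoe", "192.168.1.40"),
    ev("2013-08-15 13:05:00", 4624, 2, "bwong", "192.168.1.40"),
    ev("2013-08-15 13:10:00", 4624, 3, SHARED, "192.168.1.40", "SRV01"),
]

def build_sessions(events):
    """Pair each interactive logon with the next logoff of the same account on the same workstation."""
    sessions, open_ = [], {}
    for e in sorted(events, key=lambda e: e["time"]):
        key = (e["account"], e["ip"])
        if e["event_id"] == 4624 and e["logon_type"] == 2:
            open_[key] = e["time"]
        elif e["event_id"] == 4634 and e["logon_type"] == 2 and key in open_:
            sessions.append((e["account"], e["ip"], open_.pop(key), e["time"]))
    # A logon with no logoff yet is still an open session: treat its end as unbounded.
    sessions += [(a, ip, start, datetime.max) for (a, ip), start in open_.items()]
    return sessions

def attribute(events, shared=SHARED):
    """For each network logon of the shared account, list users locally logged on at the source IP."""
    sessions = build_sessions(events)
    report = []
    for e in events:
        if e["event_id"] == 4624 and e["logon_type"] == 3 and e["account"] == shared:
            users = sorted({a for a, ip, start, end in sessions
                            if a != shared and ip == e["ip"] and start <= e["time"] <= end})
            verdict = "attributed" if len(users) == 1 else ("ambiguous" if users else "unattributed")
            report.append((e["time"], e["ip"], e["dest"], verdict, users))
    return report

if __name__ == "__main__":
    for row in attribute(EVENTS):
        print(*row)
```

The "unattributed" and "ambiguous" rows are the ones an auditor would follow up on, since no single local session explains the shared-account logon.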

RE: Domain Admin Account Testing

Good Solution.
Gopichand PLively at 8/16/2014 5:14:03 AM

RE: Domain Admin Account Testing

The challenge is to establish accountability with a shared user account and password. The best way to overcome this challenge is to create a separate account with the user's last name for Domain Account activity.
Hrishikesh490Lively at 2/11/2015 2:23:22 AM
