Remove From My Forums

Run As Account security

Question
0

Sign in to vote

Hi,

a point in the docs i never understood is this: "If Operations Manager were to automatically distribute the credentials to all agent managed computers that have been identified as SQL Server 2005 computers, the credentials would be sent to the imposter SQL Server and they would be available to anyone with administrator rights on that server."

Why is that? How are the credentials stored and how would an local admin be able to use them?

Alex

Friday, August 21, 2009 12:20 PM

Answers

0

Sign in to vote
If there is a workflow that use a run as account run on an agent then the RunAs account credentials will be loaded on to that agent machine. The information is saved in a secure storage, which an administrator on the local machine can get access to through programatic means. So basically you have to have a trusted computer running the agent, and a malicious administrator who is attempting to steal the information.

Your protections are deploy agents to trusted machines, watch for workflow errors which may indicate a malicious person attempting to trick the agent in to discovering a local application that doesn't exist, and don't download the runas profile to all machines but to the machines that you trust. As Pete says you can opt to only deploy the runas account credentials to a group of machines you trust, for instance create a group "Protected SQL Servers", add the necessary computers that should be running the SQL System using the run as account to that group, and then only send the Run As account to those servers.
Thanks, Steven ___________________________________________________________ This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
- Proposed as answer by Pete Zerger - MVPMVP Friday, August 28, 2009 5:41 PM
- Marked as answer by a.schmitt Monday, August 31, 2009 8:20 AM
Friday, August 28, 2009 4:18 PM

All replies

0

Sign in to vote

no one?

Tuesday, August 25, 2009 10:08 AM
0

Sign in to vote
Since mutual authentication is required between Opsmgr servers (MS, RMS, GW) and the agents they manage, and manual ageent installs are rejected by default, the "imposter server" you mention would require you as an administrator to lower security to allow this to happen. As long as you set manual agent installs to 'review', you should have nothing to worry about.

Amongst your authorized agent-managed computers, you can control the distribution of RunAs credentials by instance or class.

Crendentials are encrypted in SQL and not persisted on the agent when they are not needed, so revealing RunAs credentials would pose a significant challange.

Pete Zerger, MVP-OpsMgr and SCE | http://www.systemcentercentral.com
- Proposed as answer by Pete Zerger - MVPMVP Friday, August 28, 2009 5:40 PM
Wednesday, August 26, 2009 3:59 AM
0

Sign in to vote

Hi,

so when the credentials are not persistant on an agent how could some adminstrator use them as mentioned in the documentation?

Alex

Friday, August 28, 2009 7:59 AM
0

Sign in to vote
If there is a workflow that use a run as account run on an agent then the RunAs account credentials will be loaded on to that agent machine. The information is saved in a secure storage, which an administrator on the local machine can get access to through programatic means. So basically you have to have a trusted computer running the agent, and a malicious administrator who is attempting to steal the information.

Your protections are deploy agents to trusted machines, watch for workflow errors which may indicate a malicious person attempting to trick the agent in to discovering a local application that doesn't exist, and don't download the runas profile to all machines but to the machines that you trust. As Pete says you can opt to only deploy the runas account credentials to a group of machines you trust, for instance create a group "Protected SQL Servers", add the necessary computers that should be running the SQL System using the run as account to that group, and then only send the Run As account to those servers.
Thanks, Steven ___________________________________________________________ This posting is provided "AS IS" with no warranties, and confers no rights. Use of included script samples are subject to the terms specified at http://www.microsoft.com/info/cpyright.htm
- Proposed as answer by Pete Zerger - MVPMVP Friday, August 28, 2009 5:41 PM
- Marked as answer by a.schmitt Monday, August 31, 2009 8:20 AM
Friday, August 28, 2009 4:18 PM
0

Sign in to vote

Hi,

the documentation sounds like every administrator could easily use these credentials, thanks for the clarification

Alex

Monday, August 31, 2009 8:20 AM

Products

Resources

Solutions

Updates

Trials

Related Sites

Training

Certifications

Other resources

Support options

More support

Not an IT pro?

Answered by:

Run As Account security

Question

Answers

All replies