Shared Local Account vs Shared Domain Account for Type-2 Interactive Logon?

    Question

  • Ideally, it is surely best to use individual accounts over shared generic accounts whenever possible for authentication. The environment I have inherited contains instrumentation, manufacturing, scales, and research equipment controlled by specialized software used by multiple users to export test results for specific quality control components.

    If a shared account had to be used for operational purposes and the machine is attached to an Active Directory domain for patching, which would be the preferable option: a shared local account or a shared domain account for authentication? Which would be the lesser of two evils? What are some of the pros and cons of each, aside from the fact that individual accounts are the way to go in an enterprise environment?

    Extra note: if a shared domain account is preferable, I am going to lock the machines down with group policies and AppLocker, and allow only the domain account to log in to the restricted PCs during business hours.

    Thursday, 12 July 2018 01:43

Answers

  • OK, so you will need to use a shared domain account even if you already know that it is bad :(

    The main advantage of using a local shared account is that if, for any reason, this account is compromised, it will only be local to the computer.

    The con of using a local shared account is that it will be difficult to access network resources.

    Regarding your extra note, it's a step you should take in order to secure the access. Also make sure that, regarding network access, the shared domain user and the group to which it belongs don't get any extra rights on the domain, and particularly on the domain controller.

    Best Regards,

    • Marked as answer by Bubby10 Thursday, 12 July 2018 12:25
    Thursday, 12 July 2018 11:58
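A concrete way to apply this answer's advice (restrict where and when the shared domain account can log on, then confirm it holds no group rights beyond Domain Users), as an added PowerShell example that is not part of the thread. The account name, workstation names, OU path and business hours are placeholders, and the schedule assumes the site runs on UTC because the logonHours attribute is stored in UTC.

```powershell
# Added example, not from the thread. Provisions a low-privilege shared domain account
# that can only log on interactively at named shop-floor PCs during business hours,
# then checks it holds no group membership beyond Domain Users.
# All names, the OU path and the hours below are placeholders for your environment.
Import-Module ActiveDirectory

$AccountName  = 'svc-floor-shared'                        # placeholder sAMAccountName
$Workstations = 'SCALE-PC01,SCALE-PC02,MICROSCOPE-PC01'   # placeholder NetBIOS names
$OuPath       = 'OU=SharedDevices,DC=example,DC=local'    # placeholder OU

# Build the 21-byte logonHours mask: 168 bits, one per hour of the week starting
# Sunday 00:00, least-significant bit first. AD stores the bits in UTC; this
# assumes the site runs on UTC, so shift StartHour/EndHour for other zones.
function New-LogonHoursMask {
    param([int[]]$Days, [int]$StartHour, [int]$EndHour)   # Days: 0 = Sunday .. 6 = Saturday
    $mask = New-Object byte[] 21
    foreach ($d in $Days) {
        for ($h = $StartHour; $h -lt $EndHour; $h++) {
            $hourOfWeek = $d * 24 + $h
            $i = [int][math]::Floor($hourOfWeek / 8)
            $mask[$i] = [byte]($mask[$i] -bor (1 -shl ($hourOfWeek % 8)))
        }
    }
    return $mask
}

# Create the account: fixed workstations, no delegation, no password self-service.
New-ADUser -Name $AccountName -SamAccountName $AccountName -Path $OuPath `
    -Description 'Shared operator account for floor instrumentation' `
    -AccountPassword (Read-Host -AsSecureString 'Initial password') `
    -LogonWorkstations $Workstations -AccountNotDelegated $true `
    -CannotChangePassword $true -Enabled $true

# Monday..Friday, 07:00-19:00 (placeholder business hours).
$mask = New-LogonHoursMask -Days 1,2,3,4,5 -StartHour 7 -EndHour 19
Set-ADUser -Identity $AccountName -Replace @{ logonHours = $mask }

# Verify the account carries nothing beyond Domain Users (the answer's warning about
# extra rights on the domain, and especially the domain controllers).
$extra = Get-ADPrincipalGroupMembership -Identity $AccountName |
    Where-Object { $_.Name -ne 'Domain Users' } | Select-Object -ExpandProperty Name
if ($extra) { Write-Warning "Unexpected group membership: $($extra -join ', ')" }
else        { Write-Output "$AccountName holds only Domain Users membership." }
```

Run it with an account that can create users in the target OU; Active Directory Users and Computers displays the resulting logon hours converted to the admin workstation's local time, which is the easiest place to eyeball the schedule afterwards.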

All replies

  • Hello,

    Will your operations guys be accessing resources in the domain, or only locally?

    Best Regards,

    Thursday, 12 July 2018 08:16
  • Both. For example, one computer may be hooked to an industrial floor scale and camera. This end-user device will measure the weight and dimensions of a crate on an assembly line but needs to print labels and log the data to a corporate server.

    The second example could be that rotating workers have a computer attached to a microscope to run sample products through to log quality control defects for data analysis, but need access to back up the local data, print, adhere to company endpoint policies, etc.

    They will sometimes need to access archival data records from an onsite data store. This involves several hundred end-user devices as well.

    Hopefully, that can give you more insight. Thanks.

    Thursday, 12 July 2018 10:48
  • Thanks, Dokoh, your input has been very helpful.
    Thursday, 12 July 2018 12:28