
Minimum permissions needed to install Windows Updates across servers?

  • 11-04-2013 1:38pm
    #1
    Registered Users Posts: 7,265 ✭✭✭


    Our IT Solutions provider is requiring Domain Admin privs to their remote management tool with the aim of deploying critical updates to our servers.

    Is there a lower permission set that I can grant to do the job?


Comments

  • Registered Users Posts: 8,811 ✭✭✭BaconZombie


    DO NOT GIVE THEM DOMAIN ADMIN ACCESS!!!
    RangeR wrote: »
    Our IT Solutions provider is requiring Domain Admin privs to their remote management tool with the aim of deploying critical updates to our servers.

    Is there a lower permission set that I can grant to do the job?

    What are they using to deploy the updates?
    SCCM or something other?

    Set up a new ACL and add their service account to it, then make that account part of the Local Admin group on the servers and clients you want them to update.

    You can push the ACL updates via GPO.


    If they insist on Domain Admin access, get them to give you a VERY detailed statement of work for each update.
    I would then get them to push the update only at a set time and have the account disabled at all other times.
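
The delegation suggested in the post above, sketched as an added example that is not part of the original thread: a dedicated group for the vendor's service account, a guard against Domain Admins membership, a check of local Administrators on the chosen servers, and an account that stays disabled outside the agreed window. The account, group, OU and server names are placeholders, and the script assumes the RSAT ActiveDirectory module and PowerShell remoting to the target servers.

```powershell
# Added example; every name below is a placeholder, not a value from the thread.
Import-Module ActiveDirectory

$VendorAccount = 'svc-vendor-patch'               # hypothetical, must already exist
$GroupName     = 'SG-Vendor-Patch-Admins'         # hypothetical delegation group
$GroupOU       = 'OU=Groups,DC=example,DC=local'  # placeholder OU
$Servers       = 'SRV01', 'SRV02'                 # servers the vendor may update

# 1. Dedicated group that holds only the vendor's service account.
if (-not (Get-ADGroup -Filter "Name -eq '$GroupName'")) {
    New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security -Path $GroupOU
}
$members = Get-ADGroupMember -Identity $GroupName |
    Select-Object -ExpandProperty SamAccountName
if ($members -notcontains $VendorAccount) {
    Add-ADGroupMember -Identity $GroupName -Members $VendorAccount
}

# 2. The group is added to local Administrators by a GPO (Restricted Groups or
#    Group Policy Preferences) linked only to the OU holding $Servers.
#    That step is done in the GPO editor; this script only verifies the result.

# 3. Guard: the account must not be a Domain Admin, directly or through nesting.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Select-Object -ExpandProperty SamAccountName
if ($domainAdmins -contains $VendorAccount) {
    throw "$VendorAccount is a member of Domain Admins; remove it before continuing."
}

# 4. Verify that the GPO applied on each server.
$netbios = (Get-ADDomain).NetBIOSName
foreach ($server in $Servers) {
    $localAdmins = Invoke-Command -ComputerName $server -ScriptBlock {
        Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    }
    if ($localAdmins -notcontains "$netbios\$GroupName") {
        Write-Warning "$server : $GroupName is not in local Administrators"
    }
}

# 5. Keep the account disabled except during the agreed update window.
function Set-VendorWindow {
    param([switch]$Open)
    if ($Open) { Enable-ADAccount -Identity $VendorAccount }
    else       { Disable-ADAccount -Identity $VendorAccount }
    (Get-ADUser -Identity $VendorAccount -Properties Enabled).Enabled
}
Set-VendorWindow   # default state: disabled; run with -Open at the agreed time
```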


  • Registered Users Posts: 7,265 ✭✭✭RangeR


    DO NOT GIVE THEM DOMAIN ADMIN ACCESS!!!



    What are they using to deploy the updates?
    SCCM or something other?

    Set up a new ACL and add their service account to it, then make that account part of the Local Admin group on the servers and clients you want them to update.

    You can push the ACL updates via GPO.


    If they insist on Domain Admin access, get them to give you a VERY detailed statement of work for each update.
    I would then get them to push the update only at a set time and have the account disabled at all other times.

    To be honest, it's more than just updates. It's remote monitoring of servers among other stuff. Agents installed on the servers. It's based on [or actually is] Kaseya.

    I'll be honest, if they insist on Domain Admin, I'll be insisting that they remove their software. I'll find another solution.


  • Registered Users Posts: 193 ✭✭kaisersoze


    Good article on min permissions to add server to domain, however, if there is an underlying issue of trust, you may need to look for someone else.

    http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/639f2586-c0ec-40e4-83a9-5079ffb50c5b/


  • Registered Users Posts: 7,265 ✭✭✭RangeR


    No underlying issue of trust, in so far as I don't trust anyone with my network :)
    Domain Admin shouldn't be handed out willy nilly [ever?!?].


  • Registered Users Posts: 1,892 ✭✭✭Mr. Fancypants


    Ask them for documentation to back up that the Kaseya agent requires Domain Admin rights. It may well do. I work at an MSP who uses Level Platforms as their managed service platform; as far as I know, it requires Domain Admin credentials to work fully. You do need to have trust in your provider. You can mitigate it somewhat by ensuring you have the password changed regularly and have security auditing on to ensure the account isn't being abused.


  • Registered Users Posts: 357 ✭✭Ctrl Alt Del


    mbroaders wrote: »
    Ask them for documentation to back up that the Kaseya agent requires Domain Admin rights. It may well do. I work at an MSP who uses Level Platforms as their managed service platform; as far as I know, it requires Domain Admin credentials to work fully. You do need to have trust in your provider. You can mitigate it somewhat by ensuring you have the password changed regularly and have security auditing on to ensure the account isn't being abused.


    No offense here to anyone, but... if you don't trust your IT managed/unmanaged solution provider, why do you have a relation with them!??
    If you don't trust them, then they are not your IT support. And I will not take as a customer somebody that does not trust me either!

    Also, afaik, most IT solutions providers will set up by default as Domain Administrators and/or create a second login for redundancy or security reasons!!!

    Please correct me if I'm wrong!

    Regards


  • Registered Users Posts: 1,892 ✭✭✭Mr. Fancypants


    I agree, it is very important the trust is there but company policies do dictate what level of access third parties can have. This is more common in larger environments.
    No offense here to anyone, but... if you don't trust your IT managed/unmanaged solution provider, why do you have a relation with them!??
    If you don't trust them, then they are not your IT support. And I will not take as a customer somebody that does not trust me either!

    Also, afaik, most IT solutions providers will set up by default as Domain Administrators and/or create a second login for redundancy or security reasons!!!

    Please correct me if I'm wrong!

    Regards

