Advertisement
Help Keep Boards Alive. Support us by going ad free today. See here: https://subscriptions.boards.ie/.
https://www.boards.ie/group/1878-subscribers-forum

Private Group for paid up members of Boards.ie. Join the club.
Hi all, please see this major site announcement: https://www.boards.ie/discussion/2058427594/boards-ie-2026

Minimum permissions needed to install Windows Updates across servers?

  • 11-04-2013 12:38PM
    #1
    RangeR
    Registered Users, Registered Users 2 Posts: 7,258 ✭✭✭


    Our IT Solutions provider is requiring Domain Admin privs to their remote management tool with the aim of deploying critical updates to our servers.

    Is there a lower permission set that I can grant to do the job?


Comments

  • #2
    BaconZombie
    Registered Users, Registered Users 2 Posts: 8,814 ✭✭✭BaconZombie


    DO NOT GIVE THEM DOMAIN ADMIN ACCESS!!!
    RangeR wrote: »
    Our IT Solutions provider is requiring Domain Admin privs to their remote management tool with the aim of deploying critical updates to our servers.

    Is there a lower permission set that I can grant to do the job?

    What are they using to deploy the updates?
    SCCM or something other?

    Setup a new ACL and add their Service account it to then make that account part of the Local Admin group on the Servers and Clients you want then to update.

    You can push the ACL updates via GPO.


    If they insist on Domain Admin Access get them to give you a VERY detail statement of work for each update.
    I would then get them to push the update only at a set time and have the account disable at all other times.


  • #3
    RangeR
    Registered Users, Registered Users 2 Posts: 7,258 ✭✭✭RangeR


    BaconZombie wrote: »
    DO NOT GIVE THEM DOMAIN ADMIN ACCESS!!!



    What are they using to deploy the updates?
    SCCM or something other?

    Setup a new ACL and add their Service account it to then make that account part of the Local Admin group on the Servers and Clients you want then to update.

    You can push the ACL updates via GPO.


    If they insist on Domain Admin Access get them to give you a VERY detail statement of work for each update.
    I would then get them to push the update only at a set time and have the account disable at all other times.

    To be honest, it's more than just updates. It's remote monitoring of servers among other stuff. Agents installed on the servers. It's based on [or actually is] Kaseya

    I'll be honest, if they insist on Domain Admin, I'll be insisting that they remove their software. I'll find another solution.


  • #4
    kaisersoze
    Registered Users, Registered Users 2 Posts: 194 ✭✭kaisersoze


    Good article on min permissions to add server to domain, however, if there is an underlying issue of trust, you may need to look for someone else.

    http://social.technet.microsoft.com/Forums/en-US/windowsserver2008r2general/thread/639f2586-c0ec-40e4-83a9-5079ffb50c5b/


  • #5
    RangeR
    Registered Users, Registered Users 2 Posts: 7,258 ✭✭✭RangeR


    No underlying issue of trust, in so far as I don't trust anyone with my network :)
    Domain Admin shouldn't be handed out willy nilly [ever?!?].
    .


  • #6
    Mr. Fancypants
    Registered Users, Registered Users 2 Posts: 1,892 ✭✭✭Mr. Fancypants


    Ask them for documentation to back up that the Kaseya agent requires Domain Admin rights. It may well do. I work at an MSP who uses Level Platforms as their managed service platform as far as i know it requires Domain Admin credentials to work fully. You do need to have trust in your provider. You can mitigate it somewhat by ensuring you have the password changed regularly and have security auditing on to ensure the account isn't being abused.


  • Advertisement
  • #7
    Ctrl Alt Del
    Registered Users, Registered Users 2 Posts: 357 ✭✭Ctrl Alt Del


    mbroaders wrote: »
    Ask them for documentation to back up that the Kaseya agent requires Domain Admin rights. It may well do. I work at an MSP who uses Level Platforms as their managed service platform as far as i know it requires Domain Admin credentials to work fully. You do need to have trust in your provider. You can mitigate it somewhat by ensuring you have the password changed regularly and have security auditing on to ensure the account isn't being abused.


    No offense here to anyone,but...if you don't trust your IT managed/unmanaged solution provider,why do you have a relation with them !??
    If you don't trust them,then they are not your IT Support .And,i will not take as customer somebody that does not trust me either!

    Also,afaik,most IT solutions provider will setup by default as Domain Administrators and/or create a second login for redundancy or security reasons !!!

    Please correct me if I'm wrong !

    Regards


  • #8
    Mr. Fancypants
    Registered Users, Registered Users 2 Posts: 1,892 ✭✭✭Mr. Fancypants


    I agree, it is very important the trust is there but company policies do dictate what level of access third parties can have. This is more common in larger environments.
    Ctrl Alt Del wrote: »
    No offense here to anyone,but...if you don't trust your IT managed/unmanaged solution provider,why do you have a relation with them !??
    If you don't trust them,then they are not your IT Support .And,i will not take as customer somebody that does not trust me either!

    Also,afaik,most IT solutions provider will setup by default as Domain Administrators and/or create a second login for redundancy or security reasons !!!

    Please correct me if I'm wrong !

    Regards


Advertisement