Why the CyberQP Agent Requires Domain Admin Permissions and MSA Best Practices
This article provides a detailed explanation of why the CyberQP Agent requires Domain Admin permissions on Domain Controllers for full functionality, along with references to relevant Microsoft documentation on service account best practices.
Testing Local System Account Compatibility (Testing Phase)
While you can test if this configuration works for basic end-user functions, CyberQP strongly recommends against running the service as Local System due to the security risks associated with broad privileges and reduced auditing.
The Local System account has broad, non-auditable privileges on the local machine (equivalent to the operating system itself). While you can test if this configuration works for basic end-user functions, CyberQP strongly recommends against running the service as Local System due to the security risks associated with broad privileges and reduced auditing.
Verification and Testing Procedure
Before testing, you must first verify or change the service account configured for the CyberQP Agent service on the Domain Controller.
-
Verify/Change the Service Account:
Open the Services snap-in (services.msc) on the Domain Controller.
Locate the Quickpass Agent serviceĀ
Right-click the service and select Properties.
Go to the Log On tab.
-
Verify the setting:
If Local System account is selected, the service is currently running as Local System.
To change it to Local System, select the Local System account radio button and click Apply and OK.
Restart the Quickpass Agent service to apply the change.
-
Isolate and Test Each Domain Controller:
Crucial Step: Temporarily Stop the Quickpass Agent service on all other Domain Controllers where the agent is installed. This ensures that the test only uses the specific DC you are currently configuring.
-
On the Domain Controller configured for Local System, perform the following tasks via the CyberQP dashboard:
Rotate passwords for an Administrator account.
Execute an End-User password reset.
-
Evaluate Results:
If these tasks work successfully, the Local System account might suffice for basic end-user management.
However, this configuration is NOT recommended for production environments for the security reasons detailed below. If the service is running as Local System, we strongly recommend changing it to a Managed Service Account (MSA).
Security Risks of Using Local System
Broad Privileges in the Local System Context: The account has full access to all local resources and services, which grants unnecessary access to the Active Directory environment.
Reduced Auditing and Accountability: Actions performed by Local System are logged under the machine's computer account, making it challenging to trace specific activities back to the Quickpass Agent service.
A Managed Service Account (MSA) or a dedicated, least-privilege AD service account is the recommended alternative to reduce unnecessary access and improve overall security.
Benefits of Managed Service Accounts (MSAs)
Managed Service Accounts (MSAs) are the recommended service account type for running applications like the Quickpass Agent in Active Directory environments. They offer significant security and operational advantages over traditional service accounts.
Key Advantages of MSAs
Automatic Password Management: MSAs automatically rotate complex passwords, reducing the risk of password-related vulnerabilities and eliminating manual updates.
Simplified SPN Management: MSAs handle Service Principal Name (SPN) configurations automatically.
Enhanced Security: MSAs cannot be used for interactive logins, minimizing the attack surface.
Delegation of Management: MSAs allow delegation of administrative tasks to non-admin accounts.
Domain Account Isolation: MSAs enhance security by isolating domain accounts for critical applications.
Microsoft Resources on MSAs
| Topic | Microsoft Resource |
|---|---|
| General Overview | Service Accounts in Windows Server |
| Best Practices | Managed Service Accounts Best Practices |
| Security/Requirements | Secure Standalone Managed Service Accounts |
| Running Assessments | Running Assessments with Managed Service Accounts |
Why Domain Admin Permissions Are Required for Full Functionality
CyberQP requires membership in the Domain Admins security group for the Agent's service account to perform critical, high-privilege operations securely and reliably across the domain.
Key Reasons for Domain Admin Requirement
-
Password Changes for Domain Admin Accounts
To modify passwords of accounts belonging to the Domain Admins group, the modifying account (the Quickpass Managed Service Account) must also belong to at least the Domain Admins group. This is a fundamental Active Directory security requirement.
-
Administrator Account Permissions
The built-in "Administrator" account and its delegation controls can only be managed by Domain Admin or Enterprise Admin accounts.
-
Service and Task Credential Rotation
Rotating service and task credentials on Domain Controllers or AD-joined servers often requires Domain Admin-level permissions, particularly for accounts that hold administrative privileges.
-
Just-in-Time/Passwordless Features
Implementing advanced features requires permissions to create Organizational Units (OUs), temporary accounts, and assign/revoke specific permissionsātasks that only Domain Admin accounts can perform globally.
More details: Refer to Microsoft's guide on Reducing the Active Directory Attack Surface for information on privileged account security.
Custom Delegation and Configuration
It is technically possible to customize permissions for the Managed Service Account created by CyberQP (or set up manually) to use a Custom Group with delegated permissions instead of the Domain Admins group.
However, implementing custom delegation requires careful planning to ensure the custom group has all the necessary permissions for all desired CyberQP functionality.
Delegation Considerations
If your use case is limited to changing end-user passwords, a custom group with delegated permissions may suffice.
To manage administrator accounts (especially built-in ones) and utilize advanced features, the built-in Domain Admins permission is still required.
Contact CyberQP support if you need further assistance or guidance in configuring permissions to meet your specific requirements.
Comments
0 comments
Please sign in to leave a comment.