My boss is concerned the service account that the QuickAdd package uses can be hacked. After we collect the machines into the JSS's inventory, we are joining (binding) them to our Active Directory service. He is insistant that the QuickAdd service account is a 'domain account' and not a 'local account'. I am confused a hope you can help me find the words to get him off my back ; -)
Answer
Tell me about the service account that the QuickAdd package will use
+3Best answer by jarednichols
Ask your boss which one is more secure:
1. 100 machines with the same AD service account that all have the same password.
2. 100 machines with a hidden service account where the password is spun to a random password every day that's unique to each machine and encrypted and stored in the JSS where nobody but the JSS itself knows what the password is?
If you picked #2, and your boss still picked #1, you should be your boss. (Yes, Nation, I'm in a bit of a mood today)
+24Ask your boss which one is more secure:
1. 100 machines with the same AD service account that all have the same password.
2. 100 machines with a hidden service account where the password is spun to a random password every day that's unique to each machine and encrypted and stored in the JSS where nobody but the JSS itself knows what the password is?
If you picked #2, and your boss still picked #1, you should be your boss. (Yes, Nation, I'm in a bit of a mood today)
+24Jared took the words out of my mouth, mostly. :)
You can randomize the Casper service account password on every Mac nearly as often as a security freak would want and also make it pretty complex. And as Jared mentions, this could be known by literally no human being, only the JSS itself. I would say that is way more secure than a domain account. Even if one Macs local Casper service account manages to get hacked, it would only work on that one Mac, not allow access to any domain services (including your Casper server) and would just get changed the next time the policy kicks in. So what's to worry about?
Granted, this could be set up in a way that is very insecure., if you create a local non hidden service account called "admin" with a password like "adm1n" or such and never change it. But you wouldn't be doing that anyway would you. ;)
+3Gentlemen... you have MADE MY DAY ! Thank you... one more quick one; Is that service account's password being randomized by default, or is that something I need to set in motion. Thanks again.
+24Something you need to set in motion. Create a new policy and under the Accounts tab you'll see a section for Changing the Management account on the right. Choose the "Randomly Generate Password" option and choose the number of characters you want. Then set the frequency of the policy (Once very day or Once every week for example) , set it to the every15 trigger and scope it to all your Macs or a subset. Done.
+24Mike is spot on. I incorporate said password change in my policy that inventories machines once a day. It doesn't need to be forked out on its own.
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.