VMware Cloud Community
JamesConaway

weakness / strength of using local system account for vSphere services

Beyond creating Active Directory accounts for connecting your vCenter server to a remote SQL box, is there any best practice reason to create an AD account to run your vSphere services?

The default is to use the "Local System" account. Is there any inherent weakness in using the local system account for services such as vCenter, VUM, or vConverter?

If you found this at all helpful please award points by using the correct or helpful buttons! Thanks!

Accepted Solutions
rebootuser

Hi James. Using AD creds in service accounts can actually be quite insecure - a bit more info at:

http://articles.techrepublic.com.com/5100-10878_11-1053581.html (gets interesting around 3/4 of the page down)

http://www.sans.org/reading_room/whitepapers/application/service-account-vulnerabilities_5

Regards

Owen

My Blog: http://rebootuser.com

If you found this or any other post helpful please consider the use of the Helpful/Correct buttons to award points.

4 Replies
Troy_Clavell

No inherent weakness, in my opinion. The default is local system for a reason. It's efficient and, like most Windows services, runs without the need for domain credentials.

JamesConaway

So there is no benefit to using Active Directory authentication service accounts for local vSphere services?

Anyone else?

AndreTheGiant

So there is no benefit to using Active Directory authentication service accounts for local vSphere services?

As you have written, the big reason is for authentication to a remote SQL server.

I do not see any other advantage.

Andre

Andrew | http://about.me/amauro | http://vinfrastructure.it/ | @Andrea_Mauro