alhaawi
Level 9
Message 1 of 12

what is the risk of using domain admin account to push agent

hello

how risky is it if I use a domain admin account for AD sync and push agents? If I choose to save the admin password while doing the AD sync server task, is the password stored somewhere, and how risky is this?

11 Replies

Re: what is the risk of using domain admin account to push agent

I'm sure McAfee encrypts the password before it's stored in the database. But you should always try the principle of least privilege. Why use a domain admin account for AD sync? You only need read access to AD, so any normal user account will do.

alhaawi
Level 9
Message 3 of 12

Re: what is the risk of using domain admin account to push agent

I think we need domain admin to push the McAfee agent for our clients, since the agent needs enough privileges to get installed.

mjmurra
Level 12
Message 4 of 12

Re: what is the risk of using domain admin account to push agent

There are risks. I recall a recent thread discussing the risks, but can't find the thread quickly.

alhaawi
Level 9
Message 5 of 12

Re: what is the risk of using domain admin account to push agent

Waiting for the thread that talks about the risk; however, do you recommend using a GPO or login script to be away from the risk?

best regards

McAfee Employee
Message 6 of 12

Re: what is the risk of using domain admin account to push agent

Password details are saved as AES256 hashes - however if you are concerned about saving the credentials you don't have to. (It just means you have to enter the credentials each time you want to push an agent.)

HTH -

Joe

Re: what is the risk of using domain admin account to push agent

Joe, can you tell a bit more on this topic? As far as I know you should not be able to calculate the original value from a hashed password, in contrast to encrypted passwords, which can be decrypted (if you have the encryption key).

McAfee Employee
Message 8 of 12

Re: what is the risk of using domain admin account to push agent

Cryptographic hashing is an enormous subject, a bit beyond the scope of this forum. A quick Google shows some good introductory articles on the topic, though.

But yes, one of the main points of hashing is that it is a one-way function - there is no way to get the original password back from the hash.

HTH -

Joe

Re: what is the risk of using domain admin account to push agent

Joe, I meant if you could tell us a bit more about how this is implemented in ePO. If only a password hash is stored, how can ePO use the original password for authentication?

McAfee Employee
Message 10 of 12

Re: what is the risk of using domain admin account to push agent

The login process calculates the hash of the supplied password and compares it with the stored hash - if the hashes match then the passwords must also match.

This is a very common method of storing authentication details, and is by no means unique to ePO.

Seriously, Google for some introductions to cryptographic hashing, with respect to passwords; it will explain things far better than I can.

HTH -

Joe
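The exchange in messages 6 through 10 mixes two different storage problems, and the question in message 9 is the one that matters for an agent-push account: a login password only has to be *verified* (a one-way hash suffices), but a credential the server must later *present* to other machines has to be recoverable, so it can only be stored reversibly, under a key that the server itself holds. The Python below is an illustration added to this thread; it is not ePO's code, and the page does not describe how ePO actually stores the credential. It contrasts a salted PBKDF2 hash, which can confirm a login but cannot give the password back, with an encrypt-then-MAC scheme that does return the push-account password to anyone holding the master key. `new_master_key`, `password_for_outbound_auth`, `can_decrypt` and the HMAC-SHA256 counter-mode keystream (a standard-library stand-in for AES-CTR, used so the example runs without third-party packages) are all constructed for this example.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

SALT_LEN = 16        # random salt prepended to each password hash
NONCE_LEN = 16       # random nonce prepended to each encrypted credential
TAG_LEN = 32         # HMAC-SHA256 tag appended to each encrypted credential
ITERATIONS = 200_000 # PBKDF2 work factor


# --- One-way hash: enough to check a login, useless for replaying the password ---

def hash_password(password: str) -> bytes:
    """Store salt || PBKDF2-HMAC-SHA256(password). Only verification is possible later."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Recompute the hash of the supplied password and compare it in constant time."""
    salt, digest = stored[:SALT_LEN], stored[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def password_for_outbound_auth(stored: bytes) -> Optional[str]:
    """Hypothetical lookup: a hash store cannot hand back the cleartext a server
    needs to log on to *other* hosts, so there is nothing to return."""
    return None


# --- Reversible authenticated encryption: needed when the server must later
# present the credential to other hosts (the agent-push account case) ---

def new_master_key() -> bytes:
    """Stand-in for a key-management boundary (constructed for the example).
    Whoever obtains this key together with the stored blob recovers the credential."""
    return os.urandom(32)


def _subkeys(master_key: bytes) -> Tuple[bytes, bytes]:
    # Derive independent encryption and MAC keys from the master key.
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a PRF-based stream cipher; a stdlib
    # stand-in for AES-CTR so the example has no third-party dependency.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_credential(master_key: bytes, password: str) -> bytes:
    """Encrypt-then-MAC. Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(master_key)
    nonce = os.urandom(NONCE_LEN)
    pt = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_credential(master_key: bytes, blob: bytes) -> str:
    """Verify the tag first, then recover the cleartext a push job would use."""
    enc_key, mac_key = _subkeys(master_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("credential blob was tampered with or the key is wrong")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


def can_decrypt(master_key: bytes, blob: bytes) -> bool:
    """True only for the key the blob was encrypted under."""
    try:
        decrypt_credential(master_key, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample values; not real credentials.
    login_record = hash_password("Console-L0gin!")
    print("login verifies:", verify_password("Console-L0gin!", login_record))
    print("hash yields push password:", password_for_outbound_auth(login_record))

    key = new_master_key()
    blob = encrypt_credential(key, "PushAcct-Passw0rd")
    print("server recovers push password:", decrypt_credential(key, blob))
    print("other key recovers it:", can_decrypt(new_master_key(), blob))
```

The point for the defender is the second half: because the push credential has to be decryptable, its secrecy rests on the master key and on whatever can read the server's database, so compromise of the management server is compromise of that account. That is why the least-privilege advice in the second reply matters (read-only AD sync needs no admin rights, and a dedicated account with only the local install rights the agent needs limits what a recovered password is worth), and why Joe's option of not saving the credential at all removes this exposure entirely.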