Domain requirements
Bravura Security Fabric servers can operate as domain members, but before joining one to a domain you should weigh the following points:
Security / limited accessibility:
If the Bravura Security Fabric server is a domain member, then domain administrators who are not Bravura Security Fabric administrators can nevertheless obtain administrative logon access to the server, and from there can reach the (encrypted) credentials it stores for target systems other than the domain itself.
A segregation-of-duties policy calls for eliminating the ability of the administrators of one system to reach privileged accounts on another. Because Bravura Security Fabric houses exactly such credentials, keeping the server out of the domain is the simplest way to enforce that separation.
Secure service account:
Bravura Security Fabric requires a service account under which the Bravura Security Fabric services run. When a domain account is used for this purpose, it is recommended to restrict that account's ability to log on interactively (locally or through Remote Desktop) to machines in the domain, so that a stolen service account password cannot be used to walk onto other servers. This is a recognized industry best practice and is configured with Group Policy.
See Creating a secure service account for more details.
Windows credential conflicts:
To change or verify passwords on an Active Directory domain, Bravura Security Fabric uses ADSI, which may open a named-pipe connection to a share on a domain controller, such as the NETLOGON share.
If an administrative user logs in to the Bravura Security Fabric server console and makes a similar connection to the same domain controller using their personal credentials (rather than the credentials stored in Bravura Security Fabric), the Windows network provider may report a credential conflict error ("Multiple connections to a server or shared resource by the same user ... are not allowed"). This can interrupt Bravura Security Fabric's ability to manage user objects on the domain for the duration of that interactive logon session.
If the Bravura Security Fabric server is not a domain member, the set of administrators who can inadvertently trigger this condition is much smaller, so Bravura Security Fabric operation is more reliable and less prone to human-induced errors.
Password randomization:
Credential problems can also occur if the Bravura Privilege server is itself a domain controller and Bravura Privilege manages the administrator account that it uses to connect to that same system. When Bravura Privilege randomizes the administrator account's password, the stored credentials used to reach the target system may not be updated to match, and subsequent operations against the target fail.
Creating a secure service account
The following steps for creating a secure service account are demonstrated on Windows Server 2019:
Launch
Create an OU.
In the OU, create an account to serve as the service account and add it to the Administrators group. When you run the installer, the default account name is psadmin.
Give the new account the "Log on as a service" right under Local Security Policy settings.
Add a security group.
Add the service account as a member of the security group.
Launch Group Policy Management Console (GPMC).
Create a new group policy.
Right-click the group policy and click Edit... to launch Group Policy Management Editor, then configure the group policy with the following settings:
Navigate to Computer Configuration > Policies > Windows Settings > Security Settings > Local Policies > User Rights Assignment.
Select Deny log on locally and enter the security group created previously.
Select Deny log on through Remote Desktop Services and enter the security group created previously.
Select Log on as a batch job and enter the security group created previously. Note that defining a user right in a GPO replaces the entire assignment on every machine the GPO applies to, so also add the default members of this right (Administrators, Backup Operators, Performance Log Users) or scheduled tasks on those machines will stop running.
Remove Administrators from the User Rights Assignment Deny log on as a batch job, since the service account is itself a member of Administrators.
Exit from Group Policy Management Editor.
Back in Group Policy Management Console (GPMC), click the Scope tab and confirm that Security Filtering applies the GPO to Authenticated Users.
Link the GPO to every OU containing machines on which you want to block interactive logon by the service account, or to the domain root to cover all machines.
If you have more than one domain, you can place groups from a trusted domain in the GPO. With a two-way trust you will probably want an equivalent GPO on both sides, so the account is blocked in whichever domain it authenticates to.
Reboot, or run gpupdate.exe /force on the affected machines, to apply the GPO.
Test that the service account can no longer log on interactively to the machines where the GPO is applied; an attempt should be refused with a "has not been granted the requested logon type at this computer" logon failure, while the Bravura Security Fabric services continue to start under the account.
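The procedure above, scripted end to end in PowerShell as an added example. This is not code from the Bravura Security Fabric product or documentation; it assumes a domain-joined administrative host with the RSAT ActiveDirectory and GroupPolicy modules, and the OU, group and GPO names are assumptions (psadmin is only the installer's default). Because the GroupPolicy module has no cmdlet for User Rights Assignment, the script writes the security template (GptTmpl.inf) into the GPO's SYSVOL folder directly, registers the Security client-side extension on the GPO object and bumps its version so clients pick the settings up; the final block performs the logon test from step 13.

```powershell
# Added example, not Bravura's own code. Assumes RSAT (ActiveDirectory, GroupPolicy modules).
# OU, group and GPO names below are assumptions; 'psadmin' is the installer's default name.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain    = Get-ADDomain
$ouName    = 'Bravura Service Accounts'                           # assumed
$ouPath    = "OU=$ouName,$($domain.DistinguishedName)"
$svcName   = 'psadmin'
$groupName = 'Bravura-DenyInteractiveLogon'                        # assumed
$gpoName   = 'Bravura - Deny interactive logon for service account' # assumed

# Steps 1-3: OU and service account. Adding the account to the local Administrators group
# and granting "Log on as a service" happen on the Bravura server itself (installer/secpol).
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'")) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName
}
New-ADUser -Name $svcName -SamAccountName $svcName -Path $ouPath -Enabled $true `
    -AccountPassword (Read-Host -AsSecureString "Password for $svcName")

# Steps 4-5: security group that the user-rights entries will reference by SID.
New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path $ouPath
Add-ADGroupMember -Identity $groupName -Members $svcName
$sid = (Get-ADGroup -Identity $groupName).SID.Value

# Steps 6-8: create the GPO and write its security template. Each right listed here
# REPLACES that right's assignment on targets, so SeBatchLogonRight keeps the default
# members (Administrators S-1-5-32-544, Backup Operators -551, Performance Log Users -559)
# and SeDenyBatchLogonRight is defined empty, i.e. Administrators removed from it.
$gpo    = New-GPO -Name $gpoName
$gpoDir = "\\$($domain.DNSRoot)\SYSVOL\$($domain.DNSRoot)\Policies\{$($gpo.Id)}"
$secDir = Join-Path $gpoDir 'Machine\Microsoft\Windows NT\SecEdit'
New-Item -ItemType Directory -Path $secDir -Force | Out-Null
@"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[Privilege Rights]
SeDenyInteractiveLogonRight = *$sid
SeDenyRemoteInteractiveLogonRight = *$sid
SeBatchLogonRight = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-32-559,*$sid
SeDenyBatchLogonRight =
"@ | Set-Content -Path (Join-Path $secDir 'GptTmpl.inf') -Encoding Unicode

# Tell clients the Security CSE has settings in this GPO, and raise the machine version
# (low 16 bits of versionNumber) in both AD and gpt.ini so the template is re-read.
$cse = '[{827D319E-6EAC-11D2-A4EA-00C04F79F83A}{803E14A0-B4FB-11D0-A0D0-00A0C90F574B}]'
Set-ADObject -Identity $gpo.Path -Replace @{ gPCMachineExtensionNames = $cse }
$newVer = (Get-ADObject -Identity $gpo.Path -Properties versionNumber).versionNumber + 1
Set-ADObject -Identity $gpo.Path -Replace @{ versionNumber = $newVer }
Set-Content -Path (Join-Path $gpoDir 'gpt.ini') -Value "[General]`r`nVersion=$newVer"

# Steps 9-10: a new GPO already grants Authenticated Users the Apply permission;
# link it at the domain root so every machine denies the account interactive logon.
New-GPLink -Name $gpoName -Target $domain.DistinguishedName -LinkEnabled Yes | Out-Null

# Steps 12-13 (run on a target machine): refresh policy, then attempt an interactive
# logon as the service account. Start-Process -Credential uses CreateProcessWithLogonW,
# an interactive logon, so with the deny right in effect it must fail.
gpupdate.exe /force /target:computer
$cred = Get-Credential -UserName "$($domain.NetBIOSName)\$svcName" -Message 'service account'
try {
    Start-Process -FilePath cmd.exe -ArgumentList '/c exit' -Credential $cred -Wait -ErrorAction Stop
    Write-Warning "Interactive logon as $svcName SUCCEEDED: the GPO is not in effect on this host."
} catch {
    Write-Host "Interactive logon denied as expected: $($_.Exception.Message)"
}
```

Run the first part once from a domain admin session and the final test block on each class of machine the GPO is linked to, including the Bravura Security Fabric server itself, where the services should still start (service logon is a different logon type and is not affected by the deny rights). If you prefer to keep the GPO's security template under GUI control, create the rights once in Group Policy Management Editor and use the script only for the object creation and the test.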