Security Vulnerabilities related to "Servicedesk" user account

Article ID: 231077

Products

CA Service Desk Manager
CA Service Management - Service Desk Manager

Issue/Introduction

Security vulnerability scan shows that the local "Servicedesk" user account has been granted excessive privileges in a Windows environment.

Is there any justification for assigning the Servicedesk user this many privileges?

  • Act as part of the operating system
  • Adjust memory quotas for a process
  • Log on as a batch job
  • Replace a process level token


Environment

Service Desk Manager 14.1 and 17.x

All Supported Windows Operating Systems

Resolution

Here are some of the reasons behind the ServiceDesk user being granted the mentioned privileges/policies:

Act as part of the operating system

This user right allows a process to impersonate any user without authentication. The process can therefore gain access to the same local resources as that user.

The Service Desk account does impersonate other SDM users for certain tasks.

Adjust memory quotas for a process

This privilege determines who can change the maximum memory that can be consumed by a process. This privilege is useful for system tuning on a group or user basis.

The Service Desk account is used for many SDM processes to manage the process memory.

Log on as a batch job

This policy setting determines which accounts can log on by using a batch-queue tool such as the Task Scheduler service. When the scheduled time arrives, the Task Scheduler service logs on the user as a batch job instead of as an interactive user, and the task runs in the user's security context.

The Service Desk account does schedule tasks internally.

Replace a process level token

This policy setting determines which parent processes can replace the access token that is associated with a child process. An access token is an object that describes the security context of a process or thread. The information in a token includes the identity and privileges of the user account that is associated with the process or thread. With this user right, every child process that runs on behalf of this user account would have its access token replaced with the process level token.

The Service Desk account is used by many processes to run new processes or child processes.
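To confirm that the account holds exactly the four rights justified above and nothing more, the following audit script can be run in an elevated PowerShell session on the SDM server. It is an added example, not part of this KB article or the product; it assumes the account is the local "Servicedesk" user (adjust $Account for a domain account) and exports the effective user-rights policy with secedit.

```powershell
# Added example (not from the KB article): lists who holds the four user rights the
# article justifies for the Service Desk account, and flags any further rights it has.
$Account = "$env:COMPUTERNAME\Servicedesk"   # assumed name; change for a domain account

# Display names from the article mapped to the constants secedit uses.
$Expected = @{
    'SeTcbPrivilege'                = 'Act as part of the operating system'
    'SeIncreaseQuotaPrivilege'      = 'Adjust memory quotas for a process'
    'SeBatchLogonRight'             = 'Log on as a batch job'
    'SeAssignPrimaryTokenPrivilege' = 'Replace a process level token'
}

# Export the effective local security policy (user rights area only) to a temp file.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit /export /cfg $cfg /areas USER_RIGHTS | Out-Null

# Parse the [Privilege Rights] section; lines look like
#   SeTcbPrivilege = *S-1-5-21-...-1001,*S-1-5-32-544
$rights = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
    if (-not $inSection -or $line -notmatch '^(\S+)\s*=\s*(.*)$') { continue }
    $name = $Matches[1]
    $sids = $Matches[2] -split ',' | ForEach-Object { $_.Trim().TrimStart('*') } | Where-Object { $_ }
    # Resolve each SID to DOMAIN\name; keep the raw value if it cannot be resolved.
    $rights[$name] = foreach ($sid in $sids) {
        try { (New-Object Security.Principal.SecurityIdentifier $sid).Translate([Security.Principal.NTAccount]).Value }
        catch { $sid }
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

# Report each justified right: does our account hold it, and who else does?
foreach ($priv in $Expected.Keys) {
    $holders = @($rights[$priv] | Where-Object { $_ })
    $has = $holders -contains $Account
    "{0,-30} {1,-36} held by account: {2}" -f $priv, $Expected[$priv], $has
    "    all holders: " + ($holders -join ', ')
}

# Any right beyond the four the article explains should be reviewed separately.
$extra = $rights.Keys | Where-Object { $rights[$_] -contains $Account -and -not $Expected.ContainsKey($_) }
if ($extra) { "Additional rights held by ${Account}: " + ($extra -join ', ') }
```

If the service runs as a domain account, the rights must be checked on the SDM server where that account is granted them, since secedit exports only the local policy of the machine it runs on.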

Additional Information

If the Service Desk service is configured to use a domain account instead of the OS Local System Account, then the domain account used must have the same privileges/policies as mentioned in this KB article.