Most enterprises create service accounts in AD, for example a dedicated account for the backup system or a dedicated account for monitoring. If these service accounts are not monitored properly, they can fall into disrepair over time and eventually become a security liability.
My approach to this problem:
1) Put all service accounts under a dedicated OU, for example Service Accounts.
2) The account description must be detailed and clear, e.g. “This account is for backup system, created by Jackie Chen”.
3) Schedule the following PowerShell script to run periodically. It generates a .csv report containing the account name, description, creation date, the time the password was last set, and group membership.
4) Import the .csv report into Excel and use Excel's filter function to analyse it.
```powershell
cls
$searcher = New-Object DirectoryServices.DirectorySearcher([ADSI]"")
# Canonical filter for user objects (objectCategory=person alone would also match contacts)
$searcher.Filter = "(&(objectCategory=person)(objectClass=user))"
$searcher.SearchRoot = "LDAP://OU=Service Accounts,DC=Test,DC=Com"
$searcher.CacheResults = $true
$searcher.SearchScope = "Subtree"
$searcher.PageSize = 1000   # enable paging; without it the server caps the result set at 1000 entries
$userlist = $searcher.FindAll()

# Quote a CSV field and escape embedded double quotes, so descriptions or
# group DNs that contain commas do not shift the columns in Excel
function ConvertTo-CsvField([string]$value) { '"' + $value.Replace('"', '""') + '"' }

$date = (Get-Date -UFormat "%y-%m-%d-%H:%M").ToString()
echo "SERVICE_ACCOUNTS_LIST Updated on $date" > service_accounts.csv
echo "Name,Descriptions,Account_Created_Date,Password_Lastset_Date,Last_Logon_Date,Member_of" >> service_accounts.csv

foreach ($user in $userlist)
{
    $name = ($user.Properties.cn)[0].ToString()
    if ($user.Properties.Contains("description"))
        {$notes = ($user.Properties.description)[0].ToString()}
    else
        {$notes = "N/A"}
    $whencreated = ($user.Properties.whencreated)[0].ToString()
    $pwdlastset = [datetime]::FromFileTime(($user.Properties.pwdlastset)[0])
    # memberOf is multi-valued: join the group DNs; calling ToString() on the collection
    # would only print the collection's type name
    if ($user.Properties.Contains("memberof"))
        {$memberof = ($user.Properties.memberof | ForEach-Object { $_.ToString() }) -join ";"}
    else
        {$memberof = "N/A"}
    # lastLogonTimestamp is absent for accounts that never logged on; reset it on every
    # iteration so a value from the previous account is not carried over
    if ($user.Properties.Contains("lastlogontimestamp"))
        {$lastlogon = [datetime]::FromFileTime(($user.Properties.lastlogontimestamp)[0])}
    else
        {$lastlogon = "N/A"}
    $line = (($name, $notes, $whencreated, $pwdlastset, $lastlogon, $memberof) |
        ForEach-Object { ConvertTo-CsvField $_ }) -join ","
    Out-File -InputObject $line service_accounts.csv -Append
}
```
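Step 4 filters the report by hand in Excel. As an added example (not part of the original post), the following script does the same triage automatically: it reads the report, skips the "SERVICE_ACCOUNTS_LIST Updated on" banner line, and flags accounts with no description, a password older than a chosen threshold, or membership in a privileged group. The column names match the header the script above writes; the sample report, the 365-day threshold and the fixed "now" date are constructed for this example, and fields containing commas are assumed to be quoted.

```powershell
# Added example: automated review of the service_accounts.csv report.
# Assumptions (not from the original post): banner line first, then the CSV header;
# dates parse with the local culture; the threshold below is a constructed policy value.

$StalePasswordDays = 365

# Constructed sample report in the layout of service_accounts.csv
$sampleReport = @'
SERVICE_ACCOUNTS_LIST Updated on 12-03-01-09:30
Name,Descriptions,Account_Created_Date,Password_Lastset_Date,Member_of
svc_backup,"This account is for backup system, created by Jackie Chen",2009-05-04 10:12:00,2012-01-15 08:00:00,"CN=Backup Operators,CN=Builtin,DC=Test,DC=Com"
svc_monitor,N/A,2008-02-11 14:30:00,2008-02-11 14:30:00,N/A
svc_legacy,Old ERP interface,2007-07-20 09:00:00,2007-07-20 09:01:00,"CN=Domain Admins,CN=Users,DC=Test,DC=Com"
'@

function Get-ServiceAccountFindings {
    param(
        [string[]]$ReportLines,
        [int]$StaleDays,
        [datetime]$Now = (Get-Date)
    )
    # Drop the banner line so ConvertFrom-Csv sees the real header row
    $rows = $ReportLines | Select-Object -Skip 1 | ConvertFrom-Csv
    foreach ($row in $rows) {
        $findings = @()
        if ($row.Descriptions -eq "N/A" -or [string]::IsNullOrWhiteSpace($row.Descriptions)) {
            $findings += "no description (owner and purpose unknown)"
        }
        $pwdSet = [datetime]::Parse($row.Password_Lastset_Date)
        $age = ($Now - $pwdSet).Days
        if ($age -gt $StaleDays) {
            $findings += "password not changed for $age days"
        }
        # Service accounts rarely need built-in admin groups; highlight them for review
        if ($row.Member_of -match "Domain Admins|Enterprise Admins|CN=Administrators,") {
            $findings += "member of a privileged group"
        }
        if ($findings.Count -gt 0) {
            [pscustomobject]@{ Name = $row.Name; Findings = ($findings -join "; ") }
        }
    }
}

$lines = $sampleReport -split "`r?`n"
Get-ServiceAccountFindings -ReportLines $lines -StaleDays $StalePasswordDays -Now ([datetime]"2012-03-01") |
    Format-Table -AutoSize
```

To run it against a real report, replace `$lines` with `Get-Content service_accounts.csv` and drop the `-Now` argument so the current date is used; the findings can then be piped to `Export-Csv` for the account owners to act on.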
Reposted from: https://blog.51cto.com/jackiechen/405788