Shared, Service and Technical Accounts

Service accounts and technical user accounts are often a necessary evil: they let servers, applications and processes work together without an actual user intervening. They also inherently pose a significant risk to your systems, because they are rarely tied to a named person, tend to keep the same credentials for years, are frequently over-privileged, and are seldom watched as closely as user accounts.

Shared accounts are accounts that are used by multiple people to get access to a resource. This

Apply at least the following security measures to shared, service and technical accounts:

Keep access limited.

Ensure you allocate service accounts only the minimum privileges they require for the tasks they need to carry out, and don't give them any more access than is necessary. Remove permissions the service does not need, such as file sharing, internet access, remote access and local logon, whenever possible.

Avoid group memberships for service, technical and shared accounts

Putting service accounts in groups is risky, because a group member receives every right and permission granted to the group, including those added to the group later without anyone reviewing the service account itself, and nested groups make this hard to see. Carefully evaluate the need for each group membership and, when one is required, limit it to the strict minimum.

Set explicit deny permissions to sensitive data

Make sure your service accounts don't have access to critical or sensitive data by setting explicit denies for these accounts. An explicit deny takes precedence over any allow in access-control evaluation, so it preserves the confidentiality of this data even if a group membership or an inherited permission would otherwise grant access. Document every deny you set, because denies are easy to overlook when permissions are later troubleshot.

Don't recycle or reuse service accounts

Don't create service accounts by copying an existing account (the copy inherits group memberships and rights that were never reviewed for the new service), and never share one service account across multiple services. Every service account, and its permissions, should be analysed carefully for each use and always be unique to the service, so that a compromise or a credential rotation affects exactly one service.

Disable local logon, or isolate it to specific systems

More often than not, shared, service and technical accounts do not need to log on to systems interactively. Deny the local logon right (and the Remote Desktop logon right) whenever possible; a Windows service account typically needs only "Log on as a service" or "Log on as a batch job". If logon to specific devices is needed, limit the logon rights to those specific systems rather than granting them domain-wide.

Enable Auditing

Be sure to enable auditing for all service and technical accounts, including both successful and failed logons. Once auditing is enabled, regularly check the logs to see who is using the accounts, from where, when, and for what purposes, and treat an interactive logon or a logon from an unexpected host by a service account as a finding to investigate.
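The following added example shows what such a regular log review can look like in code. It is not code from the original page; the account names, host names and the events themselves are constructed sample data in the shape of a JSON-lines export of Windows Security event 4624, and the inventory of allowed hosts and logon types per account is an assumption that stands in for your own documentation. Logons by accounts outside the inventory are ignored, interactive logon types are always flagged, and each event is also checked against the hosts the account is allowed to use.

```python
"""Review Windows logon audit events (4624) for service/technical accounts.

Added example; not code from the original page. All names, hosts and events
below are constructed sample data.
"""
import json
from collections import defaultdict

# Logon types as recorded in the "Logon Type" field of event 4624.
LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 8: "NetworkCleartext", 9: "NewCredentials",
               10: "RemoteInteractive", 11: "CachedInteractive"}

# Types that mean a person at a console or in an RDP session; a service
# account should never produce these.
INTERACTIVE_TYPES = {2, 7, 10, 11}

# Assumed inventory (hypothetical account and host names): the hosts each
# account may log on to and the logon types its job actually needs.
SERVICE_ACCOUNTS = {
    "svc_backup": {"hosts": {"BACKUP01"}, "logon_types": {5}},
    "svc_webapp": {"hosts": {"WEB01", "WEB02"}, "logon_types": {3, 5}},
}


def _ev(event_id, when, user, logon_type, host, ip):
    """Build one JSON-lines record in the shape of a SIEM export."""
    return json.dumps({"EventID": event_id, "TimeCreated": when,
                       "TargetUserName": user, "LogonType": logon_type,
                       "Computer": host, "IpAddress": ip})


# Constructed sample export, not real log data.
SAMPLE_EVENTS = "\n".join([
    _ev(4624, "2024-03-01T02:00:05", "svc_backup", 5, "BACKUP01", "-"),
    _ev(4624, "2024-03-01T02:01:10", "svc_webapp", 3, "WEB01", "10.0.0.5"),
    _ev(4624, "2024-03-01T09:12:44", "svc_webapp", 10, "WEB01", "10.0.0.77"),
    _ev(4624, "2024-03-01T10:30:00", "svc_backup", 5, "FILESRV03", "-"),
    _ev(4624, "2024-03-01T10:31:00", "jdoe", 2, "WS042", "-"),
    _ev(4625, "2024-03-01T10:32:00", "svc_backup", 3, "WEB02", "10.0.0.9"),
])


def parse_events(text):
    """Parse a JSON-lines export and keep only successful logons (4624)."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ev = json.loads(line)
        if ev.get("EventID") == 4624:
            events.append(ev)
    return events


def review_logons(events, inventory):
    """Return one finding per rule broken by a service-account logon."""
    findings = []
    for ev in events:
        account = ev["TargetUserName"]
        rules = inventory.get(account)
        if rules is None:          # not a service account: out of scope here
            continue
        ltype, host = ev["LogonType"], ev["Computer"]
        base = {"account": account, "host": host,
                "time": ev["TimeCreated"], "source_ip": ev["IpAddress"]}
        name = LOGON_TYPES.get(ltype, str(ltype))
        if ltype in INTERACTIVE_TYPES:
            findings.append({**base, "reason": f"interactive logon ({name})"})
        elif ltype not in rules["logon_types"]:
            findings.append({**base, "reason": f"unexpected logon type ({name})"})
        if host not in rules["hosts"]:
            findings.append({**base, "reason": "logon on host outside allow list"})
    return findings


def usage_summary(events, inventory):
    """Count logons per service account and host: the who/where/how-often view."""
    summary = defaultdict(lambda: defaultdict(int))
    for ev in events:
        if ev["TargetUserName"] in inventory:
            summary[ev["TargetUserName"]][ev["Computer"]] += 1
    return {account: dict(hosts) for account, hosts in summary.items()}


if __name__ == "__main__":
    evs = parse_events(SAMPLE_EVENTS)
    for f in review_logons(evs, SERVICE_ACCOUNTS):
        print(f"{f['time']} {f['account']}@{f['host']} from {f['source_ip']}: {f['reason']}")
    print(usage_summary(evs, SERVICE_ACCOUNTS))
```

On the sample data this reports the RDP logon by svc_webapp and the svc_backup logon on FILESRV03, while the regular service and network logons pass. The usage summary is the part to read on a schedule even when there are no findings: a host that starts appearing for an account, or a sudden change in volume, is the cue to re-check that account's inventory entry.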

TASK

Segregate the accounts used for administrative tasks from those used for day-to-day user tasks, and avoid generic or shared accounts.

TASK

Change any default or guessable account passwords, especially for administrative accounts.