Shared, Service and Technical Accounts

Service accounts and technical accounts are often a necessary evil: they permit servers, applications and processes to work together without the intervention of an actual user. Because they act without a person behind them, service and technical accounts inherently pose a significant risk to your systems.

Shared accounts are accounts used by multiple people to gain access to a resource. They should be avoided as much as possible, since actions taken with a shared account cannot be attributed to an individual.

Apply at least the following security measures to shared, service and technical accounts:

Keep access limited

Allocate service accounts only the minimum privileges they require for the tasks they need to carry out, and don't give them any more access than is strictly necessary. Remove all permissions for file sharing, internet access, remote access, local login, etc. whenever possible.

Avoid group memberships for service, technical and shared accounts

Putting service accounts in groups is risky because the account receives every right and permission granted to the group, including any added to the group later. Carefully evaluate the need for each group membership and, when one is required, limit it to the strict minimum.

Set explicit deny permissions to sensitive data

Make sure your service accounts don't have access to critical or sensitive data by setting explicit denies for these accounts. Setting explicit denies ensures the confidentiality of this data, even if group membership or inherited permissions allow access.

Don't recycle/reuse service accounts

Don't create service accounts by copying an existing account, and never share one service account across multiple services. Every service account, and its permissions, should be carefully analyzed for each use and should always be unique to the service.

Disable local login, or isolate it to specific systems

More often than not, shared, service or technical accounts do not need to log in to systems interactively. Deny local login rights whenever possible. If login to specific devices is needed, limit the login rights to those specific systems.

Enable Auditing

Be sure to enable auditing for all service and technical accounts. Once auditing is enabled, regularly check the logs to see who is using the accounts, when, and for what purpose.
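The measures above (minimum privileges, no group memberships, no local login) can be checked mechanically. The script below is an added example, not part of the original page: it runs a compliance check over constructed /etc/passwd and /etc/group snapshots on a Linux host and reports each service account that has an interactive shell, uid 0, or any supplementary group membership. The account names, group names and file contents are hypothetical sample data.

```python
"""Service account compliance check over constructed passwd/group snapshots.
The SERVICE_ACCOUNTS set, PASSWD and GROUP contents are hypothetical sample data."""

SERVICE_ACCOUNTS = {"svc-backup", "svc-web", "svc-reports"}
# Shells that prevent interactive local login.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
svc-backup:x:1001:1001::/var/lib/backup:/usr/sbin/nologin
svc-web:x:1002:1002::/var/www:/bin/bash
svc-reports:x:1003:1003::/opt/reports:/usr/sbin/nologin
"""

GROUP = """\
sudo:x:27:svc-web
backup:x:34:
docker:x:999:svc-reports,alice
"""

def parse_passwd(text):
    """Map account name -> {uid, gid, shell} from passwd-format lines."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        name, _pw, uid, gid, _gecos, _home, shell = line.split(":")
        accounts[name] = {"uid": int(uid), "gid": int(gid), "shell": shell}
    return accounts

def parse_group(text):
    """Map account name -> set of supplementary groups it is listed in."""
    members = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        gname, _pw, _gid, mlist = line.split(":")
        for member in filter(None, mlist.split(",")):
            members.setdefault(member, set()).add(gname)
    return members

def check_service_accounts(passwd_text, group_text, service_accounts):
    """Return {account: [finding, ...]} for every policy violation found."""
    accounts = parse_passwd(passwd_text)
    groups = parse_group(group_text)
    findings = {}
    for name in sorted(service_accounts):
        issues = []
        entry = accounts.get(name)
        if entry is None:
            issues.append("account missing")
        else:
            if entry["shell"] not in NOLOGIN_SHELLS:
                issues.append(f"interactive shell {entry['shell']}")
            if entry["uid"] == 0:
                issues.append("uid 0")
        for gname in sorted(groups.get(name, ())):
            issues.append(f"supplementary group {gname}")
        if issues:
            findings[name] = issues
    return findings
```

On a real host, replace the sample strings with the contents of /etc/passwd and /etc/group and the set of service account names you manage; an empty result means every listed account meets the three checks.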

TASK

Segregate the accounts used for administrative and user tasks; avoid generic/shared accounts

TASK

Change any default or guessable account passwords, especially for the administrative account