Shared, Service and Technical Accounts
Service accounts and technical user accounts are often a necessary evil: they allow servers, applications and processes to work together without the intervention of an actual user. Service and technical accounts therefore inherently pose a significant risk to your systems.
Shared accounts are accounts that are used by multiple people to get access to a resource. This
Apply at least the following security measures to shared, service and technical accounts:
Keep access limited.
Ensure you allocate service accounts only the minimum privileges they require for the tasks they need to carry out, and don't give them any more access than is necessary. Wherever possible, remove all permissions for file sharing, internet access, remote access, local login and similar capabilities.
Avoid any group memberships for Service Accounts, Technical and Shared Accounts
Putting service accounts in groups is risky, because a service account receives whatever rights and permissions the group carries. Carefully evaluate the need for each group membership and, where one is required, limit it to the strict minimum.
Set explicit deny permissions on sensitive data
Make sure your service accounts don't have access to critical or sensitive data by setting explicit denies for these accounts. An explicit deny preserves the confidentiality of this data even if a group membership or inherited permissions would otherwise allow access.
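The three measures above can be checked mechanically on a Linux host. The following audit script is an added example, not part of the original page: it flags service accounts that still have an interactive shell, lists every group membership they hold (privileged groups first), and checks a sensitive path for an explicit no-permission ACL entry. It also shows why such an entry works: in POSIX ACL evaluation a matching named-user entry is final, so `user:<svc>:---` denies the account even when a group it belongs to is granted access, which is the Linux counterpart of the explicit deny described above. All input (the passwd/group snapshot and the getfacl output) is constructed so the script runs offline; the `svc_` naming convention and the privileged-group list are assumptions.

```python
"""Audit service accounts against the measures above (added example).
All data below is constructed; the svc_ prefix and the privileged-group
list are assumptions, not something the original page specifies."""

# Constructed /etc/passwd snapshot: svc_deploy still has a login shell.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
svc_backup:x:901:901:backup service:/nonexistent:/usr/sbin/nologin
svc_deploy:x:902:902:deploy service:/home/svc_deploy:/bin/bash
"""

# Constructed /etc/group snapshot: svc_deploy has picked up sudo and docker.
GROUP = """\
root:x:0:
sudo:x:27:alice,svc_deploy
docker:x:998:svc_deploy
finance:x:2001:alice,svc_backup
svc_backup:x:901:
svc_deploy:x:902:
"""

# Constructed getfacl output for a sensitive share: svc_backup carries an
# explicit no-permission entry, svc_deploy does not.
GETFACL = """\
# file: srv/finance
# owner: root
# group: finance
user::rwx
user:svc_backup:---
group::r-x
mask::r-x
other::---
"""

SERVICE_PREFIX = "svc_"                       # assumed naming convention
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}
PRIVILEGED_GROUPS = {"root", "sudo", "wheel", "adm", "docker"}  # assumed list


def parse_passwd(text):
    """Map user name -> (home, shell)."""
    out = {}
    for line in filter(None, text.splitlines()):
        name, _, _uid, _gid, _gecos, home, shell = line.split(":")
        out[name] = (home, shell)
    return out


def parse_group(text):
    """Map group name -> set of supplementary members."""
    out = {}
    for line in filter(None, text.splitlines()):
        name, _, _gid, members = line.split(":")
        out[name] = {m for m in members.split(",") if m}
    return out


def audit_accounts(passwd_text, group_text):
    """Findings for 'keep access limited' and 'avoid group memberships'."""
    users, groups = parse_passwd(passwd_text), parse_group(group_text)
    findings = []
    for name in sorted(n for n in users if n.startswith(SERVICE_PREFIX)):
        _home, shell = users[name]
        if shell not in NOLOGIN_SHELLS:
            findings.append(f"{name}: interactive shell {shell}")
        for g in sorted(g for g, members in groups.items() if name in members):
            kind = "privileged" if g in PRIVILEGED_GROUPS else "supplementary"
            findings.append(f"{name}: {kind} group membership {g}")
    return findings


def parse_getfacl(text):
    """Return (owner, owning group, [(tag, qualifier, perms), ...])."""
    owner = group = None
    entries = []
    for line in filter(None, text.splitlines()):
        if line.startswith("# owner: "):
            owner = line.split(": ", 1)[1]
        elif line.startswith("# group: "):
            group = line.split(": ", 1)[1]
        elif not line.startswith("#"):
            entries.append(tuple(line.split(":")))
    return owner, group, entries


def effective_perms(acl, user, user_groups):
    """POSIX ACL check order: owner, named user, group entries, other.
    A matching named-user entry is final, so user:<svc>:--- denies access
    even when a group the account belongs to is granted it."""
    owner, owning_group, entries = acl
    mask = next(p for t, _, p in entries if t == "mask")
    masked = lambda p: "".join(c if c in mask else "-" for c in p)
    if user == owner:                       # owner entry is not masked
        return next(p for t, q, p in entries if t == "user" and not q)
    for t, q, p in entries:                 # named user wins outright
        if t == "user" and q == user:
            return masked(p)
    matched, granted = False, set()
    for t, q, p in entries:                 # union of matching group entries
        if t == "group" and (owning_group if not q else q) in user_groups:
            matched, granted = True, granted | set(masked(p).replace("-", ""))
    if matched:
        return "".join(c if c in granted else "-" for c in "rwx")
    return next(p for t, _, p in entries if t == "other")


def missing_denies(acl, accounts):
    """Service accounts lacking an explicit user:<name>:--- entry on the path."""
    _, _, entries = acl
    denied = {q for t, q, p in entries if t == "user" and q and p == "---"}
    return [a for a in accounts if a not in denied]


if __name__ == "__main__":
    for finding in audit_accounts(PASSWD, GROUP):
        print("FINDING", finding)
    acl = parse_getfacl(GETFACL)
    print("svc_backup on /srv/finance:", effective_perms(acl, "svc_backup", {"finance"}))
    print("no explicit deny:", missing_denies(acl, ["svc_backup", "svc_deploy"]))
```

On a real host the three constants would be replaced by the contents of `/etc/passwd`, `/etc/group` and the output of `getfacl` on each sensitive path; the checks themselves stay the same. Note that the `finance` membership of `svc_backup` is still reported even though the ACL denies that account: the page's second measure is to avoid the membership altogether, and the explicit deny is the safety net for the case where it cannot be removed.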