Shared, Service and Technical Accounts
Service accounts and technical accounts are often a necessary evil: they let servers, applications and processes work together without the intervention of an actual user. They inherently pose a significant risk to your systems, because their credentials are typically long-lived, stored in configuration files and used without a person watching.
Shared accounts are accounts used by multiple people to get access to a resource. Because actions performed under a shared account cannot be attributed to an individual, their use should be avoided as much as possible.
Apply at least the following security measures to shared, service and technical accounts:
Keep access limited.
Allocate service accounts only the minimum privileges they require for the tasks they carry out, and give them no more access than is strictly necessary. Remove permissions for file sharing, internet access, remote access, local (interactive) login, etc. wherever possible.
Avoid any group memberships for service, technical and shared accounts.
Putting service accounts in groups is risky because the account receives every right and permission granted to the group, including rights that are added to the group later. Carefully evaluate the need for each group membership and, when one is required, limit it to the strict minimum.
Set explicit deny permissions on sensitive data.
Make sure your service accounts cannot reach critical or sensitive data by setting explicit denies for these accounts. An explicit deny is evaluated before permissions granted through group membership or inheritance, so it preserves the confidentiality of this data even if such a grant is added later. Note that in Windows ACLs a deny inherited from a parent is overridden by an explicit allow on the object itself, so set the deny on the sensitive object or container directly and review the denies whenever permissions are restructured.
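As an added example (not part of the original page), the following POSIX shell script audits Linux service accounts against the measures above: an interactive login shell or an unlocked password means the account can be used for local or remote login, and every supplementary group is a source of inherited rights. It runs offline against constructed /etc/passwd, /etc/shadow and /etc/group content embedded in the script; the account and group names (backup-svc, deploy-svc, alice) are hypothetical. To audit a live host, load the three variables from the real files as root.

```shell
#!/bin/sh
# Audit service accounts for limited access and stray group memberships.
# Added example; not the page's own material. The sample data below is
# constructed and the account names are hypothetical. On a live host use:
#   PASSWD_DATA=$(cat /etc/passwd); SHADOW_DATA=$(cat /etc/shadow); GROUP_DATA=$(cat /etc/group)

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
backup-svc:x:901:901:Backup service:/var/lib/backup:/usr/sbin/nologin
deploy-svc:x:902:902:Deploy service:/opt/deploy:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin'

# Password field: a '*' or '!' prefix means locked; the $6$ hashes are placeholders.
SHADOW_DATA='root:$6$saltsalt$placeholderhash:19000:0:99999:7:::
backup-svc:*:19000:0:99999:7:::
deploy-svc:$6$saltsalt$placeholderhash:19000:0:99999:7:::
www-data:*:19000:0:99999:7:::'

GROUP_DATA='root:x:0:
sudo:x:27:deploy-svc
backup:x:901:
docker:x:999:alice,deploy-svc
wheel:x:10:'

# Print USER's login shell from PASSWD_DATA (empty if the account is absent).
login_shell() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $7 }'
}

# Succeed when USER can get an interactive login, i.e. the shell is not a
# known non-login shell. An empty field defaults to /bin/sh, so it counts.
is_interactive_shell() {
    case "$(login_shell "$1")" in
        /usr/sbin/nologin|/sbin/nologin|/bin/false|/usr/bin/false) return 1 ;;
        *) return 0 ;;
    esac
}

# Succeed when USER's password is locked in SHADOW_DATA ('!' or '*' prefix).
# An unknown user is reported as not locked so that it shows up in the audit.
password_locked() {
    printf '%s\n' "$SHADOW_DATA" | awk -F: -v u="$1" '
        $1 == u { locked = ($2 ~ /^[!*]/) }
        END { exit locked ? 0 : 1 }'
}

# Print USER's supplementary groups, one per line, in GROUP_DATA order.
supplementary_groups() {
    printf '%s\n' "$GROUP_DATA" | awk -F: -v u="$1" '
        { n = split($4, m, ",")
          for (i = 1; i <= n; i++) if (m[i] == u) print $1 }'
}

# Print one line per finding for USER against the measures above.
audit_account() {
    if is_interactive_shell "$1"; then
        echo "$1: interactive login shell '$(login_shell "$1")'; set a non-login shell"
    fi
    if ! password_locked "$1"; then
        echo "$1: password not locked; lock it and use key- or token-based auth"
    fi
    for g in $(supplementary_groups "$1"); do
        echo "$1: member of supplementary group '$g'; remove unless strictly required"
    done
}

# Print the number of findings for USER (0 means the account passes).
finding_count() {
    audit_account "$1" | awk 'END { print NR }'
}

# Audit every account in the system/service UID range (here: below 1000).
audit_service_accounts() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: '$3 < 1000 { print $1 }' |
    while read -r user; do audit_account "$user"; done
}

audit_service_accounts
```

On the sample data, backup-svc and www-data pass while deploy-svc is flagged four times (interactive shell, unlocked password, membership of sudo and docker). The nearest Linux analogue to an explicit deny on a file is a POSIX ACL named-user entry with no permissions, for example `setfacl -m u:backup-svc:--- /srv/sensitive` (path hypothetical): the named-user entry is matched before any group entry during ACL evaluation, so it blocks that account even when a group it belongs to is granted rwx.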