Securing Service Accounts - Good Practices
I'm interested in obtaining some information, either from users' personal
recommendations or from authoritative sources, on the subject of what the
good practices are for creating, managing, and securing service accounts
created in Active Directory. I will give you a scenario that I have gotten
involved in:

I have been working with a company now for a few years, mostly in a
helpdesk style support role, but have worked my way up within the
company in helping with certain responsibilities pertaining to security
which I enjoy. Getting back to the question at hand, it would appear
that previous administrators with the company when being handed the task
of creating service accounts for several of our applications and
appliances decided to take the easy route (of course, also the most
insecure) and assign domain admin privileges to most of these accounts.
Needless to say, when I learned of this, I was pretty shocked as to why
these accounts would be granted such elevated privileges and have
unfiltered access to Active Directory to perform a role that was not in
need of such rights.

We have been tasked with limiting our domain admin group to only
specific infrastructure individuals who need it and removing the service
accounts from this group. The problem we are foreseeing is once we
remove the service accounts from full access privileges, we are
expecting several routines that they were performing to fail.

The grand question here is: what are the best practices/guidelines when
encountering this type of situation? Do we remove each service account,
one by one, waiting to see what, if anything, fails, and then decide how
to give rights to that account? What about in the future, when creating
and securing new accounts... what are the best guidelines and practices
to go by?

Thanks
-Dave
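The post asks whether the only way to find out what a Domain Admin service account actually does is to pull it from the group and wait for breakage. An inventory pass first is the usual alternative: list which Domain Admins members look like service accounts, then ask each server which Windows services log on as them. The script below is an added example and is not part of Dave's post or of any reply; it assumes the RSAT ActiveDirectory module, WinRM/CIM access to the servers named in $Servers (hypothetical names), and a "svc-" naming prefix, all of which are assumptions for the sake of the example.

```powershell
# Added example, not from the original post. Inventory service accounts that
# sit in Domain Admins and find where they are used before removing them.
# Assumptions: RSAT ActiveDirectory module installed, CIM/WinRM reachable on
# the servers listed, and service accounts named with a "svc-" prefix.
Import-Module ActiveDirectory

$ServiceAccountPrefix = 'svc-'            # assumed naming convention
$Servers = 'APP01', 'APP02', 'SQL01'      # hypothetical server names

# Step 1: every user in Domain Admins (nested groups included), with the
# attributes that hint at service use: SPNs, stale logons, old passwords.
$daUsers = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object {
        Get-ADUser -Identity $_.distinguishedName `
            -Properties LastLogonDate, PasswordLastSet, ServicePrincipalName
    }

# A member is treated as a service account if it follows the naming prefix
# or carries a ServicePrincipalName (Kerberos-enabled service identity).
$serviceAccounts = $daUsers | Where-Object {
    $_.SamAccountName -like "$ServiceAccountPrefix*" -or
    $_.ServicePrincipalName.Count -gt 0
}

# Step 2: ask each server which services run under one of those accounts.
# Win32_Service.StartName is "DOMAIN\user" or "user@domain"; normalise to
# the bare SamAccountName so it can be matched against AD.
$serviceNames = $serviceAccounts.SamAccountName
$usage = foreach ($server in $Servers) {
    try {
        Get-CimInstance -ComputerName $server -ClassName Win32_Service -ErrorAction Stop |
            Where-Object { $_.StartName } |
            ForEach-Object {
                $logon = $_.StartName
                $sam = if ($logon -match '\\') { ($logon -split '\\')[-1] }
                       else { ($logon -split '@')[0] }
                if ($serviceNames -contains $sam) {
                    [pscustomobject]@{
                        Server      = $server
                        Service     = $_.Name
                        Account     = $sam
                        State       = $_.State
                        StartMode   = $_.StartMode
                    }
                }
            }
    }
    catch {
        # Unreachable host: record it rather than silently losing the server.
        [pscustomobject]@{ Server = $server; Service = 'UNREACHABLE'
                           Account = $null; State = $_.Exception.Message; StartMode = $null }
    }
}

# Step 3: report. Accounts with no hits still need checking elsewhere
# (scheduled tasks, IIS app pools, SQL jobs, appliances) before removal.
"Domain Admins members that look like service accounts:"
$serviceAccounts |
    Select-Object SamAccountName, LastLogonDate, PasswordLastSet,
                  @{n='SPNs'; e={ $_.ServicePrincipalName.Count }} |
    Format-Table -AutoSize

"Windows services running as those accounts:"
$usage | Sort-Object Account, Server | Format-Table -AutoSize

$unseen = $serviceNames | Where-Object { $_ -notin $usage.Account }
"Accounts with no service found on the listed servers (check tasks, app pools, appliances):"
$unseen
```

The output of step 3 is the working list for the removal project: for each account you know which host and service to watch when its Domain Admins membership goes away, and the "unseen" list tells you where a service inventory alone is not enough. Matching only on Win32_Service deliberately misses scheduled tasks, IIS application pools and network appliances, which is why the script prints those accounts separately rather than declaring them unused.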
