Re: Securing Service Accounts - Good Practices



<-SNIP->
h) Name your service accounts descriptively. Make sure the actual
logon reflects something about what it is used for. In my company we
name things kinda like PRSVCWEBIISMailSend. This tells me it is
production, a service account, part of the web application, and is
likely the IIS SMTP account. This is just a fictional example, but
does stay very descriptive.
<-SNIP->

This is just my humble opinion, but in the past I have always asked
that service accounts be named just like any other user account on the
system, just with a semi-descriptive fictional name.

Example:

User Names - fred.jones, sam.templeton, peter.parker
Admin Names - jesse.henderson, mike.rodriguez, paula.samson
Service Names - randy.oracle, beth.mcmail, thomas.webster
Additional documentation would then go in the description field and
other offline documentation.

If the account database were ever enumerated from the top, the service
accounts would blend in with all of the rest. If the service accounts,
along with all the other accounts, look the same to an outsider (of the
IT Staff), then there is no obvious account to single out and attack.

Documentation is very key, and should remain offline or encrypted, or both.

This is just my 2 cents worth.

Chris.


