Re: Re: Securing Service Accounts - Good Practices



Hey,

Two important things that the others didn't mentioned is the use of Logon Hours and Logon To fields of users in AD.
I use this properties to restrict service accounts logon to specific computers and if the service accounts are running on a schedule I also use the logon hours field.

Regards,
Zeffy.



Relevant Pages

  • Re: Disabling Interactibg Login for Service Accounts
    ... Is there any way that I can prevent certain accounts (service accounts used for applications) from being used to logon interactively (i.e though physical logon at the machine, terminal services, Remote Desktop). ... But that would have to be done explicitly on every computer in the domain and it would still not prevent users from logging on through terminal services or remote desktop. ...
    (microsoft.public.windows.server.security)
  • RE:How to disable interactive logon for service accounts on W2K a nd W2K3
    ... >logon for service accounts on W2K and W2K3. ... "Deny local logon"; you can add your service accounts ... education and the case study affords you unmatched consulting experience. ... Computer Emergency Response Teams, and Digital Investigations. ...
    (Security-Basics)
  • Re: Restrict both local machine accounts and domain accounts from login
    ... >right to logon as a service. ... >> case) policy. ... >> I do have service accounts that are also part of the Users group for ... >> of the users group. ...
    (microsoft.public.win2000.security)
  • Stop service accounts logging on.
    ... We have created several `service accounts` within Active Directory. ... They were specifically created to start services on servers. ... Is there a way of stopping them logging onto computers, ... could be `Logon hours` and `Logon to` parameters, but still not sure if this ...
    (microsoft.public.windows.server.active_directory)
  • Re: who is logon to that machine ?
    ... this includes service accounts of course. ... Assume a nt id is logon to the pc, ... I assume registry are changed to highlight in their ... > Of course when no one logs on, the changes in registry shld be "no ...
    (microsoft.public.windows.server.scripting)