What are the best practices for service accounts?

A few thoughts:

  • One account per service, or perhaps per service type depending on your environment.

  • Accounts should be domain accounts.

  • Accounts should have a strong password that doesn't expire*. Ideally generate a random password that gets recorded somewhere (KeePass is good for this) to make it a pain for people to use it for logging on. Speaking of which...

  • ...(In general) the account should be a member of a group that does not have the rights to log on interactively. This can be controlled via Group Policy.

  • Keep in mind the principle of least privilege. Accounts should have the rights they need to do their job and no more. In keeping with this, as gravyface points out, use the built-in accounts where possible: Local Service when network access is not required, Network Service when accessing the network as the machine account will be secure enough, and avoid using the Local System account where possible.

*Unless your company security policy isn't compatible with this, but by the sounds of things it probably is :-)
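An audit script for the points in this answer (added here as an example, not code from the answer or from any product). It lists services whose logon account runs as Local System, is a local rather than domain account, or is one domain account shared by several services, and, if the RSAT ActiveDirectory module is present, flags domain service accounts whose password is set to expire. `Get-ServiceAccountFindings` and its parameters are names chosen for this example.

```powershell
# Added example: audits Windows service logon accounts against the practices above.
# Assumes a Windows host; AD checks run only when the ActiveDirectory module is installed.
function Get-ServiceAccountFindings {
    param([string]$ComputerName = $env:COMPUTERNAME)

    $services = Get-CimInstance -ClassName Win32_Service -ComputerName $ComputerName |
        Where-Object { $_.StartName }          # skip entries with no logon account recorded

    # How many services use each account ("one account per service")
    $usage = $services | Group-Object -Property StartName -AsHashTable -AsString
    $domainAccts = @()

    $findings = @(foreach ($svc in $services) {
        $acct  = $svc.StartName
        $issue = $null
        if ($acct -eq 'LocalSystem') {
            $issue = 'Runs as Local System; prefer Local Service / Network Service if sufficient'
        } elseif ($acct -like 'NT AUTHORITY\*' -or $acct -like 'NT SERVICE\*') {
            continue                            # built-in or virtual account: nothing to flag
        } elseif ($acct -like '.\*' -or $acct -like "$ComputerName\*") {
            $issue = 'Local (non-domain) account; answer recommends a domain account'
        } else {
            $domainAccts += $acct               # DOMAIN\user or user@domain form
            if ($usage[$acct].Count -gt 1) {
                $issue = "Domain account shared by $($usage[$acct].Count) services"
            }
        }
        if ($issue) { [pscustomobject]@{ Service = $svc.Name; Account = $acct; Issue = $issue } }
    })

    # Optional AD check: service account passwords should be strong and set not to expire,
    # and the last-set date is reported so accounts that were never rotated stand out.
    if (Get-Module -ListAvailable -Name ActiveDirectory) {
        foreach ($acct in ($domainAccts | Sort-Object -Unique)) {
            $sam = if ($acct -match '\\') { $acct.Split('\')[-1] } else { $acct.Split('@')[0] }
            $u = Get-ADUser -Filter "SamAccountName -eq '$sam'" -Properties PasswordNeverExpires, PasswordLastSet
            if ($u -and -not $u.PasswordNeverExpires) {
                $findings += [pscustomobject]@{
                    Service = '*'; Account = $acct
                    Issue   = "Password expires (last set $($u.PasswordLastSet)); service will break at rotation"
                }
            }
        }
    }
    $findings
}

Get-ServiceAccountFindings | Format-Table -AutoSize
```

Run it from an elevated PowerShell session on each host (or pass `-ComputerName` for remote CIM access); an empty table means nothing on that host contradicts the practices listed above.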