What are the best practices for service accounts?
A few thoughts:
One account per service, or perhaps per service type depending on your environment.
Accounts should be domain accounts.
Accounts should have a strong password that doesn't expire*. Ideally generate a random password that gets recorded somewhere (KeePass is good for this) to make it a pain for people to use it for logging on. Speaking of which...
...(In general) the account should be a member of a group that does not have the rights to log on interactively. This can be controlled via Group Policy.
Keep in mind the principle of least privilege. Accounts should have the rights they need to do their job and no more. Inkeeping with this, as gravyface points out, use the built in accounts where possible.
Local Service
when network access is not required.Network Service
when accessing the network as the machine account will be secure enough, and avoid using theLocal System
account where possible.
*Unless your company security policy isn't compatible with this, but by the sounds of things it probably is :-)