What user account should we use for scheduled tasks on a server with sensitive material?

Solution 1:

Assuming you are using a Windows 2008R2 system and a 2008R2 AD, you can use a managed service account for this.

This technet blog entry has a pretty good summary of how to use managed service accounts, but here are the basic principles:

A managed service account is an AD account that is strongly tied to a computer and that has an automatically managed password. You don't create the password and nobody needs to know about it, but since it's an AD account, you can use it for network ACLs, which makes it perfect for your scenario.

Using a MSA for a scheduled task will, however, require you to use the command-line to create your tasks (see this and this thread for more details).

Solution 2:

Overall what you've done up front is fine. A dedicated "service" style account that is set up with the permissions it needs and is used to run the scheduled tasks.

At this point, all you really need to do is:

  1. Change the password to buildacc
  2. Don't let the 4 developers know the password
  3. Assign someone the task of changing the scripts/tasks going forward (i.e. change control policies) after the developers change their code.

It's really just an internal policy issue at this point. You should set up the scheduled tasks so that they don't really change. Meaning if it is running "test.exe" then have the developers modify that exe file but not the scheduled task itself. If all 4 of the developers truly need access to change the scheduled tasks then you are simply stuck where you are...

EDIT: I'd also caution you on being too liberal with your buildacc account across services and servers. Better to keep it strictly for "builds" and have backups and other services run under their own dedicated accounts.
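The caution above about a shared account sprawling across services and servers is easiest to act on with an inventory. The following PowerShell is an added example, not code from any of the answers: it lists every scheduled task and Windows service on a set of servers that runs as the shared account, so everything that is not a build can be moved to its own dedicated account before the password is rotated. Server names, the domain and the account name are placeholders; it uses `schtasks /S` and WMI so it also works against Windows Server 2008 R2 hosts.

```powershell
# Added example: inventory where a shared service account is used across
# servers (scheduled tasks and services) so it can be kept strictly for builds.
# Assumptions: placeholder hosts/account below, admin rights on each server,
# RPC/WMI reachable. Works against 2008 R2 (schtasks + WMI, no CIM required).

param(
    [string[]]$Servers = @('BUILD01', 'FILE01'),   # placeholder hosts
    [string]$Account   = 'CORP\buildacc'            # placeholder account
)

$sam = $Account.Split('\')[-1]   # match on the sAMAccountName part only

$findings = foreach ($s in $Servers) {
    # Scheduled tasks: the verbose CSV output carries a "Run As User" column.
    # schtasks repeats the header row per task folder, so drop those rows.
    $tasks = schtasks /Query /S $s /V /FO CSV 2>$null | ConvertFrom-Csv |
             Where-Object { $_.TaskName -ne 'TaskName' -and $_.'Run As User' -like "*$sam*" }
    foreach ($t in $tasks) {
        [pscustomobject]@{
            Server  = $s
            Kind    = 'ScheduledTask'
            Name    = $t.TaskName
            RunAs   = $t.'Run As User'
            Command = $t.'Task To Run'
        }
    }

    # Windows services: Win32_Service.StartName is the logon account.
    $svcs = Get-WmiObject -Class Win32_Service -ComputerName $s |
            Where-Object { $_.StartName -like "*$sam*" }
    foreach ($v in $svcs) {
        [pscustomobject]@{
            Server  = $s
            Kind    = 'Service'
            Name    = $v.Name
            RunAs   = $v.StartName
            Command = $v.PathName
        }
    }
}

$findings | Sort-Object Server, Kind, Name | Format-Table -AutoSize

# Once only build tasks remain on the list, rotate the password so the
# developers no longer know it (ActiveDirectory module, run by the task owner):
#   Set-ADAccountPassword -Identity $sam -Reset -NewPassword (Read-Host -AsSecureString 'New password')
# Then update the stored credential on each remaining task:
#   schtasks /Change /S BUILD01 /TN "NightlyBuild" /RU $Account /RP *
```

Run it from an admin workstation; each row whose `Kind` or `Command` is not a build is a candidate for its own dedicated account, and the rotation at the end must be followed by the `schtasks /Change` step on every task that still runs as the account, or those tasks will fail at the next trigger.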

Solution 3:

I see several answers mentioning MSA as a solution for the account used to run a scheduled task but as mentioned by the author of this post, they use Windows Server 2008 R2 and according to my research, MSA on this OS can't be used to run scheduled tasks.

However, with Windows Server 2012, a gMSA (Group Managed Service Account) can be used to run scheduled tasks as explained in this article.
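For the command-line route Solution 1 describes and the gMSA route Solution 3 points to, the following PowerShell is an added example, not code from the answers or from the linked articles: on Windows Server 2012 or later it creates a group managed service account, limits which host may retrieve its password, and registers a scheduled task that runs under it without any stored password. The domain `corp.example`, host `BUILD01`, account `gmsaBuild` and script path `C:\Build\nightly.ps1` are placeholders.

```powershell
# Added example: gMSA as the identity for a scheduled task (Server 2012+).
# Placeholders: domain corp.example, host BUILD01, account gmsaBuild,
# script C:\Build\nightly.ps1. Requires the ActiveDirectory RSAT module.

Import-Module ActiveDirectory

# --- Once per forest: the KDS root key that gMSA passwords are derived from.
# -EffectiveImmediately is for a lab; in production create it without the
# switch and wait ~10 hours for replication before creating accounts.
if (-not (Get-KdsRootKey)) { Add-KdsRootKey -EffectiveImmediately }

# --- Create the account and restrict password retrieval to the one build
# host (least privilege: other computers cannot obtain the password).
New-ADServiceAccount -Name gmsaBuild `
    -DNSHostName 'gmsaBuild.corp.example' `
    -PrincipalsAllowedToRetrieveManagedPassword 'BUILD01$'

# --- On BUILD01: install the account locally and confirm it is usable.
Install-ADServiceAccount -Identity gmsaBuild
if (-not (Test-ADServiceAccount -Identity gmsaBuild)) {
    throw 'gMSA is not usable on this host (check KDS key replication and PrincipalsAllowedToRetrieveManagedPassword)'
}

# --- Register the task. -LogonType Password makes Task Scheduler fetch the
# managed password itself; nobody types or stores one. The trailing $ on the
# user id is required for service accounts.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' `
                 -Argument '-NoProfile -ExecutionPolicy Bypass -File C:\Build\nightly.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At '2:00AM'
$principal = New-ScheduledTaskPrincipal -UserId 'CORP\gmsaBuild$' `
                 -LogonType Password -RunLevel Limited
Register-ScheduledTask -TaskName 'NightlyBuild' `
    -Action $action -Trigger $trigger -Principal $principal

# --- Verify: the principal shows the gMSA and there is no stored credential.
(Get-ScheduledTask -TaskName 'NightlyBuild').Principal
```

Two caveats a practitioner will hit: the account still needs whatever NTFS, share and "Log on as a batch job" rights the job requires (grant them to the `gmsaBuild$` object or a group it belongs to; `Register-ScheduledTask` does not grant any), and the task must be created from PowerShell or `schtasks` exactly as Solution 1 says, because the Task Scheduler GUI cannot select a gMSA principal.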