Hi all,
I'm interested in obtaining some information, either from users' personal recommendations or from authorized sources, on the good practices for creating, managing, and securing service accounts created in Active Directory. I will give you a scenario that I have gotten involved in:
I have been working with a company now for a few years, mostly in a helpdesk style support role, but have worked my way up within the company in helping with certain responsibilities pertaining to security, which I enjoy. Getting back to the question at hand, it would appear that previous administrators with the company, when being handed the task of creating service accounts for several of our applications and appliances, decided to take the easy route (of course, also the most insecure) and assign domain admin privileges to most of these accounts. Needless to say, when I learned of this, I was pretty shocked as to why these accounts would be granted such elevated privileges and have unfiltered access to Active Directory to perform a role that was not in need of such rights.
We have been tasked with limiting our domain admin group to only specific infrastructure individuals who need it and removing the service accounts from this group. The problem we are foreseeing is once we remove the service accounts from full access privileges, we are expecting several routines that they were performing to fail.
The grand question here is what are the best practices/guidelines when encountering this type of solution. Do we remove each service account, one by one, waiting to see what, if anything, fails and then decide how to give rights to that account? What about in the future, when creating and securing new accounts... what are the best guidelines and practices to go by?
Sorry for the rant, but any help y'all could give me is greatly appreciated!
Thank you