In my experience one of the most difficult security holes to plug is when a domain administrator account is used improperly on a Windows domain. All too often I see a domain administrator account used when software is deployed when a service account should have been established instead.
The modern Windows network running Active Directory will likely outlive many of the applications that are installed on it. Maintaining the directory and all the accounts in it becomes far more difficult if it isn't clear what those accounts are being used for. Additionally, if you rely on just one or two accounts with broad rights on your domain to get things done, you make it very hard to protect your network from disgruntled employees, because it is hard to change the password for an account that impacts so many different applications.
It is always a good idea to set up a new service account for every application that requires domain access, and to delegate the minimal rights that account needs. When it is clear which accounts are used for what application, directory maintenance becomes a snap! You immediately know which accounts are still in use, and which accounts can be safely retired once an application is removed from the domain.
The domain administrator account is "god" of the domain, and it is tempting to use this type of account just to avoid the permissions issues that can happen when a service account needs special rights. Even so, it is always a bad idea to use this account for anything other than its intended use, which is administering the domain. If you can resist the temptation to use this account, and take the time up front to create specific service accounts for your applications, you will actually be saving yourself a lot of time down the line. And you'll have a more secure network to boot!
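
One way to find where this has already happened is to compare each server's service logon accounts against the membership of Domain Admins. The following is an added example, not part of the original post; the function name, the CONTOSO domain and all sample rows are constructed for illustration.

```powershell
# Added example: flag Windows services that log on as a Domain Admins member.
# Find-PrivilegedServiceLogon is a hypothetical helper; sample data is constructed.
function Find-PrivilegedServiceLogon {
    param(
        [Parameter(Mandatory)] [object[]] $Service,           # PSComputerName, Name, StartName
        [Parameter(Mandatory)] [string[]] $PrivilegedAccount  # sAMAccountNames of Domain Admins
    )
    foreach ($svc in $Service) {
        $logon = [string]$svc.StartName
        if ([string]::IsNullOrWhiteSpace($logon)) { continue }

        if ($logon -match '\\') {
            # DOMAIN\user form: split off the prefix.
            $prefix, $account = $logon -split '\\', 2
            # Skip local accounts (.\name or COMPUTER\name); a local "Administrator"
            # must not be reported as the domain account of the same name.
            if ($prefix -eq '.' -or $prefix -eq $svc.PSComputerName) { continue }
        } else {
            # user@domain form, or a bare built-in name such as LocalSystem.
            $account = ($logon -split '@')[0]
        }

        # -contains compares strings case-insensitively in PowerShell.
        if ($PrivilegedAccount -contains $account) {
            [pscustomobject]@{
                Computer = $svc.PSComputerName
                Service  = $svc.Name
                LogonAs  = $logon
            }
        }
    }
}

# Constructed sample inventory. On a live domain the same shapes come from:
#   Get-CimInstance Win32_Service -ComputerName $servers   (PSComputerName, Name, StartName)
#   Get-ADGroupMember 'Domain Admins' -Recursive           (SamAccountName)
$services = @(
    [pscustomobject]@{ PSComputerName = 'APP01'; Name = 'BackupAgent'; StartName = 'CONTOSO\Administrator' }
    [pscustomobject]@{ PSComputerName = 'APP01'; Name = 'Spooler';     StartName = 'LocalSystem' }
    [pscustomobject]@{ PSComputerName = 'SQL01'; Name = 'MSSQLSERVER'; StartName = 'svc-sql@contoso.example' }
    [pscustomobject]@{ PSComputerName = 'WEB01'; Name = 'LegacySync';  StartName = '.\Administrator' }
    [pscustomobject]@{ PSComputerName = 'WEB01'; Name = 'ReportGen';   StartName = 'jsmith-da@contoso.example' }
)
$domainAdmins = 'Administrator', 'jsmith-da'

Find-PrivilegedServiceLogon -Service $services -PrivilegedAccount $domainAdmins |
    Format-Table -AutoSize
```

Each row it reports is a candidate for a dedicated service account with only the rights that application needs.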