Log on as a service - why?

pkirill
Technical User, Jun 15, 2002
So I'm starting the process of tightening our security here by removing the default admin account and setting up accounts for those services that require admin privileges to function properly (BU Exec, SAV...). I get that I need to create an OU for service accounts, and create users for my services and then I'm a little lost.

Can anyone walk me through setting up a service account or point me to a resource for this?

Thanks a bunch!
 
The main reason for having Service Accounts in a separate OU is so that you can separate your policies.

Creating a Service Account is no different than creating a user account - with the exception of applying the proper permissions to the Service Accounts. Some people get into the habit of making all of their Service Accounts Domain Admins by default. Don't do this. Some Service Accounts do require this, but for the most part, you can get away with having the Service Account as a Local Admin on whatever server has services running under this account.

Get with your vendors, and have them recommend their "Best Practices".

Mike
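Mike's advice as a concrete walk-through, written here as an added PowerShell example (it is not code from this thread or from any vendor): a dedicated OU, one service account inside it, local Administrators membership on the single server that runs the service instead of Domain Admins, and a final check that the account did not end up in Domain Admins. The OU name `Service Accounts`, the account `svc-backup` and the server `BACKUP01` are placeholders; the script assumes the RSAT ActiveDirectory module and a target server recent enough to have `Add-LocalGroupMember` (Windows Server 2016 and later).

```powershell
# Added example, not from the thread. Creates a 'Service Accounts' OU, one
# service account in it, and makes that account a local Administrator on the
# single server that runs the service - NOT a Domain Admin.
# Assumptions: RSAT ActiveDirectory module installed; the target server is
# Windows Server 2016+ (Add-LocalGroupMember); names below are placeholders.
Import-Module ActiveDirectory

$domain     = Get-ADDomain
$ouName     = 'Service Accounts'          # assumed OU name
$ouDn       = "OU=$ouName,$($domain.DistinguishedName)"
$svcName    = 'svc-backup'                # assumed account name
$targetHost = 'BACKUP01'                  # assumed server running the service
$logon      = "$($domain.NetBIOSName)\$svcName"

# 1. A dedicated OU, so service accounts can get their own group policies.
if (-not (Get-ADOrganizationalUnit -Filter "Name -eq '$ouName'" -SearchBase $domain.DistinguishedName)) {
    New-ADOrganizationalUnit -Name $ouName -Path $domain.DistinguishedName -ProtectedFromAccidentalDeletion $true
}

# 2. The account. The initial password is entered interactively, never hard-coded.
$initialPassword = Read-Host -Prompt "Initial password for $svcName" -AsSecureString
New-ADUser -Name $svcName -SamAccountName $svcName `
           -UserPrincipalName "$svcName@$($domain.DNSRoot)" `
           -Path $ouDn -AccountPassword $initialPassword -Enabled $true `
           -CannotChangePassword $true `
           -Description 'Backup service account (placeholder description)'

# 3. Local Administrators on the one server that needs it, nothing domain-wide.
Invoke-Command -ComputerName $targetHost -ScriptBlock {
    param($member)
    Add-LocalGroupMember -Group 'Administrators' -Member $member
} -ArgumentList $logon

# 4. Check: the account must not have ended up in Domain Admins.
$domainAdmins = Get-ADGroupMember -Identity 'Domain Admins' -Recursive |
                Select-Object -ExpandProperty SamAccountName
if ($domainAdmins -contains $svcName) {
    Write-Warning "$svcName is a member of Domain Admins - remove it"
} else {
    Write-Output "$svcName is a local admin on $targetHost only; not a Domain Admin"
}
```

When you then set the service to run as this account in the Services console, Windows grants it the "Log on as a service" right on that machine automatically. If a Group Policy applied to the server defines that right explicitly, the policy wins and the account has to be added there too, otherwise the service fails to start after the next policy refresh.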
 
I appreciate the tips - I think I can handle that. And as much as I hate having to contact the vendors, I guess I need to.

Thanks for the quick response!

Paul
 
Another tip is to use very strong passwords. I would suggest creating a password database, or downloading some freeware password database like KeePass. I use this and it works quite well. It can generate super strong passwords for you. You can copy/paste from the application into your ADUC account creation interface, even between TS Sessions, as well as paste them into the services console account box. This way the only password you need to remember is the one to the password database.
 
Just to add to what TweakMyBox and Monsterjta have recommended, and assuming that the tightening of your security is to meet company and/or federal security auditing requirements.

A practice that we have implemented, in addition to the already mentioned, was to use a VBScript that accesses a DB with a list of service accounts, local admin, and other "special" accounts and changes the passwords on all the accounts on a monthly rotation.

We have a T-SQL script that creates a 32 character random password for each account before running the change password VBScript.

Auditors do NOT like non expiring/changing passwords.



Thanks

John Fuhrman
Titan Global Services
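The monthly rotation Sparkbyte describes, as an added PowerShell example (this is not the poster's VBScript or T-SQL, and not code from the thread): generate a 32-character password from the OS CSPRNG, reset the account in AD, then push the same password to every Windows service on a list of servers that logs on as that account and restart those services. The account name `svc-backup` and the hosts `BACKUP01`/`BACKUP02` are placeholders; the script assumes the RSAT ActiveDirectory module and WinRM/CIM access to the servers.

```powershell
# Added example, not the poster's VBScript/T-SQL. Rotates one service account's
# password in AD and pushes it to every Windows service on the listed servers
# that logs on as that account, then restarts those services.
# Assumptions: RSAT ActiveDirectory module; WinRM/CIM access to the servers;
# the account and host names below are placeholders.
Import-Module ActiveDirectory

$svcName = 'svc-backup'                  # assumed service account
$servers = @('BACKUP01', 'BACKUP02')     # assumed servers running services as it
$logon   = "$((Get-ADDomain).NetBIOSName)\$svcName"

# 32-character password from the OS CSPRNG, with rejection sampling so every
# alphabet character is equally likely (a plain 'byte % length' would skew).
function New-RandomPassword {
    param([int]$Length = 32)
    $alphabet = [char[]]'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!#$%&*+-=?@_'
    $limit = 256 - (256 % $alphabet.Length)   # bytes >= limit are discarded
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buf   = [byte[]]::new(1)
    $out   = New-Object System.Text.StringBuilder
    while ($out.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$out.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    return $out.ToString()
}

$plain  = New-RandomPassword
$secure = ConvertTo-SecureString -String $plain -AsPlainText -Force

# 1. Administrative reset in AD (the old password is not required).
Set-ADAccountPassword -Identity $svcName -Reset -NewPassword $secure

# 2. Every service that logs on as the account gets the new password, then a restart.
#    Do not restart anything between step 1 and the Change call, or it starts with
#    the stale stored password and fails to log on.
foreach ($server in $servers) {
    $session  = New-CimSession -ComputerName $server
    $services = Get-CimInstance -CimSession $session -ClassName Win32_Service |
                Where-Object { $_.StartName -ieq $logon }
    foreach ($svc in $services) {
        $result = Invoke-CimMethod -CimSession $session -InputObject $svc -MethodName Change `
                      -Arguments @{ StartName = $logon; StartPassword = $plain }
        if ($result.ReturnValue -ne 0) {
            Write-Warning "$server\$($svc.Name): Change failed with code $($result.ReturnValue)"
            continue
        }
        [void](Invoke-CimMethod -CimSession $session -InputObject $svc -MethodName StopService)
        Start-Sleep -Seconds 5
        $start = Invoke-CimMethod -CimSession $session -InputObject $svc -MethodName StartService
        Write-Output "$server\$($svc.Name): password updated, start code $($start.ReturnValue)"
    }
    Remove-CimSession $session
}

# 3. Store the new password in the password database (KeePass or similar) before
#    this point; here the plaintext is only dropped from the session.
Remove-Variable plain, secure
```

Two things to check before running this against real servers: `StartName` in WMI may be stored as `DOMAIN\account`, `.\account` or `account@domain`, so match on whichever form your services use, and a service you miss here will keep its old stored password and fail at its next restart, which is exactly the failure an auditor-driven rotation tends to surface.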
 
I second that, Sparkbyte. I like to rotate the domain admin every 90 days. Service accounts usually about every 180 days, as these are super strong passwords to begin with.

Hope This Helps,

Good Luck!

(I do what I can with what I know)
 