Microsoft AD Service Accounts / Best Practices?

[Chris]

Dear all,

First off: I do not manage or create Microsoft Active Directory environments. I care about security components from Firewalls to SIEM/SOAR. So I don't need to get too technical about the configuration on a DC here.

However, I often need to ask customers to create or share credentials for some service accounts that need to be embedded in security components, such as:

• An account which enables LDAP(s) queries
• An account that grants access to the DC's Windows Event Logs
• An account that may install software on an endpoint device (remotely)
• A possibility for a (IT) user to change the IP address of a windows device manually (which currently results in local admin users)
• Anything else I forgot about but you know?

Of course, I always want to keep a least privilege principle. But as I just ask the customers to create an account which can do these tasks, it often results in some kind of admin user (as these are server managers and not security staff).

Now, my question/discussion entry would be:

What should I tell my customer to pay attention to when creating these kinds of accounts? What are common pitfalls on AD account creation?

 

Thanks already for your input!

Best,
Chris

[Florian]

first thing that come to my mind is group managed service account.

Group Managed Service Accounts Overview | Microsoft Learn

short breakdown -> it's a user which dynamicly change it's password and you have to specify the computer accounts who can request the password.