Service Id's Restriction

  • Question

  • As per the standards, service IDs should only be used to run a service and should not be logged on to.

    The concern is that these IDs can be exempt from the security policies, e.g. password reset every 90 days / non-expiring passwords, and sometimes have admin rights on a machine or server. Given that they are essentially generic accounts, anyone with access to the password could use it to log on unless we have provisions in place to prevent this.

    One way to prevent users from logging on with these accounts is using a Deny Logon Locally GPO. I found the following write-up interesting - can you let me know if we have anything similar currently?

    Thanks HA

    Thursday, March 16, 2017 3:37 AM
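
One way to check whether a machine already has such a restriction in place, as an added example that is not part of the original post: the script exports the effective user-rights assignment with `secedit` and reports whether each service account is directly assigned "Deny log on locally" (`SeDenyInteractiveLogonRight`) or "Deny log on through Remote Desktop Services" (`SeDenyRemoteInteractiveLogonRight`). The account names and the `Resolve-ToSid` helper are hypothetical placeholders, and the script assumes an elevated session.

```powershell
# Added example: run from an elevated PowerShell session on the machine being checked.
# Account names below are constructed placeholders, not values from the thread.
$ServiceAccounts = @('CONTOSO\svc-sql', 'CONTOSO\svc-backup')

# User-rights constants behind the two "deny" policy settings.
$DenyRights = [ordered]@{
    SeDenyInteractiveLogonRight       = 'Deny log on locally'
    SeDenyRemoteInteractiveLogonRight = 'Deny log on through Remote Desktop Services'
}

function Resolve-ToSid([string]$Entry) {
    # secedit writes SIDs as "*S-1-5-..." and some principals as plain names.
    $Entry = $Entry.Trim()
    if ($Entry.StartsWith('*')) { return $Entry.Substring(1) }
    try {
        return ([System.Security.Principal.NTAccount]$Entry).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }   # name could not be resolved
}

# Export only the user-rights area of the effective security policy.
$cfg = Join-Path $env:TEMP ("user-rights-{0}.inf" -f [guid]::NewGuid())
try {
    secedit.exe /export /cfg $cfg /areas USER_RIGHTS /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed (exit code $LASTEXITCODE)" }
    $lines = Get-Content -Path $cfg
} finally {
    Remove-Item -Path $cfg -ErrorAction SilentlyContinue
}

# Map each right to the list of SIDs it is assigned to.
$assigned = @{}
foreach ($right in $DenyRights.Keys) {
    $line = $lines | Where-Object { $_ -match "^$right\s*=" } | Select-Object -First 1
    $entries = if ($line) { ($line -split '=', 2)[1] -split ',' } else { @() }
    $assigned[$right] = @($entries | ForEach-Object { Resolve-ToSid $_ } | Where-Object { $_ })
}

# One row per account and policy; Denied is true only for a direct assignment.
foreach ($account in $ServiceAccounts) {
    $sid = Resolve-ToSid $account
    foreach ($right in $DenyRights.Keys) {
        [pscustomobject]@{
            Account = $account
            Policy  = $DenyRights[$right]
            Denied  = [bool]($sid -and ($assigned[$right] -contains $sid))
        }
    }
}
```

The comparison covers direct assignments only: an account that is denied through membership in a group listed under the right will show `Denied = False` here, so group entries in the export need to be expanded separately.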


All replies