When I create service accounts, I tend to restrict their access as much as possible. In Active Directory domains, I follow Microsoft's A-G-DL-P model very strictly. For instance, I have a service account named "s-eporeviewer" that is a member of the global group "ggs-irtnognet-EpoDatabaseReviewers" (a business role), which in turn is a member of the domain-local group "dls-irtnognet-SqlsvrEpoCinip100ntsbsReadOnly", which represents the db_datareader SQL Server permission in the ePO_CINIP100NTSBS database. I take care to remove these service accounts from any other groups (e.g., Domain Users), as they generally do not need any other access. Unfortunately, there are a number of permissions that these services still have, due to their inclusion in built-in security principals such as EVERYONE and AUTHENTICATED USERS. For example, there's no reason why this "s-eporeviewer" service account needs to be able to relay mail through my Exchange server or to query Active Directory, yet the default permissions for these systems grant access to AUTHENTICATED USERS.
I realize this is a pretty minute exposure, but I would like to know if there's anything I can or should do to further restrict the access of these otherwise unprivileged service accounts. Has Microsoft published any general guidelines?
Best wishes, Matthew
-- "Rogues are very keen in their profession, and know already much more than we can teach them respecting their several kinds of roguery." - A. C. Hobbs in _Locks and Safes_ (1853)
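As an added example (not part of the original post), the script below audits what the "s-eporeviewer" account actually ends up with: it expands the A-G-DL-P chain through the directory's constructed tokenGroups attribute, shows the primary group that cannot be removed from memberOf, and then lists the well-known principals that the logon process adds to every authenticated token regardless of group membership. The distinguished name and domain suffix are assumptions; adjust them to your forest.

```powershell
# Added example, not code from the original post. Assumes the account's DN below
# (hypothetical) and that the caller has ordinary read access to the domain.
Add-Type -AssemblyName System.DirectoryServices
$dn   = "CN=s-eporeviewer,OU=ServiceAccounts,DC=irtnognet,DC=example"
$acct = [ADSI]"LDAP://$dn"

# tokenGroups is computed by the DC: every transitive security-group membership
# (global -> domain-local nesting included) flattened into a list of SIDs.
$acct.RefreshCache(@("tokenGroups", "objectSid", "primaryGroupID"))

function Resolve-Sid([System.Security.Principal.SecurityIdentifier] $sid) {
    # Translate to DOMAIN\Name where possible; fall back to the raw SID string.
    try { $sid.Translate([System.Security.Principal.NTAccount]).Value }
    catch { $sid.Value }
}

"== Group memberships resolved through nesting (tokenGroups) =="
foreach ($bytes in $acct.Properties["tokenGroups"]) {
    Resolve-Sid (New-Object System.Security.Principal.SecurityIdentifier($bytes, 0))
}

# The primary group (RID 513 = Domain Users by default) is stored as primaryGroupID,
# never appears in memberOf, and the account cannot be removed from it until a
# different primary group has been assigned.
$objSid    = New-Object System.Security.Principal.SecurityIdentifier(
                 $acct.Properties["objectSid"][0], 0)
$domainSid = $objSid.AccountDomainSid
$primary   = New-Object System.Security.Principal.SecurityIdentifier(
                 "$($domainSid.Value)-$($acct.Properties['primaryGroupID'][0])")
"== Primary group (implicit, not in memberOf) =="
Resolve-Sid $primary

# These principals are not stored anywhere in the directory; LSA adds them to the
# access token at logon, so no amount of group pruning removes them. ACLs that
# grant rights to them (Exchange relay, AD read) therefore apply to this account.
"== Well-known principals present in every authenticated network logon token =="
$implicit = @(
    [System.Security.Principal.WellKnownSidType]::WorldSid,             # Everyone
    [System.Security.Principal.WellKnownSidType]::AuthenticatedUserSid, # Authenticated Users
    [System.Security.Principal.WellKnownSidType]::NetworkSid,           # NETWORK (network logons)
    [System.Security.Principal.WellKnownSidType]::BuiltinUsersSid       # BUILTIN\Users on members
)
foreach ($type in $implicit) {
    Resolve-Sid (New-Object System.Security.Principal.SecurityIdentifier($type, $null))
}
```

Comparing the first list against the last is the quick way to tell which of an account's effective rights come from group design and which come from resource ACLs that reference built-in principals.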