companiesvilla.blogg.se

Interactive users are standard accounts













The principle of least privilege is a dated best practice that still holds its weight in a continually evolving information technology landscape.

To strengthen the group ‘Service Account – AllowInter’, assign the group GPO policies ‘Log On To’ (above) and ‘Logon Hours’ (below) so your team can specify certain domain-joined machines and time frames permitted for the service account.

2) Practice the principle of least privilege with service accounts

The Group Policy Object (GPO) policies ‘Deny log on locally’ and ‘Deny log on through Remote Desktop Services’ will help your organization prevent a service account from logging in interactively.


Due to the accounts’ intended function, interactive logons should not be permitted by default. Service accounts should only be used by applications or services – not users. Since service accounts are designed for services or applications to log into in order to interact with the operating system, interactive logins of these accounts prevent an accurate audit trail, since there is typically no way to clearly identify through logs who performed the interactive login. When a service account is configured to allow interactive logins such as Logon Types 2, 10, and 11, this presents a way for a person to exploit privileges that administrators might not have originally given to that person.

1) Configure your service accounts to deny interactive logons

With this in mind, does your organization have any controls or practices in place to mitigate the risk of service account misuse? If your organization is looking for additional controls or practices, here are a few you can implement to help combat the attack vector that service accounts present.

However, many organizations overlook the risk associated with these accounts during configuration and implementation, leaving them vulnerable to attack.
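One way to check for the interactive logons described above (Logon Types 2, 10 and 11), as an added example that is not part of the original article: a Python scan over Windows Security event 4624 (successful logon) records in event XML form. The account names, hosts, addresses and the `SERVICE_ACCOUNTS` inventory are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
INTERACTIVE = {"2": "Interactive", "10": "RemoteInteractive", "11": "CachedInteractive"}
SERVICE_ACCOUNTS = {"svc_sql", "svc_backup"}  # assumption: inventory exported from AD

def event_xml(user, logon_type, host, ip, when):
    """Build a constructed 4624 record in the Windows event XML layout."""
    return (
        '<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">'
        f'<System><EventID>4624</EventID><TimeCreated SystemTime="{when}"/>'
        f'<Computer>{host}</Computer></System><EventData>'
        f'<Data Name="TargetUserName">{user}</Data>'
        f'<Data Name="LogonType">{logon_type}</Data>'
        f'<Data Name="IpAddress">{ip}</Data></EventData></Event>'
    )

# Constructed sample events, not taken from a real system.
SAMPLE_EVENTS = [
    event_xml("svc_sql", 5, "DB01.corp.example", "-", "2024-01-10T02:00:00Z"),
    event_xml("SVC_SQL", 10, "DB01.corp.example", "192.0.2.44", "2024-01-10T02:13:09Z"),
    event_xml("alice", 2, "WS07.corp.example", "127.0.0.1", "2024-01-10T08:30:00Z"),
    event_xml("svc_backup", 11, "FS02.corp.example", "-", "2024-01-10T23:41:55Z"),
    event_xml("svc_backup", 3, "FS02.corp.example", "192.0.2.10", "2024-01-10T23:50:00Z"),
]

def find_interactive_service_logons(events, service_accounts=SERVICE_ACCOUNTS):
    """Return one finding per 4624 event where a service account logged on interactively."""
    accounts = {a.lower() for a in service_accounts}
    findings = []
    for raw in events:
        root = ET.fromstring(raw)
        if root.findtext("e:System/e:EventID", namespaces=NS) != "4624":
            continue
        data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
        user = data.get("TargetUserName", "").lower()  # AD account names are case-insensitive
        logon_type = data.get("LogonType", "").strip()
        # Types 3 (network), 4 (batch) and 5 (service) are expected for service accounts.
        if user in accounts and logon_type in INTERACTIVE:
            findings.append({
                "time": root.find("e:System/e:TimeCreated", NS).get("SystemTime"),
                "host": root.findtext("e:System/e:Computer", namespaces=NS),
                "user": user, "logon_type": INTERACTIVE[logon_type],
                "source_ip": data.get("IpAddress", "")})
    return findings

if __name__ == "__main__":
    for finding in find_interactive_service_logons(SAMPLE_EVENTS):
        print(finding)
```

Each finding carries the host and source address, which is the information needed to start working out who performed the logon.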


Malicious actors understand that service accounts typically have higher privileges than normal user accounts, and often target these accounts and their associated privileges in order to move laterally within an environment. Depending on the service and how the service account is configured, service accounts can have a range of different privilege levels. Service accounts, by design, are created to perform specific tasks for services running on endpoints.














