Learn about service account misconfiguration and how to mitigate this risk.
Inadequate management of service accounts can pose a security risk, as they may offer
attackers
an entry point to systems and sensitive data. To mitigate this risk, it is crucial
to limit the
permissions granted to service accounts to only what is necessary for their designated
tasks. If
a service account requires elevated permissions, such as Global Administrator access,
it is
advisable to assess the reasons for this level of access and minimize permissions
wherever
possible.
Examples of high-privilege permissions:
Application.ReadWrite.AllDirectory.ReadWrite.AllFiles.ReadWrite.AllMailboxSettings.ReadWriteUser.ReadWrite.All
 |
NoteA service account should not have higher privileges than the user account that manages
it.
This can occur if the service account is managed by a regular account. In Active Directory,
a
regular account is an account that is not a member of Administrators, Domain Admins,
or
Enterprise Admins.
|
Here are some best practices to follow:
-
The permissions of the service account owner should be equal or greater than the service account they manage.
-
Use only the minimum required permissions for the service account to function. For more information, see Microsoft's guidance on the principle of least privileges.
-
If the service account requires certain permissions, consider elevating the regular account's permissions or assigning another owner.
|
Note"Service Account Misconfiguration" risks cannot be added to the exception list.
|