Views:

Learn about service account misconfiguration and how to mitigate this risk.

Inadequate management of service accounts can pose a security risk, as they may offer attackers an entry point to systems and sensitive data. To mitigate this risk, it is crucial to limit the permissions granted to service accounts to only what is necessary for their designated tasks. If a service account requires elevated permissions, such as Global Administrator access, it is advisable to assess the reasons for this level of access and minimize permissions wherever possible.
Examples of high-privilege permissions:
  • Application.ReadWrite.All
  • Directory.ReadWrite.All
  • Files.ReadWrite.All
  • MailboxSettings.ReadWrite
  • User.ReadWrite.All
Note
Note
A service account should not have higher privileges than the user account that manages it. This can occur if the service account is managed by a regular account. In Active Directory, a regular account is an account that is not a member of Administrators, Domain Admins, or Enterprise Admins.
Here are some best practices to follow:
  • The permissions of the service account owner should be equal or greater than the service account they manage.
  • Use only the minimum required permissions for the service account to function. For more information, see Microsoft's guidance on the principle of least privileges.
  • If the service account requires certain permissions, consider elevating the regular account's permissions or assigning another owner.
Note
Note
"Service Account Misconfiguration" risks cannot be added to the exception list.