Securing Service Accounts
Updated: March 28, 2003
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Most services have specific functions, so it is best to grant them only those rights that are required for the services to perform those functions. In this way, if attackers compromise a service account, they have limited access and can do only a limited amount of damage. If a service account has rights that extend beyond its specific function, an attacker who compromises the account can do extensive damage.
To ensure maximum security, avoid running services on domain controllers. For example, do not make your domain controller a mail server, Web server, and file and print server. Adding multiple services on a critical link such as the domain controller is risky, because it increases the complexity of the system and therefore increases the potential for compromise. A problem with a print server that might otherwise only give an attacker the ability to create unauthorized print jobs can instead grant the attacker access to Active Directory, a critical data repository. The security benefits of using separate computers for services outweigh the initial investment in hardware equipment.
Also, you might need to reset service account passwords. Do not modify service accounts unless a problem occurs that interferes with the functioning of a service.
To reset service account passwords
In Active Directory Users and Computers, right-click the user’s account.
Click Reset Password.
Enter and confirm the new password.
You must ensure that the service uses the newly selected password before the service can take advantage of the reset password. Ensure that the password that the service uses and the password that you reset the service account to have are the same.