Service accounts carry privileges that allow them to perform actions on the computers where they are configured and to communicate with other computers on the network. Attackers like to target service accounts because of these privileges, and because many organizations rarely change the passwords for these accounts. Once an attacker has obtained the credentials needed to access the network as a service account, it is nearly impossible to track and monitor their behavior. However, if you limit where the compromised service account can log on, the attacker will be restricted to only a few computers, if not just one.
In order to limit which computers a service account can log on to, you first need to know which computers the service account is configured on. For Windows services, you can use our free Service Account Management Tool to scan all of your Windows computers and identify all configured service accounts.
Once you have a list of the computers each service account is configured on, you can limit the service account so that it can only log on to those computers. To do this, open each user account's properties in Active Directory Users and Computers and configure the Log On To option found under the Account tab. Figures 1 and 2 show what this looks like.
Figure 1. The Account tab for a user account.
Figure 2. Computers the user account can log on to.
After you configure the account settings, the user account (a service account in this case) is limited to only the computers listed. Even if the attacker obtains the credentials for this service account, they can only log on to the listed computers, substantially reducing the attack surface for these accounts.
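The same restriction can be applied in bulk from the inventory rather than one account at a time. The following PowerShell is an added example, not part of the original post or the tool it mentions: it assumes the ActiveDirectory RSAT module, a hypothetical CSV exported from the scan with columns SamAccountName and ComputerName, and a hypothetical service-account OU. It writes the Log On To list (the LogonWorkstations attribute behind that dialog) and then reports any service account that still has no restriction.

```powershell
# Added example (not the original post's code). Assumes the ActiveDirectory
# module and a CSV from the inventory scan with columns SamAccountName and
# ComputerName, one row per service instance. Paths and names are hypothetical.
Import-Module ActiveDirectory

$inventory = Import-Csv -Path 'C:\Audit\service-accounts.csv'

# Group the scan results so each account maps to the hosts it was found on.
$byAccount = $inventory | Group-Object -Property SamAccountName

foreach ($group in $byAccount) {
    # LogonWorkstations takes comma-separated NetBIOS names, not FQDNs,
    # so strip any DNS suffix and de-duplicate.
    $workstations = $group.Group.ComputerName |
        ForEach-Object { ($_ -split '\.')[0].ToUpper() } |
        Sort-Object -Unique

    $desired = $workstations -join ','
    $user    = Get-ADUser -Identity $group.Name -Properties LogonWorkstations
    $current = $user.LogonWorkstations

    if ($current -eq $desired) {
        Write-Host "$($group.Name): already restricted to $desired"
        continue
    }

    # Show the before/after so the change is reviewable in the log.
    Write-Host "$($group.Name): '$current' -> '$desired'"
    Set-ADUser -Identity $group.Name -LogonWorkstations $desired
}

# Detection side: list service accounts that still have no Log On To
# restriction. The OU below is an assumption about how accounts are organised.
Get-ADUser -SearchBase 'OU=Service Accounts,DC=example,DC=com' `
           -Filter * -Properties LogonWorkstations |
    Where-Object { -not $_.LogonWorkstations } |
    Select-Object SamAccountName |
    Format-Table -AutoSize
```

Run the script with an account that has write access to the service-account objects, and keep the printed before/after lines as the change record for each account.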