Protecting Privileged Accounts: Service Account Logon Limitations
Service accounts are a required component of every organization, but they are often not secured as well as they need to be, which makes them a prime candidate for attack. Taking the extra time to secure these accounts can make all the difference when attackers target your Active Directory.
Since a service account supports one service, or at most a handful, it should be limited to logging on only to the servers where that service runs. For example, if the service account supports a dedicated SQL database that houses the HR content, it can be limited to the single server where that SQL DB runs.
To accomplish this, the service account in AD is configured so that it can log on only to this server, as shown in Figure 1.
This alone helps control which computers the account can log on to, but it also proves valuable when the account is under attack. Provided you have a solution watching for password attacks, this is ideal: there should never be an attempt by this account to log on to any computer other than SQL4. If there is, the account is under attack!
Every service account should have a limited list of computers it can log on to. This reduces the attack surface and lets you monitor failed logons more effectively, giving you early insight into when these accounts are under a password attack.
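As an added example (not part of the original post), here is the monitoring side in Python: an allowlist that mirrors each account's "Log On To..." setting (the userWorkstations attribute) is applied to constructed Windows Security records (4624 successful logon, 4625 failed logon), and every attempt by a service account from a computer outside its list is flagged. The account name svc_sqlhr, the host names and the log records are constructed; the 4625 sub-status 0xC0000070 is the code Windows reports when the workstation restriction itself denies the logon.

```python
import re
from dataclasses import dataclass

# Allowlist mirroring each account's AD "Log On To..." list (the userWorkstations attribute).
# The account name and host names are constructed for this example.
ALLOWED_HOSTS = {"svc_sqlhr": {"SQL4"}}

# Sub-status Windows records in event 4625 when the logon-workstation restriction denies a logon.
STATUS_INVALID_WORKSTATION = "0xC0000070"

# Constructed Security-log records, flattened to key=value (4624 = successful logon, 4625 = failed logon).
SAMPLE_EVENTS = [
    "EventID=4624 TargetUserName=svc_sqlhr WorkstationName=SQL4",
    "EventID=4625 TargetUserName=svc_sqlhr WorkstationName=WS-FINANCE07 SubStatus=0xC0000070",
    "EventID=4625 TargetUserName=svc_sqlhr WorkstationName=WS-FINANCE07 SubStatus=0xC000006A",
    "EventID=4624 TargetUserName=svc_sqlhr WorkstationName=FILE2",
    "EventID=4624 TargetUserName=jdoe WorkstationName=WS-FINANCE07",
]

@dataclass
class Alert:
    account: str
    host: str
    reason: str

def parse_event(line: str) -> dict:
    """Split a flattened event record into a dict of its key=value fields."""
    return dict(re.findall(r"(\w+)=(\S+)", line))

def check_events(lines, allowed=ALLOWED_HOSTS):
    """Return one Alert per logon attempt by a restricted account from a host outside its allowlist."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        account, host = ev["TargetUserName"], ev["WorkstationName"].upper()
        if account not in allowed or host in allowed[account]:
            continue  # not a tracked service account, or an expected host: nothing to report
        if ev["EventID"] == "4625":
            # Any failure from an unlisted host is suspicious; 0xC0000070 shows the restriction did its job.
            sub = ev.get("SubStatus", "?")
            reason = ("blocked by workstation restriction" if sub == STATUS_INVALID_WORKSTATION
                      else f"failed logon from unlisted host (sub-status {sub})")
            alerts.append(Alert(account, host, reason))
        elif ev["EventID"] == "4624":
            # A success from an unlisted host means the restriction is missing or the allowlist is stale.
            alerts.append(Alert(account, host, "SUCCESSFUL logon from unlisted host: restriction not enforced"))
    return alerts
```

Calling check_events(SAMPLE_EVENTS) returns three alerts: the two failures from WS-FINANCE07 and the successful logon from FILE2, which shows the restriction is not actually being enforced for that account.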