As a general rule, when creating service accounts to work with applications, special care should be taken to ensure that the services have only the rights they need to do their jobs. Rather than simply making a service account a local administrator on a given server, take the time to determine what rights it actually needs and grant them through the Local Security Policy editor.
1. Click Start, Administrative Tools, and Local Security Policy.
2. Expand Local Policies.
3. Click User Rights Assignment, as shown in Figure 12.14.
4. Choose a right that needs to be granted from the right pane and double-click it.
5. On the Local Security Setting tab, click Add User or Group.
6. Add the service account into the available window, and click Check Names. Click OK.
7. Click OK again to grant the right.
Some local rights that are typically granted for applications include
• Access this computer from the network
• Allow log on locally
• Back up files and directories
• Load and unload device drivers
• Log on as a service
These granular rights can easily replace the need to make a service account a local administrator on a server. Coupling limited rights with a Managed Service Account greatly reduces the chance that a high-privilege account is compromised and used to take control of the system.
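The steps above grant rights one at a time through the GUI; the following PowerShell script (added here as an example, not from the book) audits the other direction: it exports the effective local policy with secedit, shows which principals currently hold each of the five rights listed above, and warns if the service account is still a member of the local Administrators group. The account name in $ServiceAccount is an assumed placeholder, and the script must run from an elevated prompt.

```powershell
# Added example (not from the book): audit holders of the rights discussed above
# and confirm the service account is no longer a local administrator.
$ServiceAccount = 'CONTOSO\svc-app$'   # assumed placeholder; use your real account

# Display name in the Local Security Policy editor -> constant in the secedit export
$Rights = @{
    'Access this computer from the network' = 'SeNetworkLogonRight'
    'Allow log on locally'                  = 'SeInteractiveLogonRight'
    'Back up files and directories'         = 'SeBackupPrivilege'
    'Load and unload device drivers'        = 'SeLoadDriverPrivilege'
    'Log on as a service'                   = 'SeServiceLogonRight'
}

# Export only the User Rights Assignment area of the effective local policy.
$cfg = Join-Path $env:TEMP 'user-rights.inf'
secedit.exe /export /cfg $cfg /areas USER_RIGHTS | Out-Null
$privLines = Get-Content $cfg | Where-Object { $_ -match '^Se\w+\s*=' }
Remove-Item $cfg -Force

# secedit writes SIDs as '*S-1-5-...'; translate them to account names when possible.
function Resolve-Principal([string]$Entry) {
    if ($Entry -notlike '*S-1-*') { return $Entry }
    try {
        $sid = New-Object System.Security.Principal.SecurityIdentifier -ArgumentList $Entry.TrimStart('*')
        return $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch { return $Entry }   # orphaned or unresolvable SID: show it raw
}

foreach ($name in $Rights.Keys) {
    $const = $Rights[$name]
    $line  = $privLines | Where-Object { $_ -match "^$const\s*=" }
    $holders = if ($line) {
        ($line -split '=', 2)[1].Trim() -split ',' | ForEach-Object { Resolve-Principal $_.Trim() }
    } else { @('(no one)') }
    "{0} ({1}):`n    {2}" -f $name, $const, ($holders -join "`n    ")
}

# Granular rights only reduce exposure if the account is not also an administrator.
$admins = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($admins -contains $ServiceAccount) {
    Write-Warning "$ServiceAccount is in local Administrators; remove it and rely on the granted rights."
}
```

Review the output for rights such as Load and unload device drivers that effectively equal administrator access, and grant those only when the application genuinely requires them.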