A. Often, administrators create specific accounts for certain services to run under (although more products are now taking advantage of Local System to avoid this requirement). The concern is that these service accounts have a password that's known by certain people and can be a cause for concern because users can log on as this account, making it hard to track their activities. When an administrator leaves, his or her account might be disabled but service accounts might not have their passwords changed. One way to protect these accounts is to stop users from being able to use them to log on. You can do so by removing the following rights from these accounts:
- Log on locally. This right lets you log on at the console with the account.
- Access this computer from the network. This right enables access to resources (e.g., a shared folder) on other computers (although if the service needs to access remote resources you can't disable this right).
- Log on through Terminal Services. This right lets you log on via Windows 2000 Server Terminal Services.
Under usual circumstances, service accounts require only the "Log on as a service" right, so ensure that they have this permission, but again, if the service requires remote access to other resources, it might need the "Access this computer from the network" right. The easiest way to remove the three rights is to create a group and place all the service-type accounts in this group. Then create a Group Policy Object (GPO) that denies the rights discussed and apply it at a level that will affect all user accounts, (e.g., the domain), as the figure shows. A deny always overrides an allow.
