Special-purpose Windows service accounts are more secure than generic domain user accounts, but it's important to choose the right service account for the right task.
One of the fundamental rules for running an application within a Windows operating system is that the application will be able to run only if it has sufficient permissions to do so. If an application is run interactively, then the application will normally inherit the permissions of the user who is running the application. Microsoft Word is able to run on Windows 10, for example, not because Windows recognizes Word as a trustworthy application (although there are mechanisms for that, too), but because the user who is running Word has sufficient permissions to do so.
Unlike desktop applications such as Microsoft Word, most server applications do not run interactively. Instead, they get their permissions from the service account the service is configured to log on as. Early on, service accounts were little more than standard domain user accounts. Eventually, though, attackers began targeting service accounts, because those accounts commonly carried elevated permissions and their passwords were typically set to never expire and rarely, if ever, rotated. To keep that from happening, Microsoft recommends that you use special-purpose Windows service accounts rather than generic domain user accounts.
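The first step in moving away from generic accounts is finding them. The following PowerShell is an added example, not part of the original article: it lists enabled domain user accounts that carry a ServicePrincipalName (that is, accounts something is using as a service identity) and flags the ones whose password never expires, is stale, or that sit in a privileged group. The group list and the 90-day threshold are assumptions to adjust for your environment; it needs the ActiveDirectory RSAT module.

```powershell
# Added example (not from the original article): inventory domain *user* accounts
# doing service-account duty. An SPN means a service uses the account; a
# never-expiring or stale password plus privileged group membership is exactly
# the generic-account pattern the article warns about.
Import-Module ActiveDirectory

# Assumption: the privileged groups you care about; edit for your domain.
$privilegedGroups = @('Domain Admins', 'Enterprise Admins', 'Administrators', 'Backup Operators')
$stale = (Get-Date).AddDays(-90)   # assumed password-age threshold

$report = Get-ADUser -Filter 'ServicePrincipalName -like "*"' `
        -Properties ServicePrincipalName, PasswordNeverExpires, PasswordLastSet, MemberOf, Enabled |
    Where-Object { $_.Enabled } |          # drops krbtgt and disabled leftovers
    ForEach-Object {
        $groups = $_.MemberOf | ForEach-Object { (Get-ADGroup $_).Name }
        [pscustomobject]@{
            Account              = $_.SamAccountName
            SPNs                 = ($_.ServicePrincipalName -join ';')
            PasswordNeverExpires = $_.PasswordNeverExpires
            PasswordLastSet      = $_.PasswordLastSet
            PasswordStale        = (($null -eq $_.PasswordLastSet) -or ($_.PasswordLastSet -lt $stale))
            PrivilegedGroups     = (($groups | Where-Object { $privilegedGroups -contains $_ }) -join ';')
        }
    }

# Worst offenders first: privileged, then non-expiring.
$report |
    Sort-Object @{ Expression = { [string]::IsNullOrEmpty($_.PrivilegedGroups) } },
                @{ Expression = { -not $_.PasswordNeverExpires } } |
    Format-Table -AutoSize

# Migration candidates for an MSA/gMSA: anything non-expiring or stale.
$report | Where-Object { $_.PasswordNeverExpires -or $_.PasswordStale } |
    Export-Csv -NoTypeInformation -Path .\service-account-candidates.csv
```

Accounts that appear here with a privileged group and a never-expiring password are the ones to migrate first; the CSV is a convenient worklist for the managed-account types described below.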
There are three main types of service accounts currently supported by Windows. Here's what you need to know about each to help ensure that you are using the right one.
1. Standalone Managed Service Accounts
Standalone managed service accounts are domain accounts (an msDS-ManagedServiceAccount object in Active Directory) that Windows treats much like a local account: a standalone managed service account can be installed on, and used by, exactly one computer. As such, the account cannot be shared with another system, nor can it support a highly available application running in a failover cluster, because that would require every cluster node to be able to use the same account.
One of the key differences between a standalone managed service account and a local account is that standalone managed service accounts are designed to overcome the challenges associated with password management. Imagine for a moment that an administrator were to create a standard local account and use it as a service account for a particular application. In doing so, the administrator would most likely make it so that the account’s password never expires (which may constitute a security risk). Otherwise, it is possible that a password expiration would go unnoticed until the application that is tied to the account began to malfunction. At that point, an administrator would have to log into the system and manually reset the password.
With standalone managed service accounts, administrators do not have to worry about passwords at all: the password is a long random value that the computer the account is installed on rotates automatically (every 30 days by default), and the administrator never needs to know or type it.
2. Group Managed Service Accounts
The second type of service account that you need to be aware of is the group managed service account. Whereas standalone managed service accounts are roughly analogous to local accounts, group managed service accounts are essentially a type of domain account. They can be used in situations in which a service account needs to service multiple servers. However, there are some caveats to using this type of service account.
The most important thing that you need to understand about group managed service accounts is that they are primarily intended to be used with load balanced applications or within a server farm that is tied to a specific application. Contrary to what you might assume, group managed service accounts are not intended for use with clusters.
This is not to say that these accounts can never be used in conjunction with a highly available application. According to Microsoft, a group managed service account (or even a standalone managed service account) can be used by a clustered application, but not as the identity of the cluster service itself, so long as the application runs as a Windows service, an IIS application pool or a scheduled task, or natively supports managed service accounts.
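The following PowerShell is an added example, not from the original article, covering both managed account types above: it provisions a standalone MSA for a single host and a gMSA for a web farm, installs the gMSA on a farm member, binds a service to it, and checks that password rotation is actually happening. The domain corp.example.com, hosts APP01/WEB01/WEB02, group WebFarmHosts, and service names are assumptions; the AD cmdlets run where the ActiveDirectory module is installed, the Install/Test/sc.exe steps run on the target host.

```powershell
# Added example (not from the original article). Assumed names: domain CORP
# (corp.example.com), hosts APP01 / WEB01 / WEB02, computer group WebFarmHosts,
# services "AppService" and "WebService".
Import-Module ActiveDirectory

# 0. One-time per forest: the KDS root key from which managed passwords are derived.
#    Back-dating by 10 hours lets every DC replicate the key before it is used;
#    -EffectiveImmediately is acceptable only in a single-DC lab.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10))
}

# 1. Standalone MSA: a domain object, but installable on exactly one computer.
New-ADServiceAccount -Name 'svc-app' -RestrictToSingleComputer -KerberosEncryptionType AES256
Add-ADComputerServiceAccount -Computer 'APP01' -ServiceAccount 'svc-app'

# 2. Group MSA: every member of WebFarmHosts may retrieve the password.
New-ADServiceAccount -Name 'gmsa-web' `
    -DNSHostName 'gmsa-web.corp.example.com' `
    -PrincipalsAllowedToRetrieveManagedPassword 'WebFarmHosts' `
    -ManagedPasswordIntervalInDays 30 `
    -ServicePrincipalNames 'HTTP/web.corp.example.com' `
    -KerberosEncryptionType AES256

# --- On each farm host (WEB01, WEB02). Reboot first if the host was only just added
#     to WebFarmHosts: the membership is only in its Kerberos ticket after it logs on again.
Install-ADServiceAccount -Identity 'gmsa-web'
if (-not (Test-ADServiceAccount -Identity 'gmsa-web')) {
    throw 'This host cannot retrieve the gMSA password: check group membership and replication'
}

# Bind the service. Note the trailing $ and the empty password: the service control
# manager fetches the managed password from AD itself.
sc.exe config 'WebService' obj= 'CORP\gmsa-web$' password= ''
# Assumption: CORP\gmsa-web$ already holds the "Log on as a service" right (the Services
# console grants it when you pick the account; sc.exe does not).
Restart-Service -Name 'WebService'

# The sMSA is bound the same way on APP01 after Install-ADServiceAccount -Identity 'svc-app':
#   sc.exe config 'AppService' obj= 'CORP\svc-app$' password= ''

# 3. Verify rotation: PasswordLastSet should never be older than the managed interval.
Get-ADServiceAccount -Identity 'gmsa-web' -Properties PasswordLastSet, msDS-ManagedPasswordInterval |
    Select-Object Name, PasswordLastSet, msDS-ManagedPasswordInterval
```

The PrincipalsAllowedToRetrieveManagedPassword group is the real access boundary for a gMSA: any computer (or user) in that group can pull the current password, so keep it to the farm members and review it with the same care as the account's group memberships.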
3. Virtual Accounts
The third type of service account that you should be aware of is a virtual account. Virtual accounts are another type of local account, and they are created automatically the moment a service is configured to log on as one; nothing has to be provisioned in Active Directory or in the local SAM. The nice thing about virtual accounts is that Windows handles all of the management tasks for you. You don't even have to worry about the password, because there is no password for an administrator to set or rotate.
Virtual accounts are tied to a specific service and use the name NT SERVICE\<service name>, with a SID that is derived from the service name, so it can be placed in file and registry ACLs before the service ever starts. If the associated application needs to access network resources, it does so using the machine's Active Directory computer account (DOMAIN\ComputerName$), which is the identity you must grant on the remote share or database.
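To make the virtual-account behaviour concrete, here is an added example (not from the original article) that registers a service under a virtual account and grants that account, and only that account, Modify access to its data folder. The service name ReportSvc, its binary path and data folder are assumptions; run it as a local administrator on the host.

```powershell
# Added example (not from the original article). Assumed: service "ReportSvc",
# binary C:\App\ReportSvc.exe, data folder C:\App\data, domain CORP.
$svc  = 'ReportSvc'
$data = 'C:\App\data'

# Register the service, then switch its logon to the virtual account. No account
# object is created anywhere: NT SERVICE\<name> exists implicitly and Windows owns
# its credential.
New-Service -Name $svc -BinaryPathName 'C:\App\ReportSvc.exe' -StartupType Automatic
sc.exe config $svc obj= "NT SERVICE\$svc"

# The SID is computed from the service name (S-1-5-80-...), so it is stable across
# reinstalls and usable in ACLs before the service has ever started.
sc.exe showsid $svc

# Least privilege on the data folder: strip inherited ACEs, then grant explicitly.
# Only this service's identity gets Modify; other services on the box get nothing.
icacls $data /inheritance:r
icacls $data /grant "SYSTEM:(OI)(CI)F" "BUILTIN\Administrators:(OI)(CI)F" "NT SERVICE\${svc}:(OI)(CI)M"

Start-Service -Name $svc

# Confirm what is actually running and as whom (StartName should be NT SERVICE\ReportSvc).
Get-CimInstance Win32_Service -Filter "Name='$svc'" | Select-Object Name, StartName, State

# On the network the service is seen as the computer account, so a remote share is
# granted to CORP\<hostname>$, not to the virtual account, e.g. on the file server:
#   icacls \\FILESRV\reports /grant "CORP\$($env:COMPUTERNAME)`$:(OI)(CI)M"
```

Because every service that uses a virtual account reaches the network as the same computer account, a remote grant to CORP\<hostname>$ is effectively a grant to all of them; keep remote permissions for virtual-account services minimal, or move a service that needs its own network identity to a gMSA.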
Using a special-purpose Windows service account makes more sense than using a generic domain user account, but it's important to use the right Windows service account: a standalone managed service account for a service on one host, a group managed service account for a service shared across a farm, and a virtual account for a service that only needs local permissions.