How can I make sure that no one logs on by using the Windows NT service accounts that my company's critical applications use?
An easy way to restrict use of the service accounts is to link to the accounts a logon script that calls logoff.exe with the /F and /N parameters specified. (Logoff.exe comes bundled with the Microsoft Windows NT Server 4.0 Resource Kit.) The /F parameter forces processes to close when logoff.exe is executed. The /N parameter forces processes to close without confirmation when logoff.exe is executed. When you protect an account with logoff.exe and the two parameters, anyone who attempts to interactively log on with the account will immediately be logged off. For this solution to work, you obviously must make sure that the tool is available on all machines in your domain.